AI description
CVE-2025-52970 is a high-severity (CVSS 3.1 base score 8.1) authentication bypass vulnerability in Fortinet's FortiWeb web application firewall, caused by improper parameter handling in its session-cookie parsing. An unauthenticated remote attacker who holds certain non-public information about the device and the targeted user can impersonate any existing user on an affected system, including administrators. The root cause is an out-of-bounds read in the cookie-handling code: session cookies carry an "Era" parameter that selects the secret used to encrypt and sign the session, and setting it to a value between 2 and 9 makes the server read past the table of real secrets and fall back to a predictable, all-zero key. With that key the attacker can produce a session cookie the server accepts as genuine.
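To make the bug class concrete, the following is an added, self-contained model of the mechanism described above; it is not FortiWeb's code, cookie format or key schedule, and the two-entry secret table, the cookie layout (`Era=…&Payload=…&Sig=…`), the HMAC-SHA256 construction and the zero-filled memory after the table are all assumptions made for illustration. The point it shows is why an unchecked "Era" index turns a blind out-of-bounds read into a forgeable signing key.

```python
"""Model of an Era-indexed session secret lookup with and without bounds checks.

Added example for CVE-2025-52970's bug class, not FortiWeb's implementation.
Assumptions (not from the advisory): two real key slots, 32-byte keys, an
HMAC-SHA256 cookie signature, and zeroed memory directly after the key table.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

KEY_LEN = 32
NUM_ERAS = 2  # assumed: only Era 0 and Era 1 have real secrets

# Model of process memory: the secret table followed by zero-initialised data.
# An index of 2..9 reads past the table and lands in the zero region, which is
# the "all-zero secret key" effect the description refers to.  On a real target
# the contents of out-of-bounds memory are not guaranteed; this model fixes them.
_secret_table = os.urandom(KEY_LEN * NUM_ERAS)
_memory = _secret_table + bytes(KEY_LEN * 8)

SecretLookup = Callable[[int], bytes]


def vulnerable_secret_for_era(era: int) -> bytes:
    """Unchecked index: Era 2..9 reads past the table into zeroed memory."""
    off = era * KEY_LEN
    return _memory[off:off + KEY_LEN]


def hardened_secret_for_era(era: int) -> bytes:
    """Bounds-checked lookup: any Era outside the real table is rejected."""
    if not 0 <= era < NUM_ERAS:
        raise ValueError(f"invalid Era {era}")
    return _secret_table[era * KEY_LEN:(era + 1) * KEY_LEN]


def _mac(key: bytes, era: int, payload: bytes) -> str:
    # Era is bound into the MAC so a cookie cannot be replayed under another Era.
    return hmac.new(key, f"{era}|".encode() + payload, hashlib.sha256).hexdigest()


def sign_cookie(era: int, payload: bytes, secret_for_era: SecretLookup) -> str:
    """Server side: Era=<n>&Payload=<hex>&Sig=<hmac>, keyed by the Era's secret."""
    return f"Era={era}&Payload={payload.hex()}&Sig={_mac(secret_for_era(era), era, payload)}"


def verify_cookie(cookie: str, secret_for_era: SecretLookup) -> Optional[bytes]:
    """Server side: return the payload if the signature verifies, else None."""
    fields = dict(part.split("=", 1) for part in cookie.split("&") if "=" in part)
    try:
        era = int(fields["Era"])
        payload = bytes.fromhex(fields["Payload"])
        sig = fields["Sig"]
        key = secret_for_era(era)  # hardened lookup raises ValueError here
    except (KeyError, ValueError):
        return None
    return payload if hmac.compare_digest(_mac(key, era, payload), sig) else None


def forge_admin_cookie(era: int = 2) -> str:
    """Attacker side: knows no real secret, only that an out-of-range Era makes
    the server key its check with all zeros.  Signs an attacker-chosen payload."""
    payload = b"user=admin"
    return f"Era={era}&Payload={payload.hex()}&Sig={_mac(bytes(KEY_LEN), era, payload)}"


def demo() -> dict:
    forged = forge_admin_cookie(era=2)
    return {
        "vulnerable_accepts": verify_cookie(forged, vulnerable_secret_for_era),
        "hardened_accepts": verify_cookie(forged, hardened_secret_for_era),
        "zero_key_eras": [e for e in range(2, 10)
                          if vulnerable_secret_for_era(e) == bytes(KEY_LEN)],
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: the forged cookie never touches the real secrets, so no secret leak is needed, only an accepted signature under a key the attacker can predict; and the fix is not a different key schedule but a range check on the index before it is used, which is what `hardened_secret_for_era` adds.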
- Description
- An improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and versions 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.
- Source
- psirt@fortinet.com
- NVD status
- Analyzed
- Products
- fortiweb
CVSS 3.1
- Type
- Secondary
- Base score
- 8.1
- Impact score
- 5.9
- Exploitability score
- 2.2
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- psirt@fortinet.com
- CWE-233
- Hype score
- Not currently trending
Researcher reveals exploit for FortiWeb vulnerability CVE-2025-52970 allowing remote auth bypass via cookie manipulation in versions 7.0 to 7.6. Patch available in later releases. #Fortinet #AuthBypass #USA https://t.co/8yGhBpLaHa
@TweetThreatNews
16 Aug 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
FortMajeure: Auth Bypass in FortiWeb (CVE-2025-52970) This vuln is exploitable via two routes:
- Impersonation of an admin user in a REST endpoint /api/v2.0/system/status.systemstatus
- /ws/cli/open for opening a connection to the FortiWeb CLI
Decoy drop for this tomorrow! h
@DefusedCyber
16 Aug 2025
297 Impressions
3 Retweets
11 Likes
1 Bookmark
0 Replies
0 Quotes
#exploit 1⃣ CVE-2025-52970: Authentication Bypass in FortiWeb - https://t.co/W2bRs1mcq9 2⃣ CVE-2025-54887: Ruby-JWE Authentication Tag can be brute forced - https://t.co/y7gwM0JVff 3⃣ CVE-2025-7202: CSRF in Elgato's Key Lights and related light products -
@ksg93rd
15 Aug 2025
95 Impressions
0 Retweets
3 Likes
3 Bookmarks
0 Replies
0 Quotes
FortMajeure: Authentication Bypass in FortiWeb (CVE-2025-52970) https://t.co/5iGsjgiCIE https://t.co/1VtuD8b55E
@secharvesterx
13 Aug 2025
86 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Dropped a new blogpost. CVE-2025-52970: how I turned a limited, blind OOB read primitive into a full authentication bypass in one of Fortinet’s products :) https://t.co/wNmA6gRs0T
@0x_shaq
13 Aug 2025
16998 Impressions
69 Retweets
301 Likes
137 Bookmarks
8 Replies
4 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7E739890-CFEA-4B7B-B78D-8CC8157BDF54",
            "versionEndExcluding": "7.0.11",
            "versionStartIncluding": "7.0.0"
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B642678E-4E31-4A6B-A791-ACD5D332B175",
            "versionEndExcluding": "7.2.11",
            "versionStartIncluding": "7.2.0"
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CA8DE17C-1756-4B18-A956-A52CFA0967B9",
            "versionEndExcluding": "7.4.8",
            "versionStartIncluding": "7.4.0"
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2B739434-1979-43F9-AEC1-D287B1BCA5CA",
            "versionEndExcluding": "7.6.4",
            "versionStartIncluding": "7.6.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
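The NVD configuration above encodes the affected versions as half-open ranges (`versionStartIncluding` inclusive, `versionEndExcluding` exclusive), so the first fixed release on each branch is the range's end. The following added example, not an NVD or Fortinet tool, turns those four ranges into an affected-version check for an inventory of FortiWeb version strings; it compares dotted numeric versions only and says nothing about branches NVD does not list.

```python
"""Affected-version check for CVE-2025-52970 from the NVD CPE ranges.

Added example, not an official NVD or Fortinet tool.  Ranges are copied from the
cpeMatch entries: [versionStartIncluding, versionEndExcluding) per branch.
"""
from typing import Optional, Tuple

AFFECTED_RANGES = [
    ("7.0.0", "7.0.11"),
    ("7.2.0", "7.2.11"),
    ("7.4.0", "7.4.8"),
    ("7.6.0", "7.6.4"),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """'7.4.7' -> (7, 4, 7); shorter strings are padded with zeros ('7.4' -> (7, 4, 0)).

    Raises ValueError for anything that is not one to three dotted integers."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {v!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the version's branch, or None if the
    version is not inside any NVD-listed affected range."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if parse_version(start) <= v < parse_version(end):
            return end
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def triage(inventory: dict) -> dict:
    """Map each device name to (version, affected?, fixed release or None).

    Unparseable version strings are reported as affected=None so they are not
    silently treated as safe."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = (version, is_affected(version), fixed_version_for(version))
        except ValueError:
            result[name] = (version, None, None)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"fwb-edge-1": "7.6.3", "fwb-edge-2": "7.6.4", "fwb-dc-1": "7.0.10",
              "fwb-lab": "7.4.8", "fwb-old": "6.4.2", "fwb-unknown": "n/a"}
    for name, row in triage(sample).items():
        print(name, row)
```

Note the half-open comparison: 7.6.3 is affected and 7.6.4 is not, matching the advisory's "7.6.3 and below" wording, and a 6.x or 8.x appliance returns not-affected only because NVD lists no range for it, not because it has been assessed.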