Overview

CVE: CVE-2025-61984
Severity: Critical
Date: 17 November 2025

Fortinet has confirmed that a zero-day vulnerability in FortiWeb is being actively exploited in the wild. Exploitation allows unauthenticated attackers to create new administrator accounts on externally-facing FortiWeb Manager panels, potentially enabling complete system takeover. Early exploit activity was observed in October; a proof-of-concept is publicly available.

Affected Versions

All FortiWeb devices running versions prior to 8.0.2, 7.6.5, 7.4.10 or 7.2.12; those releases include silent patches for this issue. If your device is internet-facing and uses FortiWeb management interfaces, it is at high risk.

Vulnerability Breakdown

CVE-2025-61984 – FortiWeb Authentication Bypass / Admin Account Creation

  • Type: Authentication bypass leading to administrative account creation
  • Severity: Critical
  • CVSS: 9.8
  • Description: An unauthenticated attacker sends crafted HTTP/HTTPS requests to create admin accounts on the FortiWeb Manager panel.
  • Impact: Full administrative access, ability to alter configurations, pivot deeper into network, potentially persistent control.
  • Exploit details: A proof-of-concept exploit has been released; exploitation in the wild confirmed by Fortinet and added to the Known Exploited Vulnerabilities catalogue.

Mitigation

  • Upgrade FortiWeb and FortiWeb Manager to version 8.0.2 or later, or the relevant patched builds listed above.
  • If you cannot patch immediately:
    • Remove or isolate the management interface from the public internet.
    • Block HTTP/HTTPS access to the management panel from untrusted networks.
    • Audit for new or unexpected administrator accounts and unusual access patterns.
  • Monitor networks for signs of account creation, configuration change or unexpected system behaviour.

Summary for IT Teams

Products: Fortinet FortiWeb (WAF) and FortiWeb Manager
Threat Level: Critical
Action Required:

  • Upgrade immediately or isolate management interfaces
  • Audit admin accounts and configuration logs
  • Restrict public exposure of the management plane
  • Confirm patch status across all FortiWeb devices
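To confirm patch status across a fleet, the following added Python script (not from the advisory or from Fortinet) encodes the fixed releases listed above and rates each device; the inventory records are constructed samples, and the treatment of branches with no listed fix is an assumption noted in the code.

```python
import re

# Earliest fixed build on each branch, as listed in the advisory.
FIXED_VERSIONS = {(8, 0): (8, 0, 2), (7, 6): (7, 6, 5),
                  (7, 4): (7, 4, 10), (7, 2): (7, 2, 12)}
NEWEST_FIX = max(FIXED_VERSIONS.values())  # (8, 0, 2)
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Turn '7.4.9' or 'v8.0.2' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised FortiWeb version string: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True when the build predates the fixed release on its branch.
    Branches without a listed fix (e.g. 7.0.x) count as affected, matching the
    advisory's 'all devices prior to ...' wording; a branch newer than the newest
    listed fix is assumed to carry it (assumption, not stated in the advisory)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor), NEWEST_FIX)
    return (major, minor, patch) < fixed

def assess(inventory):
    """Rate each device; unpatched plus internet-facing management = high risk."""
    findings = []
    for dev in inventory:
        vulnerable = is_vulnerable(dev["version"])
        if not vulnerable:
            risk = "patched"
        elif dev["mgmt_internet_facing"]:
            risk = "high"    # advisory: internet-facing management plane is high risk
        else:
            risk = "medium"  # triage label added here: unpatched, isolation buys time
        findings.append({"host": dev["host"], "version": dev["version"],
                         "vulnerable": vulnerable, "risk": risk})
    return findings

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "fweb-edge-01", "version": "7.4.9", "mgmt_internet_facing": True},
    {"host": "fweb-dc-02", "version": "v7.6.5", "mgmt_internet_facing": False},
    {"host": "fweb-lab-03", "version": "7.0.3", "mgmt_internet_facing": False},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f["host"], f["version"], "vulnerable=%s" % f["vulnerable"], "risk=" + f["risk"])
```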

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.