Fortinet FortiWeb Authentication Bypass Flaw Actively Exploited
Estimated reading time: 10 minutes
Key takeaways:
- Critical authentication bypass vulnerability (CVE-2025-52970) in Fortinet FortiWeb is under active exploitation.
- INC Ransom group claims responsibility for Pennsylvania Attorney General data breach.
- Jaguar Land Rover suffers significant financial loss due to cyberattack.
Table of Contents:
- Fortinet FortiWeb Authentication Bypass Flaw
- Analysis of the FortiWeb Authentication Bypass Flaw
- Technical Details and Indicators of Compromise
- Remediation Steps for FortiWeb Vulnerability
- INC Ransom Claims Responsibility for Pennsylvania Attorney General Data Breach
- Jaguar Land Rover Suffers Significant Financial Loss Due to Cyberattack
- Dragon Breath APT Uses RONINGLOADER to Deploy Gh0st RAT
- Google Patches Actively Exploited Chrome V8 Zero-Day Vulnerability
- Actionable Advice for Technical and Non-Technical Readers
- FAQ
Fortinet FortiWeb Authentication Bypass Flaw
A critical authentication bypass vulnerability, CVE-2025-52970, is under active exploitation in Fortinet’s FortiWeb Web Application Firewall (WAF). The flaw lets a remote, unauthenticated attacker authenticate as any existing account, including administrators, by sending a crafted request; Fortinet classifies the root cause as improper handling of parameters. Exploitation requires some non-public information about the device and the targeted account, which narrows the pool of capable attackers but does not remove the risk: an attacker who obtains an administrator session controls the WAF that fronts your web applications, and privilege escalation and remote code execution on the appliance become realistic follow-on steps.
Analysis of the FortiWeb Authentication Bypass Flaw
FortiWeb appliances are widely deployed at the network edge, so exploitation of this vulnerability affects a large number of organizations. The surge in attacks began after a partial proof-of-concept exploit was published in August 2025, which gave threat actors enough to target exposed FortiWeb management interfaces indiscriminately.
Fortinet had already shipped fixed builds (its PSIRT advisory for CVE-2025-52970 lists the fixed release for each affected branch), yet many organizations still run unpatched firmware, and security researchers have reported dozens of confirmed compromises as a result. The episode shows how quickly attackers weaponize new vulnerabilities in internet-facing edge devices; a WAF is a particularly attractive target because it terminates TLS for, and sits in the request path of, the web assets it is meant to protect.

The impact of this vulnerability includes:
- Unauthorized access as any existing account, including administrators
- Privilege escalation to full control of the appliance
- Potential for code execution on the appliance, giving a foothold in the request path of the protected applications
To mitigate this risk, security teams should immediately inventory all internet-facing FortiWeb devices, apply the fixed build for their release branch, and monitor authentication activity. Administrator accounts nobody on the team created, logins from addresses outside the management ranges, and configuration changes with no change record are the signs that exploitation was attempted or succeeded.
Technical Details and Indicators of Compromise
The vulnerability, identified as CVE-2025-52970, affects Fortinet FortiWeb. Successful exploitation can allow attackers to gain unauthorized access, escalate privileges, and potentially execute code.
Indicators of Compromise:
- CVE: CVE-2025-52970 (the vulnerability identifier; no network indicators such as attacker IP addresses are published here)
- Host-based indicators: administrator accounts that nobody on the team created, successful admin logins from addresses outside your management ranges, and configuration or firmware changes with no corresponding change record
Remediation Steps for FortiWeb Vulnerability
To address this vulnerability, the following steps should be taken:
- Update FortiWeb: Upgrade to the fixed build that Fortinet’s PSIRT advisory for CVE-2025-52970 lists for your release branch. Fortinet published a fixed build for each affected 7.x branch, so a single cut-off version such as 8.0.2 does not tell you whether a 7.x appliance is patched. Upgrading is the only permanent fix.
- Scan for Vulnerable Systems: Use a tool such as watchTowr’s Detection Artefact Generator to find FortiWeb appliances that need attention, and cross-check the running build of every appliance against the advisory; a scanner result is a prompt to verify, not a substitute for the version check.
- Disable External Access: Remove HTTP/HTTPS administrative access from internet-facing interfaces until patching is complete; the bypass yields administrative access to the appliance, so the management interface is what must be off the internet.
- Review Authentication Logs: Examine authentication and admin-activity logs for anomalies: administrator accounts you did not create, successful logins from unexpected addresses, and one source authenticating as several different accounts in quick succession.
- Remove Unauthorized Accounts: Remove any accounts created through exploitation, and rotate the credentials of existing accounts and any API keys or certificates stored on the appliance, since the bypass yields sessions for existing users rather than new ones.
- Implement Network Segmentation: Enable strict network segmentation to limit exposure of FortiWeb appliances to the public internet.
- Apply Hardening Configurations: Restrict administrator accounts with trusted-host/IP allowlists so that even a successful bypass is only usable from addresses you control, and enforce strong access control policies on admin interfaces.
- Monitor for Privilege Escalation: Watch for unexpected configuration changes, new admin profiles, scheduled tasks or scripts on the appliance, and outbound connections from the appliance that are not part of its normal function.
- Conduct Incident Response Review: If exploitation is suspected, conduct a full incident response review, checking for persistence mechanisms or lateral movement.
- Stay Updated: Keep informed of Fortinet PSIRT advisories to stay aware of patches, exploit activity, and mitigation guidance.
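The log review called for in the mitigation paragraph above and in the "Review Authentication Logs" step can be scripted. The following is an added example, not Fortinet code and not part of the original advisory: it parses key=value event lines and applies three checks, admin account creation, successful admin logins from outside trusted management ranges, and one source address logging in as several different accounts within a short window (the last is the pattern a "log in as any existing user" bypass produces). The log lines are constructed for illustration; the field names (user, ui, action, status, msg) are assumed to resemble FortiWeb's event log and should be mapped to what your appliance actually emits, and the trusted ranges and IP addresses are placeholders.

```python
"""
Hunt for CVE-2025-52970-style activity in FortiWeb-style event logs.

Added example, not Fortinet code. Log lines are constructed; field names are
assumptions modelled on a key=value event log and must be mapped to the real
appliance output before use.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")   # e.g. ui="GUI(203.0.113.50)"


def parse_kv(line):
    """Split a key=value log line into a dict, dropping the quotes around quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def source_ip(rec):
    m = UI_IP_RE.search(rec.get("ui", ""))
    return m.group(1) if m else None


def hunt(log_text, trusted_nets, window=timedelta(minutes=2), min_users=3):
    """Return a list of finding dicts for the three behaviours described above."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings, logins = [], defaultdict(list)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        rec = parse_kv(line)
        if rec.get("type") != "event" or "date" not in rec or "time" not in rec:
            continue
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        ip, user = source_ip(rec), rec.get("user")
        # 1. Any administrator account creation gets reviewed, wherever it came from.
        if rec.get("action") == "add" and "admin user" in rec.get("msg", ""):
            findings.append({"rule": "admin_account_created", "ts": ts, "by": user,
                             "src": ip, "msg": rec["msg"]})
        if rec.get("action") == "login" and rec.get("status") == "success":
            # 2. A successful admin login from outside the trusted management ranges.
            if ip and not any(ipaddress.ip_address(ip) in n for n in nets):
                findings.append({"rule": "login_from_untrusted_ip", "ts": ts,
                                 "user": user, "src": ip})
            logins[ip].append((ts, user))
    # 3. The bypass lets one attacker authenticate as any existing user, so one source
    #    logging in as several distinct accounts inside a short window is a stronger
    #    signal than any single login. One finding per source address.
    for ip, events in logins.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                findings.append({"rule": "multi_account_login_burst", "ts": t0,
                                 "src": ip, "users": sorted(users)})
                break
    return findings


# Assumed: the only ranges administrators should ever connect from.
TRUSTED_MGMT_NETS = ["10.10.5.0/24"]

# Constructed sample log: one benign admin login, then a burst of three different
# accounts from one outside address followed by a new admin account, then a benign login.
SAMPLE_LOG = """
date=2025-11-14 time=09:12:01 type=event subtype=system user="admin" ui="GUI(10.10.5.7)" action="login" status=success msg="User admin login successfully from GUI(10.10.5.7)"
date=2025-11-14 time=09:40:13 type=event subtype=system user="admin" ui="GUI(203.0.113.50)" action="login" status=success msg="User admin login successfully from GUI(203.0.113.50)"
date=2025-11-14 time=09:40:20 type=event subtype=system user="auditor" ui="GUI(203.0.113.50)" action="login" status=success msg="User auditor login successfully from GUI(203.0.113.50)"
date=2025-11-14 time=09:40:27 type=event subtype=system user="netops" ui="GUI(203.0.113.50)" action="login" status=success msg="User netops login successfully from GUI(203.0.113.50)"
date=2025-11-14 time=09:41:02 type=event subtype=system user="admin" ui="GUI(203.0.113.50)" action="add" status=success msg="User admin added admin user 'svc_backup' from GUI(203.0.113.50)"
date=2025-11-14 time=10:02:45 type=event subtype=system user="netops" ui="GUI(10.10.5.9)" action="login" status=success msg="User netops login successfully from GUI(10.10.5.9)"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, TRUSTED_MGMT_NETS):
        print(f)
```

Run against the sample it reports three untrusted logins, one account creation and one multi-account burst from 203.0.113.50; feed it your exported event log and your real management ranges. The burst threshold (three accounts in two minutes) is deliberately conservative; lower it if your administrators rarely share a jump host.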
INC Ransom Claims Responsibility for Pennsylvania Attorney General Data Breach
The Pennsylvania Attorney General’s office (OAG) confirmed a data breach following a ransomware attack in August 2025. The INC Ransom group claimed responsibility, stating they stole 5.7TB of files from the OAG’s network. The stolen data included personal and medical information. The OAG refused to pay the ransom.
On August 9th, the attackers took down systems and services on Pennsylvania OAG’s network, including the office’s website, employees’ email accounts, and landline phone lines.
Cybersecurity expert Kevin Beaumont found that the Pennsylvania AG’s network had several public-facing Citrix NetScaler appliances vulnerable to ongoing attacks exploiting a critical vulnerability (CVE-2025-5777) known as Citrix Bleed 2. That is a plausible entry point, but neither Beaumont’s observation nor the OAG’s statement establishes it as the initial access vector.
INC Ransom is a ransomware-as-a-service (RaaS) operation that surfaced in July 2023. They have targeted organizations worldwide, including entities in education, healthcare, government, and corporations such as Yamaha Motor Philippines, Scotland’s National Health Service (NHS), Ahold Delhaize, and Xerox Business Solutions (XBS).
This incident marks the third ransomware attack on a Pennsylvania public-sector entity. In 2020, Delaware County paid a $500,000 ransom after a DoppelPaymer attack, and in 2017, a ransomware attack affected the Pennsylvania Senate Democratic Caucus’ network.
Jaguar Land Rover Suffers Significant Financial Loss Due to Cyberattack
British car manufacturer Jaguar Land Rover (JLR) reported a loss of £680 million ($896 million) for the three months ending in September. This loss was significantly influenced by a cyberattack that halted vehicle production.
The production halt resulted in a £485 million ($639 million) loss, compared to a £398 million ($424 million) profit in the same period the previous year. Additionally, JLR incurred £196 million ($258 million) in cyber-related exceptional costs related to responding to the attack.
Adrian Mardell, JLR’s outgoing chief executive, attributed the company’s performance to the cyber incident and the impact of U.S. tariffs. He said the company prioritized client, retailer, and supplier systems during the recovery.
The Cyber Monitoring Centre, a UK body that classifies the economic impact of cyber events, estimated the shutdown would cost the British economy £1.9 billion ($2.5 billion), affecting over 5,000 organizations, from JLR’s manufacturing supply chain to dealerships. A single intrusion at one manufacturer therefore became a revenue event for thousands of suppliers and dealers that were never attacked themselves, which is why supply-chain risk monitoring matters for organizations of all sizes.
Dragon Breath APT Uses RONINGLOADER to Deploy Gh0st RAT
The threat actor Dragon Breath is using a multi-stage loader called RONINGLOADER to deliver a modified version of the Gh0st RAT. This campaign targets Chinese-speaking users.
The attack uses trojanized NSIS installers disguised as legitimate software like Google Chrome and Microsoft Teams. These installers employ various evasion techniques to bypass endpoint security products.
RONINGLOADER attempts to defeat EDR user-mode hooks by loading a fresh copy of ntdll.dll and calling its unhooked exports instead of the hooked ones already in the process. It also tries to elevate privileges and scans for security products, specifically Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security, and terminates their processes.
For Qihoo 360 Total Security, the loader first cuts the product off from the network by changing the firewall configuration. It then injects shellcode into the Volume Shadow Copy (VSS) service process and uses a signed driver named “ollama.sys” to terminate processes from kernel mode, where user-mode self-protection cannot block it. For the other security products, the loader writes the driver to disk and creates a temporary service to load it, then uses it to kill the processes.
RONINGLOADER also runs batch scripts to bypass User Account Control (UAC) and create firewall rules to block inbound and outbound connections associated with Qihoo 360 security software. It uses techniques to disable Microsoft Defender Antivirus and targets Windows Defender Application Control (WDAC) by writing a malicious policy that blocks Qihoo 360 Total Security and Huorong Security.
The loader injects a rogue DLL into “regsvr32.exe” to conceal its activity and launch a next-stage payload into a high-privilege system process. The final malware deployed is a modified version of Gh0st RAT, which communicates with a remote server to fetch instructions.
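Each of the behaviours described above leaves a distinct trace in standard Windows telemetry, and hunting for the behaviour is more durable than hunting for hashes. The following is an added example, not Elastic's or any vendor's detection content: four rules over Sysmon and System-log style events, covering a kernel driver installed from a user-writable path (including the named ollama.sys), a firewall block rule aimed at a security product, a Code Integrity (WDAC) policy written by something other than a System32 binary, and a remote thread created in VSSVC.exe or regsvr32.exe from outside the Windows directory. The events are constructed; field names follow Sysmon (event IDs 1, 8, 11) and the System log (7045), but every path, service name and command line is an assumption for illustration.

```python
"""
Hunting rules for the RONINGLOADER behaviours described above.

Added example, not vendor detection content. Sample events are constructed;
paths, service names and command lines are illustrative assumptions.
"""
import ntpath

# Security products the loader is reported to target (names from the report above).
SECURITY_VENDORS = ("360", "huorong", "kingsoft", "tencent", "defender")
# Directories an unprivileged installer can write to; a kernel driver loaded from
# here is suspicious regardless of whether its signature is valid.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
CODE_INTEGRITY_DIR = "\\windows\\system32\\codeintegrity\\"
INJECTION_TARGETS = ("vssvc.exe", "regsvr32.exe")


def _lower(value):
    return (value or "").lower()


def rule_driver_service(ev):
    """System 7045: a service whose binary is a .sys file in a user-writable location."""
    if (ev["source"], ev["event_id"]) != ("system", 7045):
        return None
    path = _lower(ev["fields"].get("ImagePath"))
    if not path.endswith(".sys"):
        return None
    if path.endswith("\\ollama.sys") or any(d in path for d in USER_WRITABLE):
        return ("kernel_driver_from_writable_path", ev["fields"].get("ServiceName"), path)
    return None


def rule_firewall_blocks_security_product(ev):
    """Sysmon 1: netsh adding a block rule whose command line names a security product."""
    if (ev["source"], ev["event_id"]) != ("sysmon", 1):
        return None
    cmd = _lower(ev["fields"].get("CommandLine"))
    if ("advfirewall" in cmd and "add rule" in cmd and "action=block" in cmd
            and any(v in cmd for v in SECURITY_VENDORS)):
        return ("firewall_rule_against_security_product", ev["fields"].get("Image"), cmd)
    return None


def rule_wdac_policy_write(ev):
    """Sysmon 11: a Code Integrity policy written by a process outside System32.
    Heuristic: legitimate WDAC deployment (Intune, GPO) runs from System32 binaries."""
    if (ev["source"], ev["event_id"]) != ("sysmon", 11):
        return None
    target = _lower(ev["fields"].get("TargetFilename"))
    writer = _lower(ev["fields"].get("Image"))
    if (CODE_INTEGRITY_DIR in target and target.endswith((".p7b", ".cip"))
            and not writer.startswith("c:\\windows\\system32\\")):
        return ("wdac_policy_written_by_untrusted_process", writer, target)
    return None


def rule_injection_into_system_process(ev):
    """Sysmon 8 (CreateRemoteThread): a non-Windows binary starting a thread in VSSVC or regsvr32."""
    if (ev["source"], ev["event_id"]) != ("sysmon", 8):
        return None
    src = _lower(ev["fields"].get("SourceImage"))
    dst = _lower(ev["fields"].get("TargetImage"))
    if ntpath.basename(dst) in INJECTION_TARGETS and not src.startswith("c:\\windows\\"):
        return ("remote_thread_into_system_process", src, dst)
    return None


RULES = (rule_driver_service, rule_firewall_blocks_security_product,
         rule_wdac_policy_write, rule_injection_into_system_process)


def hunt(events):
    """Apply every rule to every event; return (rule_name, actor, detail) tuples."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry: four events modelled on the reported chain, two benign.
SAMPLE_EVENTS = [
    {"source": "system", "event_id": 7045, "fields": {
        "ServiceName": "tmp_svc_9f3a", "ServiceType": "kernel mode driver",
        "ImagePath": "\\??\\C:\\Users\\Public\\ollama.sys"}},
    {"source": "sysmon", "event_id": 1, "fields": {
        "Image": "C:\\Windows\\System32\\netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name="upd" dir=out action=block '
                       'program="C:\\Program Files (x86)\\360\\Total Security\\360Tray.exe"'}},
    {"source": "sysmon", "event_id": 11, "fields": {
        "Image": "C:\\Users\\Public\\ChromeSetup.exe",
        "TargetFilename": "C:\\Windows\\System32\\CodeIntegrity\\SIPolicy.p7b"}},
    {"source": "sysmon", "event_id": 8, "fields": {
        "SourceImage": "C:\\Users\\Public\\ChromeSetup.exe",
        "TargetImage": "C:\\Windows\\System32\\VSSVC.exe"}},
    # Benign: an installer writing to Downloads, and a driver loaded from System32.
    {"source": "sysmon", "event_id": 11, "fields": {
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
        "TargetFilename": "C:\\Users\\alice\\Downloads\\notes.txt"}},
    {"source": "system", "event_id": 7045, "fields": {
        "ServiceName": "vmci", "ServiceType": "kernel mode driver",
        "ImagePath": "\\SystemRoot\\System32\\drivers\\vmci.sys"}},
]

if __name__ == "__main__":
    for name, actor, detail in hunt(SAMPLE_EVENTS):
        print(f"{name}: {actor} -> {detail}")
```

The rules are written to be tolerant of renamed binaries: none of them keys on the installer's file name or hash, only on what it does. In a real deployment, the WDAC and driver rules need an allowlist for your own management tooling, and the injection rule should also cover Sysmon event 10 (ProcessAccess) because shellcode injection does not always go through CreateRemoteThread.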
Palo Alto Networks Unit 42 identified two interconnected malware campaigns using “large-scale brand impersonation” to deliver Gh0st RAT to Chinese-speaking users. Campaign Trio (February-March 2025) mimicked i4tools, Youdao, and DeepSeek. Campaign Chorus (May 2025) impersonated over 40 applications, including QQ Music and Sogou browser. These campaigns used trojanized installers and complex, multi-stage infection chains to bypass defenses.
Google Patches Actively Exploited Chrome V8 Zero-Day Vulnerability
Google released security updates for Chrome to address two security flaws, including CVE-2025-13223, a type confusion vulnerability in the V8 JavaScript and WebAssembly engine. Type confusion lets a crafted web page make V8 treat an object as a different type than it is, corrupting memory; the outcome is typically arbitrary code execution inside the renderer sandbox, or a crash. Full compromise of the device additionally requires a sandbox escape, which is why such bugs are usually seen chained with other flaws in targeted attacks.
Clément Lecigne of Google’s Threat Analysis Group (TAG) reported the flaw on November 12, 2025. Google acknowledged that an “exploit for CVE-2025-13223 exists in the wild” but has not shared details on the attackers or targets.
This is the seventh Chrome zero-day patched this year. Google also patched another type confusion vulnerability in V8 (CVE-2025-13224), flagged by its AI agent Big Sleep.
Users should update Chrome to 142.0.7444.175/.176 on Windows, 142.0.7444.176 on macOS, and 142.0.7444.175 on Linux. Chrome downloads the update automatically, but it only takes effect after the browser is relaunched. Users of other Chromium-based browsers (Edge, Brave, Opera, Vivaldi and others) should apply their vendors' fixes when available.
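Checking a fleet against those build numbers is where version comparisons usually go wrong: compared as strings, "142.0.7444.99" sorts above "142.0.7444.175", and an inventory with a blank version silently counts as compliant. The following is an added example, not Google's code, that compares builds numerically per platform, fails closed on unknown platforms or unparsable versions, and uses the fixed builds quoted above; the inventory rows are constructed.

```python
"""
Fleet check for the Chrome builds that fix CVE-2025-13223 and CVE-2025-13224.

Added example, not Google's code. Minimum builds are the ones in the advisory
text above; the inventory rows are constructed.
"""

# First fixed build per platform (142.0.7444.176 on Windows is also fixed).
MINIMUM_FIXED = {
    "windows": "142.0.7444.175",
    "mac": "142.0.7444.176",
    "linux": "142.0.7444.175",
}


def parse_version(text):
    """'142.0.7444.175' -> (142, 0, 7444, 175); raises ValueError on anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Chrome version format: {text!r}")
    return parts


def is_patched(platform, version):
    """True if `version` is at or beyond the first fixed build for `platform`.
    Unknown platforms and unparsable versions are treated as unpatched (fail closed)."""
    try:
        return parse_version(version) >= parse_version(MINIMUM_FIXED[platform])
    except (KeyError, ValueError):
        return False


def unpatched_hosts(inventory):
    """inventory: iterable of (hostname, platform, version) -> hostnames still exposed."""
    return [host for host, platform, version in inventory if not is_patched(platform, version)]


# Constructed inventory rows: (hostname, platform, Chrome version reported by the agent).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "142.0.7444.176"),   # patched
    ("ws-002", "windows", "142.0.7444.99"),    # older build; a string compare would call it newer
    ("mac-01", "mac", "142.0.7444.175"),        # the macOS fix is .176, so still exposed
    ("lx-01", "linux", "143.0.7500.10"),        # later major release, patched
    ("ws-003", "windows", "unknown"),           # agent could not read the version: fail closed
]

if __name__ == "__main__":
    print("needs update:", unpatched_hosts(SAMPLE_INVENTORY))
```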
Actionable Advice for Technical and Non-Technical Readers
Technical Readers:
- Patch Management: Implement a rigorous patch management process to promptly apply security updates to all systems, including WAFs, operating systems, and applications. Prioritize by risk, with confirmed in-the-wild exploitation (as with the FortiWeb and Chrome flaws above) at the top of the queue; a cyber threat intelligence platform can supply that signal.
- Vulnerability Scanning: Regularly scan internet-facing assets for known vulnerabilities. Employ automated tools to identify and remediate security weaknesses.
- Network Segmentation: Segment networks to limit the lateral movement of attackers. Isolate critical systems and data from less secure environments.
- Endpoint Security: Deploy and maintain endpoint detection and response (EDR) solutions to detect and respond to malicious activity on endpoints.
- Monitoring and Logging: Implement robust monitoring and logging to detect unusual activity and potential security incidents.
Non-Technical Readers:
- Awareness Training: Educate employees about common cyber threats, such as phishing and social engineering attacks.
- Incident Response Plan: Develop and maintain an incident response plan to effectively respond to security incidents.
- Vendor Risk Management: Assess the security posture of third-party vendors and suppliers. Ensure that vendors have adequate security controls in place to protect sensitive data. Consider implementing supply-chain risk monitoring.
- Data Backup and Recovery: Regularly back up critical data and test the recovery process to ensure business continuity in the event of a cyberattack.
- Security Policies: Establish clear security policies and procedures for employees to follow.
PurpleOps offers a suite of services designed to address these challenges, including a cyber threat intelligence platform, real-time ransomware intelligence, and dark web monitoring service. We also provide services for breach detection and supply-chain risk monitoring.
To learn more about how PurpleOps can help you protect your organization from cyber threats, please visit PurpleOps Platform or contact us at PurpleOps Services.
FAQ
What is CVE-2025-52970?
CVE-2025-52970 is a critical authentication bypass vulnerability in Fortinet’s FortiWeb WAF that allows an unauthenticated attacker who holds certain non-public information about the device and the targeted account to log in as that existing user, including administrators.
What versions of FortiWeb are affected?
Fortinet’s PSIRT advisory for CVE-2025-52970 lists the affected 7.x release branches and a fixed build for each; check the advisory for your branch rather than assuming a single cut-off version such as 8.0.2 covers every appliance.
What is INC Ransom?
INC Ransom is a ransomware-as-a-service (RaaS) operation that surfaced in July 2023.
What is RONINGLOADER?
RONINGLOADER is a multi-stage loader used by the Dragon Breath APT to deliver a modified version of the Gh0st RAT.
What is a zero-day vulnerability?
A zero-day vulnerability is a security flaw that attackers are exploiting before the vendor has shipped a fix, so defenders have had “zero days” to patch. The Chrome flaw above qualifies because Google confirmed an exploit existed in the wild when the update was released.