A security researcher has disclosed a critical vulnerability in Fortinet’s FortiWeb web application firewall that enables complete authentication bypass, allowing attackers to impersonate any user, including administrators. The flaw, designated CVE-2025-52970 and nicknamed “FortMajeure,” represents a significant security concern for organizations relying on FortiWeb for web application protection.
Technical Details of the Vulnerability
The vulnerability stems from an out-of-bounds read error in FortiWeb’s cookie parsing mechanism. When exploited, this flaw allows attackers to manipulate the “Era” parameter within session cookies, forcing the server to use an all-zero secret key for session encryption and HMAC signing operations.
Security researcher Aviv Y, who discovered and responsibly disclosed the vulnerability, described it as a “silent failure that wasn’t meant to happen.” The technical exploitation involves setting the Era parameter to unexpected values between 2 and 9, which triggers the out-of-bounds read condition and compromises the encryption key system.
Once this condition is achieved, attackers can create forged authentication cookies with trivial effort, effectively bypassing all authentication controls. The exploitation results in complete session hijacking capabilities, enabling attackers to assume the identity of any active user on the system.
Exploitation Requirements and Process
Successful exploitation of CVE-2025-52970 requires two specific conditions:
Active User Session: The target user must have an active session during the attack window, limiting the attack to periods when legitimate users are logged in.
Brute Force Component: Attackers must guess a small numeric field within the cookie structure, validated by the refresh_total_logins() function. However, this presents minimal difficulty as the search space typically ranges below 30 values, requiring approximately 30 requests to complete.
The researcher demonstrated successful exploitation through both REST API endpoints and command-line interface access, showcasing the vulnerability’s broad impact on system access controls.
Affected Versions and Remediation
The vulnerability impacts multiple FortiWeb version branches:
- FortiWeb 7.6: Versions 7.6.0 through 7.6.3
- FortiWeb 7.4: Versions 7.4.0 through 7.4.7
- FortiWeb 7.2: Versions 7.2.0 through 7.2.10
- FortiWeb 7.0: Versions 7.0.0 through 7.0.10
Fortinet released patches on August 12, 2025, addressing the vulnerability in the following versions:
- FortiWeb 7.6.4 and later
- FortiWeb 7.4.8 and later
- FortiWeb 7.2.11 and later
- FortiWeb 7.0.11 and later
FortiWeb 8.0 releases are not affected by this vulnerability and require no action.
Severity Assessment and Industry Response
Fortinet assigned a CVSS v3.1 score of 7.7 (High severity) to this vulnerability. While the scoring reflects “high attack complexity” due to the brute-forcing requirement, security experts note that this component is straightforward to execute in practice, making the vulnerability more dangerous than the score might suggest.
The researcher emphasized that the published proof-of-concept demonstrates the core vulnerability mechanism but lacks sufficient detail for immediate weaponization. The complete exploitation chain requires reverse engineering Fortinet’s proprietary data structures, providing some protection against immediate widespread exploitation.
Responsible Disclosure and Timeline
Following responsible disclosure practices, Aviv Y reported the vulnerability to Fortinet before public disclosure. The researcher has committed to releasing complete exploitation details at a future date, deliberately allowing system administrators additional time to implement patches across their infrastructure.
