EXECUTIVE SUMMARY:
A critical authentication bypass vulnerability has been identified in Fortinet FortiWeb, tracked as CVE-2025-52970. This flaw allows unauthenticated remote attackers to impersonate any valid user account on the device without supplying credentials.
- CVE-2025-52970: The vulnerability stems from improper handling of the "Era" cookie parameter. The Era value is used to select an encryption key from a table held in shared memory, but the index is not bounds-checked, so an out-of-bounds read on values outside the populated range (for example, integers between 2 and 9) returns uninitialized or zero-filled key material instead of a real key. Because the attacker then knows the key that will be used to validate the session cookie, they can forge session data that passes cryptographic validation. Successful exploitation requires knowledge of non-public details about the target device and user, an active session for that user, and brute-forcing a short validation parameter, which is typically achievable in under 30 attempts. The flaw carries a CVSS v3.1 score of 8.1 (High severity); exploitation grants fully authenticated access as the impersonated user, enabling privilege abuse, lateral movement, and further compromise of enterprise networks.
This vulnerability poses a significant risk to organizations using vulnerable FortiWeb versions, especially in internet-exposed deployments.
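To make the key-selection flaw concrete, the following is an added C model written for this page; it is not FortiWeb code, and the memory layout, number of populated key slots, key values and function names are all assumptions. It shows how an attacker-controlled Era value used as an unchecked index into a small key table lands in zero-filled memory for Era 2 through 9, and how a bounds check removes that path:

```c
/* Added model of the CVE-2025-52970 key-selection flaw.
 * Assumptions (not taken from FortiWeb): two real key slots (Era 0 and 1),
 * 16-byte keys, and a shared-memory region whose remaining slots are never
 * written and therefore stay zero-filled. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define KEY_LEN        16
#define NUM_REAL_KEYS   2   /* assumption: only Era 0 and 1 hold real keys */
#define NUM_SLOTS      10   /* assumption: region large enough for Era 0..9 */

/* Model of the shared-memory key region: slot i starts at i * KEY_LEN. */
static uint8_t g_key_region[NUM_SLOTS * KEY_LEN];

/* Populate only the real key slots; everything else remains zero. */
void init_key_region(void) {
    memset(g_key_region, 0, sizeof g_key_region);
    memset(&g_key_region[0 * KEY_LEN], 0xA5, KEY_LEN);   /* Era 0 key */
    memset(&g_key_region[1 * KEY_LEN], 0x5C, KEY_LEN);   /* Era 1 key */
}

/* Vulnerable pattern: the Era value from the cookie is trusted as an index.
 * For era 2..9 the returned pointer points at zero-filled memory, so the
 * "key" used to validate the session is entirely predictable. */
const uint8_t *select_key_vulnerable(int era) {
    return &g_key_region[(size_t)era * KEY_LEN];
}

/* Hardened pattern: reject any Era outside the populated key slots. */
const uint8_t *select_key_fixed(int era) {
    if (era < 0 || era >= NUM_REAL_KEYS)
        return NULL;
    return &g_key_region[(size_t)era * KEY_LEN];
}

/* Returns 1 if the selected key is all zeros (i.e. attacker-predictable). */
int key_is_all_zero(const uint8_t *key) {
    if (key == NULL)
        return 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        if (key[i] != 0)
            return 0;
    return 1;
}

int main(void) {
    init_key_region();
    for (int era = 0; era < NUM_SLOTS; era++) {
        const uint8_t *vk = select_key_vulnerable(era);
        const uint8_t *fk = select_key_fixed(era);
        printf("Era %d: vulnerable -> %s, fixed -> %s\n", era,
               key_is_all_zero(vk) ? "ZERO KEY (forgeable)" : "real key",
               fk == NULL ? "rejected" : "real key");
    }
    return 0;
}
```

The check in select_key_fixed is the whole fix: once the index is bounded to the populated slots, a crafted Era can no longer steer key selection into memory the attacker can predict, and the brute-force step described above has nothing to work with.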
RECOMMENDATION:
- We strongly recommend you update Fortinet FortiWeb to version 7.0.11, 7.2.11, 7.4.8, or 7.6.4, or later within the respective branch.
REFERENCES:
The following reports contain further technical details: