Fortinet FortiWeb Flaw: Another Reminder That “Days Without an Incident” Rarely Last Long
You’ve seen those factory signs proudly declaring X days without an incident. If Fortinet had one, the number would rarely break double digits. And once again, the counter resets to zero.
The Flaw
A newly disclosed path traversal vulnerability in FortiWeb allows attackers to create administrative accounts without authentication. In practice, this means:
Attackers can send crafted requests to vulnerable FortiWeb devices.
These requests bypass normal checks and drop in new admin accounts with preset usernames and passwords.
Once inside, attackers gain full control of the web application firewall — the very tool meant to protect your applications.
This isn’t just bad. It’s “handing out master keys to strangers” bad.
Why It Matters
When attackers can create admin accounts at will, they don’t just compromise the firewall. They gain:
Control over traffic inspection and filtering — meaning they can allow malicious traffic through.
Access to sensitive applications and data behind the firewall.
Persistence — because admin accounts can be used to maintain long‑term access.
In short: the very system designed to protect your business becomes the attacker’s playground.
The Fix
Fortinet has addressed the issue in FortiWeb 8.0.2. If you’re running anything older, patch immediately. But patching once isn’t enough. Attackers thrive on organizations that patch inconsistently or slowly.
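As an added example (not code from the original post, Fortinet, or Actionable Security), here is a small Python inventory audit that does the two defensive checks the post implies: flag FortiWeb devices reporting a release older than 8.0.2, and flag administrative accounts that are not on an approved baseline, since the flaw's visible effect is an admin account nobody created. The hostnames, version strings, account names and the export layout are constructed sample data; FortiWeb's real configuration export format is not assumed.

```python
# Added example (not from the original post or Fortinet): inventory audit that
# (1) flags devices on a release older than the 8.0.2 fix named in the post and
# (2) flags admin accounts absent from an approved baseline.
# Device names, versions and account names are constructed sample data; the
# inventory structure is hypothetical, not FortiWeb's own export format.
from typing import Dict, List, Tuple

FIXED_VERSION = (8, 0, 2)  # FortiWeb release the post says addresses the flaw


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.0.1' into (8, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_patch(version: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the running version sorts before the fixed release.
    A two-part string such as '8.0' sorts before (8, 0, 2), so it is flagged too."""
    return parse_version(version) < fixed


def unexpected_admins(current: List[str], approved: List[str]) -> List[str]:
    """Admin accounts present on the device but missing from the approved baseline."""
    approved_set = {name.lower() for name in approved}
    return sorted(name for name in set(current) if name.lower() not in approved_set)


def audit(inventory: Dict[str, Dict], approved_admins: List[str]) -> Dict[str, Dict]:
    """Per device: does it still need the patch, and which admins are unexplained."""
    findings = {}
    for host, device in inventory.items():
        findings[host] = {
            "needs_patch": needs_patch(device["version"]),
            "unexpected_admins": unexpected_admins(device["admins"], approved_admins),
        }
    return findings


# Constructed sample inventory: hostnames, versions and account names are made up.
SAMPLE_INVENTORY = {
    "waf-edge-1": {"version": "8.0.2", "admins": ["admin", "secops"]},
    "waf-edge-2": {"version": "8.0.1", "admins": ["admin", "secops", "svc_x9k2"]},
    "waf-lab": {"version": "7.6.3", "admins": ["admin"]},
}
APPROVED_ADMINS = ["admin", "secops"]

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY, APPROVED_ADMINS).items():
        print(host, result)
```

Run as-is it prints one line per device; in practice the inventory would be fed from whatever asset system tracks device firmware, and the approved-admin list kept under change control so that any account outside it is treated as a finding until someone explains it.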
The Bigger Picture
This incident highlights a recurring theme: Fortinet always seems to be in the headlines. And when your “days without an incident” counter keeps resetting to zero, it may be time to consider other options.
With Black Friday around the corner, maybe it’s the perfect time to look for a good deal on a new Web Application Firewall. Because attackers aren’t waiting, and neither should you.
How Actionable Security Can Help
At Actionable Security, we know small businesses don’t have the bandwidth to chase every headline. That’s why our TotalProtect 360 service is designed to:
Identify unpatched devices across your environment.
Build a vulnerability management program tailored to your business.
Ensure patches are applied consistently, reducing the window of exposure.
Translate technical risk into business impact so you can prioritize what matters most.
Don’t wait for the next Fortinet headline to remind you. Reach out today and let’s make sure your “days without an incident” counter finally climbs higher.
Because nothing says doorbuster deal like keeping attackers out of your apps. 💥🔒
#BlackFridayFirewallSale #PatchOrPerish #FortiOops