A newly disclosed vulnerability in Fortinet’s FortiWeb web application firewall, dubbed FortMajeure, allows remote attackers to bypass authentication and impersonate any active user, including administrators.
Tracked as CVE-2025-52970, the flaw stems from an out-of-bounds read in the product's cookie parsing logic: a crafted cookie can steer the parser past its key table, so the session is handled with an all-zero encryption key. Because that key is known to the attacker, a valid authentication cookie can be forged for any user who has an active session at the time of the attack.

Security researcher Aviv Y, who responsibly reported the issue to Fortinet, shared a partial proof-of-concept and noted that exploitation requires brute-forcing a small numeric field in the cookie, typically a search space of only about 30 values. Each guess can be checked immediately against the appliance, so a correct forgery is confirmed on the spot and grants the attacker the impersonated user's level of access, which for an administrator account means full control of the device.
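To make the two points above concrete, here is a toy model of the bug class, written for this article and not taken from FortiWeb or from the researcher's proof-of-concept. It assumes a cookie whose MAC key is chosen by a numeric index into a server-side key table, that memory just past the table is zero-initialised, and that the field the attacker brute-forces is that index; the field names keyidx, payload and mac, the table size and the 30-guess budget are all constructed for the illustration, not details of the real appliance. The vulnerable lookup has no bounds check, the fixed one rejects out-of-range indexes, and the attacker loop shows why the brute force is cheap: every guess is a single verification that either succeeds or fails at once.

```python
import hmac
import hashlib
import secrets
from typing import Callable, Optional, Tuple

# Added example, not FortiWeb code: a simplified model of a cookie whose
# MAC key is selected by an attacker-controlled index into a key table.

KEY_LEN = 32
NUM_KEYS = 2          # keys the server actually provisioned (unknown to the attacker)
ARENA_SLOTS = 64      # constructed: memory behind the table is zero-initialised

# Constructed key table: slots 0..NUM_KEYS-1 hold random keys; everything
# after them is zero, standing in for untouched memory past the table.
_arena = bytearray(ARENA_SLOTS * KEY_LEN)
for _i in range(NUM_KEYS):
    _arena[_i * KEY_LEN:(_i + 1) * KEY_LEN] = secrets.token_bytes(KEY_LEN)

ZERO_KEY = bytes(KEY_LEN)


def key_lookup_vulnerable(idx: int) -> bytes:
    """No bounds check: an index past the table reads zeroed memory."""
    return bytes(_arena[idx * KEY_LEN:(idx + 1) * KEY_LEN])


def key_lookup_fixed(idx: int) -> bytes:
    """Bounds-checked lookup: out-of-range indexes are rejected outright."""
    if not 0 <= idx < NUM_KEYS:
        raise ValueError("key index out of range")
    return bytes(_arena[idx * KEY_LEN:(idx + 1) * KEY_LEN])


def _mac(key: bytes, idx: int, payload: bytes) -> str:
    # The MAC binds the index to the payload so neither can be swapped alone.
    return hmac.new(key, f"{idx}|".encode() + payload, hashlib.sha256).hexdigest()


def mint_cookie(user: str, key: bytes, idx: int) -> str:
    """Build a cookie; keyidx, payload and mac are hypothetical field names."""
    payload = f"user={user}".encode()
    return f"keyidx={idx}&payload={payload.hex()}&mac={_mac(key, idx, payload)}"


def verify_cookie(cookie: str, key_lookup: Callable[[int], bytes]) -> Optional[str]:
    """Server side: return the authenticated user name, or None if rejected."""
    try:
        fields = dict(part.split("=", 1) for part in cookie.split("&"))
        idx = int(fields["keyidx"])
        payload = bytes.fromhex(fields["payload"])
        key = key_lookup(idx)
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(_mac(key, idx, payload), fields["mac"]):
        return None
    return payload.decode().removeprefix("user=")


def forge_session(user: str, key_lookup: Callable[[int], bytes],
                  max_tries: int = 30) -> Optional[Tuple[int, str]]:
    """Attacker side: try small index values with the all-zero key until the
    server accepts one. Each attempt is one verification, so a hit is
    confirmed immediately. Returns (index, cookie) or None."""
    for idx in range(max_tries):
        cookie = mint_cookie(user, ZERO_KEY, idx)
        if verify_cookie(cookie, key_lookup) == user:
            return idx, cookie
    return None


if __name__ == "__main__":
    legit = mint_cookie("alice", key_lookup_fixed(0), 0)
    print("legitimate cookie accepted:", verify_cookie(legit, key_lookup_vulnerable))
    print("forgery against vulnerable lookup:", forge_session("admin", key_lookup_vulnerable))
    print("forgery against fixed lookup:", forge_session("admin", key_lookup_fixed))
```

Against the vulnerable lookup the loop succeeds as soon as the index steps past the real table, because the key read from zeroed memory is exactly the all-zero key the attacker used to sign the cookie. The fix is the bounds check in key_lookup_fixed; note that a constant-time comparison alone would not help, since the attacker holds the correct key for the index they chose.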
Fortinet published fixes on August 12. The flaw affects the FortiWeb 7.0, 7.2, 7.4 and 7.6 branches and is resolved in versions 7.0.11, 7.2.11, 7.4.8 and 7.6.4 and later. Fortinet confirmed that FortiWeb 8.0 is not affected, so no action is required on that branch. Administrators should update immediately to prevent exploitation; because the attack targets users with live sessions, deployments in front of medical and healthcare systems in particular should treat the upgrade as a priority.