Full Report
The session cookie on this website contains three parts:
- Era: Type of session.
- Payload: Encrypted data with session information, such as the username.
- AuthHash: SHA1 HMAC hash for the ciphertext of Payload above. This uses the same secret key as the Payload for encryption.

This C server selects the shared key based upon the Era value from an array. It decrypts the Payload using the key. Then, it verifies the AuthHash using the key and ciphertext. Pretty simple!

The vulnerability lies in the use of the Era value, which should only be 0 or 1. However, there is no check on the value, which leads to an out-of-bounds access. Since this is used for direct access to the key, this is a significant issue. When the Era is 2-9, it will read uninitialized memory! This removes all entropy from the key space, which allows us to encrypt and sign the data ourselves.

To run this attack, the target user must have an active session running. Still, it's a pretty sick bug! It's not very often that a memory corruption bug leads to a cryptographic bypass. I believe that as binary exploitation presentation methods become more sophisticated, application-level attack methods will also become more prevalent.
Analysis Summary
# Vulnerability: FortMajeure - Authentication Bypass in FortiWeb
## CVE Details
- **CVE ID:** CVE-2025-52970
- **CVSS Score:** High. The vendor-assigned vector is published in FortiGuard advisory FG-IR-25-448; the researcher describes the bug as a significant cryptographic bypass.
- **CWE:** CWE-125: Out-of-bounds Read (the `Era` array index is never bounds-checked). The key material read past the array was never written, so CWE-908: Use of Uninitialized Resource describes the consequence more precisely than CWE-824 (Access of Uninitialized Pointer), which the original summary cited.
## Affected Systems
- **Products:** Fortinet FortiWeb
- **Versions:** Reported on FortiWeb-VM 7.6.1, build 1010 (GA.F). Other 7.x releases are expected to be affected; the FortiGuard advisory lists the exact affected and fixed versions.
- **Configurations:** Any deployment that exposes the management web interface or REST API. The vulnerable cookie belongs to the administrative session handled by `httpd`, so the WAF operation mode (reverse proxy, transparent, etc.) is not what determines exposure.
## Vulnerability Description
The vulnerability exists in the `httpd` binary's handling of the `APSCOOKIE_FWEB` session cookie. The cookie consists of an `Era`, a `Payload` (encrypted session data) and an `AuthHash` (HMAC-SHA1 over the Payload ciphertext, keyed with the same secret used for the encryption).
The backend uses `Era` as an index into a shared-memory array to select the secret key for both decryption and HMAC verification. `Era` should only ever be 0 or 1, but the value is never validated. An `Era` between 2 and 9 indexes past the two initialised keys into memory that has never been written, so the server uses a predictable all-zero byte string as its key. With the key known, an attacker can encrypt and sign a session payload of their choosing; the only remaining unknowns are session-specific values inside the payload, which is why the exploit has to brute-force a login counter (see Exploitation).
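The following model of the key selection and cookie check is an added example, not code from the page or from FortiWeb. It assumes a 32-byte key, a single-digit `Era`, a cookie layout of `Era=<n>&Payload=<base64>&AuthHash=<hex>`, and uses an HMAC-SHA1 counter-mode keystream as a stand-in for the unnamed cipher; all of these are assumptions. It shows the unchecked lookup beside a hardened one and why a cookie forged under the all-zero key passes the first but not the second.

```python
import base64
import hashlib
import hmac

KEY_LEN = 32    # assumed key length; the page does not state it
KEY_SLOTS = 10  # model: Era 0..9 are the indices the server will use


def make_key_table(initialised_keys):
    """Model of the shared-memory key table. Only slots 0 and 1 are ever
    written; everything past them keeps the zero fill of freshly mapped memory."""
    table = bytearray(KEY_SLOTS * KEY_LEN)
    for i, key in enumerate(initialised_keys):
        table[i * KEY_LEN:(i + 1) * KEY_LEN] = key
    return bytes(table)


def select_key_vulnerable(table, era):
    """Unchecked index: Era 2..9 returns bytes that were never initialised."""
    return table[era * KEY_LEN:(era + 1) * KEY_LEN]


def select_key_fixed(table, era):
    """Hardened lookup: only the two initialised slots are accepted."""
    if era not in (0, 1):
        return None
    return table[era * KEY_LEN:(era + 1) * KEY_LEN]


def keystream_xor(key, data):
    """Stand-in cipher (HMAC-SHA1 in counter mode) for the unnamed one the
    appliance uses. XOR is symmetric, so this both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 20):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha1).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 20], block))
    return bytes(out)


def auth_hash(key, ciphertext):
    """AuthHash: HMAC-SHA1 over the Payload ciphertext, same key as the cipher."""
    return hmac.new(key, ciphertext, hashlib.sha1).hexdigest()


def build_cookie(key, era, session_data):
    """Assumed cookie layout: Era=<digit>&Payload=<base64>&AuthHash=<hex>."""
    ciphertext = keystream_xor(key, session_data)
    return "Era=%d&Payload=%s&AuthHash=%s" % (
        era, base64.b64encode(ciphertext).decode(), auth_hash(key, ciphertext))


def parse_cookie(value):
    fields = dict(part.split("=", 1) for part in value.split("&"))
    return (int(fields["Era"]),
            base64.b64decode(fields["Payload"]),
            fields["AuthHash"])


def server_verify(select_key, table, cookie):
    """Server side: pick the key by Era, check AuthHash, then decrypt.
    Returns (accepted, session_data); session_data is None on rejection."""
    era, ciphertext, tag = parse_cookie(cookie)
    key = select_key(table, era)
    if key is None or not hmac.compare_digest(auth_hash(key, ciphertext), tag):
        return False, None
    return True, keystream_xor(key, ciphertext)


def forge_cookie(session_data, era=2):
    """Attacker side: for Era >= 2 the vulnerable server's key is all zeros,
    so the attacker encrypts and signs its own session data with that key."""
    return build_cookie(bytes(KEY_LEN), era, session_data)


if __name__ == "__main__":
    real_keys = [b"\x11" * KEY_LEN, b"\x22" * KEY_LEN]   # constructed secrets
    table = make_key_table(real_keys)
    legit = build_cookie(real_keys[0], 0, b"username=alice")
    forged = forge_cookie(b"username=admin", era=2)
    print("vulnerable, legit :", server_verify(select_key_vulnerable, table, legit))
    print("vulnerable, forged:", server_verify(select_key_vulnerable, table, forged))
    print("fixed, forged     :", server_verify(select_key_fixed, table, forged))
```

The point of the model is that nothing in the HMAC or cipher is broken: the forgery works purely because the attacker can predict the key the server will select. Any `Era` from 2 to 9 lands in the zero region, so the fix is the bounds check in `select_key_fixed`, not a change of primitive.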
## Exploitation
- **Status:** PoC available (Researcher has demonstrated administrative access via the API).
- **Complexity:** Medium (Requires brute-forcing a session-specific login counter).
- **Attack Vector:** Network (Unauthenticated remote access).
- **Requirement:** A target user must have an active session running on the system for the impersonation to succeed.
## Impact
- **Confidentiality:** High (Access to sensitive API data and system status).
- **Integrity:** High (Ability to impersonate administrative users and alter configurations).
- **Availability:** High (full administrative control, including CLI access through endpoints such as `/ws/cli/open`, lets an attacker reconfigure or disrupt the appliance and potentially obtain code execution).
## Remediation
### Patches
- Users should refer to the official [FortiGuard PSIRT Advisory FG-IR-25-448](https://fortiguard.fortinet.com/psirt/FG-IR-25-448) for the specific patched firmware versions.
### Workarounds
- No specific software workaround is provided; upgrading to the latest patched firmware is the primary remediation.
- Restrict access to the management interface and API endpoints to trusted IP addresses only.
## Detection
- **Indicators of Compromise:** Requests whose `APSCOOKIE_FWEB` cookie carries an `Era` of 2 or higher (`Era=2` through `Era=9`); a legitimate client only ever sends 0 or 1. The cookie value may be URL-encoded in logs (`Era%3D2%26...`), so decode before matching.
- **Detection Methods:** Inspect incoming HTTP requests for anomalous session cookie parameters. Monitor for administrative API calls, and in particular CLI endpoints such as `/ws/cli/open`, originating from unexpected source addresses.
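As an added example of the log check described above (not part of the original page, and not a FortiWeb log format), the snippet below runs over constructed access-log lines and flags every request whose `APSCOOKIE_FWEB` cookie carries an `Era` above 1. The log layout, request paths other than `/ws/cli/open`, and the URL-encoded cookie form are all assumptions for the sample data.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real FortiWeb logs): source IP, request,
# status and the Cookie header. Two lines carry a URL-encoded cookie value,
# one carries it raw, one has no session cookie at all.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2025:10:00:01 +0000] "GET /api/system/status HTTP/1.1" 200 '
    '"APSCOOKIE_FWEB=Era%3D0%26Payload%3DAAECAwQ%3D%26AuthHash%3D0badc0de"',
    '203.0.113.7 - - [12/Aug/2025:10:00:05 +0000] "GET /api/system/status HTTP/1.1" 200 '
    '"APSCOOKIE_FWEB=Era%3D2%26Payload%3DAAECAwQ%3D%26AuthHash%3D0badc0de"',
    '198.51.100.5 - - [12/Aug/2025:10:00:09 +0000] "GET /ws/cli/open HTTP/1.1" 101 '
    '"APSCOOKIE_FWEB=Era=9&Payload=AAECAwQ=&AuthHash=0badc0de"',
    '192.0.2.11 - - [12/Aug/2025:10:00:12 +0000] "GET /login HTTP/1.1" 200 "-"',
]

COOKIE_RE = re.compile(r'APSCOOKIE_FWEB=([^;\s"]+)')
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+)')


def era_of(cookie_value):
    """Return the Era field of an APSCOOKIE_FWEB value, decoding URL-encoding
    first so Era%3D2 and Era=2 are treated alike; None if no Era field."""
    match = re.search(r"(?:^|&)Era=(\d+)", unquote(cookie_value))
    return int(match.group(1)) if match else None


def suspicious_eras(log_lines, max_legit_era=1):
    """Flag every request whose session cookie carries an Era above the two
    valid values. Returns (source_ip, era, request_path) tuples."""
    hits = []
    for line in log_lines:
        for cookie in COOKIE_RE.findall(line):
            era = era_of(cookie)
            if era is not None and era > max_legit_era:
                path = REQUEST_RE.search(line)
                hits.append((line.split(" ", 1)[0], era,
                             path.group(1) if path else None))
    return hits


if __name__ == "__main__":
    for ip, era, path in suspicious_eras(SAMPLE_LOG):
        print(f"ALERT {ip} sent Era={era} to {path}")
```

Because the vulnerable range is every index above 1, the rule keys on `era > 1` rather than on a list of specific values; a single hit is already high-signal, since no legitimate client has a reason to emit such a cookie.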
## References
- FortiGuard Advisory: [https://fortiguard.fortinet.com/psirt/FG-IR-25-448](https://fortiguard.fortinet.com/psirt/FG-IR-25-448)
- Original Research: [https://pwner.gg/blog/fortmajeure-fortiweb-auth-bypass/](https://pwner.gg/blog/fortmajeure-fortiweb-auth-bypass/) (link reconstructed from context; verify before citing)
- Researcher Community: [https://x.com/i/communities/1940397978730017049](https://x.com/i/communities/1940397978730017049)