Active Exploitation Attempts Detected Against FortiWeb Vulnerability (CVE-2025-52970)

FortiWeb, a widely-used web application firewall (WAF) developed by Fortinet, has been identified with a critical vulnerability tracked as CVE-2025-52970. While a technical exploitation document exists, there is no publicly available proof-of-concept (POC) at this time. However, reports indicate that an individual has successfully reverse-engineered the document and is actively attempting to exploit the vulnerability. This situation is concerning as it suggests that attackers are already trying to exploit this vulnerability despite the absence of a public POC. The exploitation attempts have been observed on three separate FortiWeb honeypots managed by the reporter. The attacks originate from the IP address 103.172.81.140, which is linked to NEXET LIMITED. The attack pattern involves specific GET requests with identical payloads, indicating a consistent exploitation method. The vulnerability in FortiWeb could potentially enable attackers to bypass security controls, access sensitive data, or even gain control of the protected web applications. Given that FortiWeb is designed to defend against such attacks, a vulnerability in the WAF itself is particularly troubling. The active exploitation attempts of this vulnerability underscore the urgency for organizations to address this issue promptly. The discovery and active exploitation attempts of this vulnerability highlight the ongoing challenges in securing web applications. WAFs are crucial components of web application security, and vulnerabilities in these systems can have significant consequences. This incident serves as a reminder of the importance of timely patching and the need for robust security measures beyond perimeter defenses. Organizations using FortiWeb should immediately check for updates or patches from Fortinet to address this vulnerability. If no patch is available, consider implementing temporary mitigations such as blocking the IP address 103.172.81.140. Enhance monitoring and detection capabilities to identify any unusual activity or exploitation attempts. Given that the payload is consistent, it may be possible to create specific detection rules. While WAFs are essential, they should not be the sole line of defense. Implementing a defense-in-depth strategy, including regular vulnerability assessments, intrusion detection systems, and robust access controls, can help mitigate the impact of such vulnerabilities. Stay in close contact with Fortinet for updates and guidance on mitigating this vulnerability. Vendors often provide workarounds or temporary fixes until a permanent patch is available. In conclusion, the active exploitation attempts against CVE-2025-52970 in FortiWeb are a significant concern for organizations relying on this WAF. Immediate action is required to mitigate the risk, and a comprehensive security strategy should be employed to protect against such vulnerabilities in the future.