CVE-2025-52970

Tags: HIGH · EXPLOITED · NUCLEI

Fortinet FortiWeb <7.6.3 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2025-52970 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Hex00-0x4, 34zY, imbas007. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-52970, demonstrating an authentication bypass in FortiWeb via SQL injection, leading to remote code execution (RCE) through webshell upload and command execution via HTTP headers.

Description

An improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and versions 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.

Exploits (3)

nomisec · WORKING POC · 9 stars
by Hex00-0x4 · poc
https://github.com/Hex00-0x4/FortiWeb-CVE-2025-52970-Authentication-Bypass

This repository contains a functional exploit for CVE-2025-52970, demonstrating an authentication bypass in FortiWeb via SQL injection, leading to remote code execution (RCE) through webshell upload and command execution via HTTP headers.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FortiWeb (specific version not specified)
Authentication: none needed
Prerequisites: Access to the vulnerable FortiWeb endpoint · Python environment with required libraries (requests, urllib3)
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 8 stars
by 34zY · remote
https://github.com/34zY/CVE-2025-52970

This repository contains a functional exploit for CVE-2025-52970, demonstrating an authentication bypass leading to remote code execution (RCE) on Fortinet FortiWeb. The exploit leverages SQL injection via a vulnerable API endpoint to upload a webshell and achieve command execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiWeb
Authentication: none needed
Prerequisites: Network access to the target FortiWeb instance · Vulnerable version of FortiWeb
Analyzed by devstral-2 on Feb 18, 2026
github · WORKING POC
by imbas007 · python · remote
https://github.com/imbas007/POC-CVE-2025-52970

This repository contains a functional exploit for CVE-2025-52970, demonstrating an SQL injection vulnerability in FortiWeb that leads to remote code execution (RCE). The exploit chains SQL injection to upload a webshell and execute arbitrary commands.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FortiWeb (version not specified)
Authentication: none needed
Prerequisites: Network access to the target FortiWeb instance
Analyzed by devstral-2 on Feb 19, 2026

Nuclei Templates (1)

Fortinet FortiWeb - Authentication Bypass to Admin Privilege
HIGH · VERIFIED · by Sourabh-Sahu
Shodan: http.title:"FortiWeb" || http.title:"Fortinet"
FOFA: app="Fortinet-FortiWeb"

Scores

CVSS v3 8.1
EPSS 0.3051
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-09-04
CWE
CWE-233
Status published
Products (1)
fortinet/fortiweb 7.0.0 - 7.0.11
Published Aug 12, 2025
Tracked Since Feb 18, 2026