
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Monday, November 17th, 2025: New(isch) Fortiweb Vulnerability; Finger and ClickFix
Nov 17, 2025
Fortinet recently admitted to a critical vulnerability in FortiWeb after exploit attempts were discovered. The podcast dives into how attackers use directory traversal and JSON impersonation to access admin functions. It also covers the emerging ClickFix attacks, where users are tricked into running malicious PowerShell code that bypasses security measures. Additionally, learn how attackers leverage the finger.exe binary to retrieve payloads, and why monitoring network traffic matters for detecting such threats.
Silent Patch Created Risk Window
- Fortinet patched a critical FortiWeb flaw weeks before disclosing it, creating an information gap that hindered detection and response.
- The vulnerability let attackers impersonate arbitrary users via fwbcgi directory traversal, enabling admin access.
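One defender-side check this snip suggests, written as an added example (not code from the podcast or from Fortinet): scan web access logs for requests that use directory traversal, in plain, percent-encoded or double-encoded form, and resolve to a path containing the fwbcgi CGI name. The log lines, the path prefixes and the `fwbcgi` target string are constructed assumptions for illustration; the real request format and log layout of a given appliance may differ.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the podcast or any real device).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Nov/2025:08:01:12 +0000] "GET /api/v2.0/status HTTP/1.1" 200 512
203.0.113.9 - - [17/Nov/2025:08:02:44 +0000] "POST /api/v2.0/cmdb/../../../cgi-bin/fwbcgi HTTP/1.1" 200 88
203.0.113.9 - - [17/Nov/2025:08:02:50 +0000] "POST /api/v2.0/cmdb/%2e%2e/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 200 88
203.0.113.7 - - [17/Nov/2025:08:03:01 +0000] "GET /img/%252e%252e/%252e%252e/cgi-bin/fwbcgi HTTP/1.1" 404 0
203.0.113.5 - - [17/Nov/2025:08:04:30 +0000] "GET /cgi-bin/fwbcgi HTTP/1.1" 403 0
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
TARGET = "fwbcgi"  # assumed: the CGI name the podcast says was reached via traversal

def normalize(path: str) -> tuple[str, bool]:
    """Percent-decode (up to twice, to catch double encoding), drop the query
    string, and collapse '..' segments. Returns (resolved path, traversal seen)."""
    decoded = path
    for _ in range(2):
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    decoded = decoded.split("?", 1)[0]
    segments, traversed = [], False
    for seg in decoded.split("/"):
        if seg == "..":
            traversed = True
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments), traversed

def find_traversal_to_target(log_text: str, target: str = TARGET) -> list[dict]:
    """One finding per request whose path contains a traversal segment (in any
    encoding) and resolves to a location containing `target`."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        resolved, traversed = normalize(m["path"])
        if traversed and target in resolved:
            findings.append({"src": line.split()[0], "method": m["method"],
                             "raw": m["path"], "resolved": resolved})
    return findings

if __name__ == "__main__":
    for f in find_traversal_to_target(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} {f['raw']} -> {f['resolved']}")
```

A direct `/cgi-bin/fwbcgi` request without traversal is deliberately not flagged here; whether that path should be reachable at all is a separate exposure question.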
Honeypots Caught FortiWeb Exploits
- Didier observed active exploitation of the FortiWeb flaw in his honeypots and published attack samples.
- Those honeypot logs confirmed the vulnerability was being scanned and weaponized in the wild.
Assume Compromise And Investigate
- Assume compromise if your FortiWeb admin interface was exposed and you did not apply the upgrade as soon as it was available.
- Don't just patch; investigate for added users and dumped credentials, and rotate credentials after recovery.
