The Vulnerability Sitting in Front of Government Websites
In early August, in a sublet apartment on the eighth floor of a high-rise in central Tel Aviv, Aviv Yahav, a vulnerability researcher, opened a debugger and watched a memory address filled with zeros where it should have held a cryptographic secret. The affected system was a Fortinet FortiWeb appliance, a web application firewall deployed by thousands of organizations across the public and private sectors. The missing bytes were the secret used to derive session keys for authenticated user sessions. The bytes that were there were zeros, and anyone aware of this flaw could forge an authentication cookie for any account on the appliance, including the administrative account.
Yahav, who publishes under the handle 0x_shaq on the blog pwner.gg, spent the next several days writing a four-thousand-word technical analysis of the vulnerability. He filed a coordinated disclosure to Fortinet's product-security team and held publication until patches shipped.
On August 13, he posted the write-up. Within a day, the U.S. National Vulnerability Database had linked to his analysis as a third-party advisory for CVE-2025-52970, which Yahav named FortMajeure. Within a week, CISA's August 18 vulnerability bulletin listed the flaw as High severity, with a CVSS score of 7.7. Fortinet's Product Security Incident Response Team thanked Yahav by name and handle in its advisory FG-IR-25-448.
For much of the past decade, enterprise network defense has operated on the assumption that the perimeter sits behind a security appliance. Organizations deploy web application firewalls, next-generation firewalls, secure web gateways, intrusion-detection systems, and secure-access service-edge platforms to inspect, filter, and authenticate traffic before it reaches the applications underneath. Industry analysts put annual enterprise network-security spending in the tens of billions of dollars. The category has also become a recurring source of vulnerabilities itself. Through a long string of disclosures across Fortinet, Citrix, Ivanti, F5, and Palo Alto Networks, researchers have documented the same pattern. The same appliance designed to block attackers from the public internet is itself reachable from the public internet, and vulnerabilities in the appliance provide attackers with access that the appliance was sold to prevent.
The FortMajeure disclosure was the second serious pre-authentication vulnerability Yahav had surfaced in the same Fortinet product inside a four-week window. The earlier vulnerability, CVE-2025-25257, was a pre-auth memory-corruption flaw that granted unauthenticated remote code execution on affected versions of FortiWeb. Yahav analyzed it publicly in July under the alias he was using at the time. Two serious pre-authentication vulnerabilities affecting the same FortiWeb code area, both disclosed by the same independent researcher within four weeks, have raised a familiar question in security circles: how much scrutiny are the products that sit at the perimeter receiving before they ship? Fortinet has not publicly addressed those broader questions and did not respond to a request for comment.
What distinguishes the disclosure from most CVE reporting is the depth of the public analysis. The pwner.gg write-up walks through the code path step by step, includes a working proof-of-concept exploit, lists the affected version ranges, and recommends detection signatures defenders can apply before patches reach production. The level of detail is closer to a Black Hat conference paper than to the brief technical summary that typically accompanies a CVE. That depth is what made the disclosure spread quickly across the cybersecurity community. Tenable, the $3.6 billion exposure-management platform, cited the write-up in its customer advisory on August 14. The SANS Internet Storm Center podcast dedicated a six-minute segment to the issue on August 15. BleepingComputer, SecurityWeek, Hackaday, Help Net Security, and the cybersecurity YouTube channel LowLevelTV, which has more than a million subscribers, ran independent coverage through the week that followed.
Yahav has been doing this kind of work since he was a teenager. By 2018, bug-bounty Hall-of-Fame entries from AT&T, Sony, Rockstar Games, AOL.com, and Deutsche Telekom included his name. He has been credited with CVE-2020-7067 against the Zend Engine, the PHP runtime that powers more than half of the world's websites, and CVE-2022-24735 against Redis, the in-memory data store used at the back of a substantial fraction of large web applications. Around the time of the Redis disclosure, he released an open-source Firebase configuration auditing tool that has since been adopted by independent developers and security teams looking to surface misconfigured rules in production deployments. He is also a co-creator of GraphQL Armor, an open-source middleware that protects GraphQL endpoints against the class of query-complexity attacks that have plagued the protocol's enterprise rollouts. A recurring theme in Yahav's work is his focus on foundational internet infrastructure that many organizations assume has already been thoroughly audited.
Yahav later dropped out of college. In conference talks, he has argued that academic cybersecurity programs struggle to keep pace with rapidly changing attack surfaces. He has repeatedly argued that vulnerability research evolves faster through active reverse engineering than through traditional academic curricula.
The bigger pattern, beyond Fortinet, is one that defenders have been less willing to discuss in public. FortiWeb is, per Fortinet's own customer list, deployed in front of state-government employment systems, treasurer's offices, municipal websites, and a long catalog of enterprise customers across financial services and healthcare. A vulnerability in FortiWeb effectively becomes a vulnerability sitting in front of every application the organization bought FortiWeb to defend. The implications are uncomfortable for chief information security officers. The security appliance, in any organization where it is the load-bearing layer of a public-facing application's defense, is also a single point of failure for that application's exposure. The risk is familiar to defenders, but the deployment pattern has barely changed: vendors keep shipping internet-facing security appliances, customers keep placing them in front of sensitive applications, and researchers keep finding ways through them.
The pwner.gg write-up ends with a one-line acknowledgment of Fortinet's vendor security team, which reviewed the report, validated the bug, and issued patches before public disclosure. That is what coordinated vulnerability disclosure is supposed to look like. In practice, however, that level of coordination is less common than the industry often suggests. In this case, it worked. The patches for affected FortiWeb versions are now available. Whether the broader public-sector deployments Fortinet has named on its own customer page get patched quickly is the part defenders are watching.