Saved February 14, 2026
Do you care about this?
A zero-day vulnerability affecting Fortinet devices has been identified, allowing attackers to create admin-level user accounts through a specific HTTP POST request. The exploit targets FortiWeb versions below 8.0.2, and multiple source IPs and credential combinations have been linked to the attack. Users should investigate their devices, especially if management interfaces are exposed.
If you do, here's more
A new zero-day vulnerability affecting Fortinet devices has emerged, rooted in a path traversal issue. The flaw allows attackers to exploit an API endpoint, potentially creating unauthorized admin accounts on affected systems. The payload is sent as an HTTP POST request to the endpoint `/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi`. The vulnerability is being actively exploited, and various indicators of compromise (IOCs) have already been identified, including specific usernames and passwords as well as several IP addresses associated with malicious activity.
The vulnerability primarily impacts versions of FortiWeb below 8.0.2. Reports indicate that the API endpoint in question is unique to FortiWeb, distinguishing it from FortiGate, which uses a different versioning scheme. Shodan scans reveal lower exposure for FortiWeb than for FortiGate, suggesting a smaller attack surface that still warrants caution. The payload has been observed in the wild, prompting concern and the need for immediate investigation by affected users.
watchTowr has demonstrated the exploit, showing a failed login followed by a successful one when the payload is executed. Users with exposed management interfaces on their Fortinet devices are advised to take action to secure their systems. The report emphasizes the importance of intel sharing among security professionals to combat these threats effectively.
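For the investigation the article recommends, the following is an added detection example, not code from the original report or from Fortinet. It flags POST requests that enter under `/api/` but resolve through `..` segments to `/cgi-bin/fwbcgi`, including percent-encoded variants. Assumptions: the access log is in Combined Log Format from a proxy in front of the management interface, and all function names and sample lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed log source: Combined Log Format from a proxy in front of the management UI.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
CGI_TARGET = "/cgi-bin/fwbcgi"

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded variants (%252e) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal_to_fwbcgi(method, target):
    """True when a POST enters under /api/ but resolves to /cgi-bin/fwbcgi."""
    if method != "POST":
        return False
    # A literal '?' starts the query; the payload hides its '?' as %3F so the
    # traversal stays in the path. Drop any real query before decoding.
    decoded = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    if not decoded.lower().startswith("/api/") or ".." not in decoded.split("/"):
        return False
    # Resolving the '..' segments shows where the request really lands.
    return posixpath.normpath(decoded).lower() == CGI_TARGET

def scan(lines):
    """Return (source_ip, status, raw_target) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_to_fwbcgi(m["method"], m["target"]):
            hits.append((m["ip"], m["status"], m["target"]))
    return hits

# Constructed sample lines (documentation-range IPs), not real telemetry.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Feb/2026:10:00:01 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 120',
    '198.51.100.7 - - [14/Feb/2026:10:00:05 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 88',
    '198.51.100.8 - - [14/Feb/2026:10:00:09 +0000] "POST /api/v2.0/cmdb/system/admin%3f/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 200 88',
    '203.0.113.4 - - [14/Feb/2026:10:00:12 +0000] "POST /api/v2.0/user/login HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for ip, status, target in scan(SAMPLE_LOG):
        print(f"ALERT src={ip} status={status} target={target}")
```

A hit with a success status is a reason to review the device's administrator accounts for entries nobody on the team created.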