FortiWeb
emete_FTNT
Staff
Article Id 419648
Description

This article outlines the recommended steps to be executed when a FortiWeb appliance is suspected or confirmed to have been compromised due to a vulnerability or post-exploit persistence mechanism. It covers the actions required to contain the incident, assess the compromise, restore trust in the device, and securely rebuild its configuration. The guidance reflects the assumption that malicious actors may have gained access to, altered, or persistently embedded themselves into the device’s configuration or file system.

Scope
All FortiWeb VM & Hardware Devices
Solution

The recommended mitigation steps for compromised FortiWeb VM and hardware devices are listed below:

  1. Isolate the device to prevent active exploitation.
  2. Back up the configuration (System -> Maintenance -> Backup & Restore, or the CLI config) and the log files, including event logs and debug files (System -> Maintenance -> Debug). If the 'Debug' option is not visible, first enable it under System -> Config -> Feature Visibility.
  3. If Threat Analytics is enabled, disable it before proceeding:

config system global
    set threat-analytics disable
end

  4. Take a snapshot of the VM before shutting it down. Deploy a fresh VM running the same firmware version as the available configuration backup file.
  5. For hardware models, follow the Clean Install procedure.
  6. Before restoring the configuration, review it to ensure no attacker modifications, such as malicious admin accounts or policies, are in place. Restore only from a known clean backup config.
  7. Restore the configuration (System -> Maintenance -> Backup & Restore) and then upgrade immediately to the latest patch of the active branch. If applicable, check the recommendations for the relevant vulnerabilities in the FortiGuard PSIRT Advisories.
  8. Hardening after the upgrade:
  • Verify all users. Remove any unauthorized accounts.
  • Reset all admin passwords, and also reset every configured password used for backup/restore and in other locations.
  • If a User/PKI User is configured, delete and renew the certificates.
  • If any User/Remote Server is configured (such as LDAP, RADIUS, TACACS, or reCAPTCHA), reset the associated passwords and also delete and renew the certificates.
  • Remove all SSH keys configured under 'config system admin', and renew them if any are still required.
  • Enable Trusted Hosts for all admin accounts (limit access to management IPs).
  • Reapply the valid license (allow a gap of at least 90 minutes if reusing the same license).
  • Do not use the Fortinet factory default certificate, and renew any SSL certificates that may have been exposed.
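The 'review the configuration before restoring' step and the admin-account hardening items above can be partly automated against the CLI backup. The following is an added example, not code from this article or from Fortinet: it parses the 'config system admin' section of a backup and flags accounts that are not on an approved list, lack a restrictive trusted host, or carry an SSH public key. The sample stanza is constructed, and the field names trusthost1 and ssh-public-key1 are assumptions to verify against your own backup.

```python
# Constructed sample: a FortiWeb-style 'config system admin' stanza as it
# appears in a CLI backup. Field names (trusthost1, ssh-public-key1) are
# assumed; confirm them against a real backup before relying on this check.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set access-profile prof_admin
        set trusthost1 10.0.0.0/24
    next
    edit "svc_backup"
        set access-profile prof_admin
        set trusthost1 0.0.0.0/0
        set ssh-public-key1 "ssh-rsa AAAAB3...constructed"
    next
end
"""

def parse_admins(config_text):
    """Return {name: {field: value}} for each 'edit' block under 'config system admin'."""
    admins, current, inside = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("edit "):
            current = line[5:].strip('"')
            admins[current] = {}
        elif inside and current and line.startswith("set "):
            field, _, value = line[4:].partition(" ")
            admins[current][field] = value.strip('"')
        elif inside and line == "next":
            current = None
    return admins

def review_admins(config_text, approved):
    """Flag admin accounts a post-compromise review should examine before restore."""
    findings = []
    for name, fields in parse_admins(config_text).items():
        if name not in approved:
            findings.append((name, "not in approved admin list"))
        hosts = [v for k, v in fields.items() if k.startswith("trusthost")]
        if not hosts or any(h in ("0.0.0.0/0", "0.0.0.0 0.0.0.0") for h in hosts):
            findings.append((name, "no restrictive trusted host"))
        if any(k.startswith("ssh-public-key") for k in fields):
            findings.append((name, "SSH public key present; remove and renew"))
    return findings
```

Run review_admins(SAMPLE_CONFIG, {"admin"}) to see the three findings raised for the unapproved 'svc_backup' account.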