FortiGuard Labs | FortiGuard Center - IR Advisories

A fundamental design flaw within the RADIUS protocol has been proven to be exploitable, compromising the integrity in the RADIUS Access-Request process. The attack allows a malicious user to modify packets in a way that would be indistinguishable to a RADIUS client or server. To be successful, the attacker must have the ability to inject themselves between the client and server. Revised on 2025-04-23 00:00:00

A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiClient Windows and FortiClient Linux may permit a local authenticated user to retrieve VPN password via memory dump, due to JavaScript's garbage collector Revised on 2025-04-22 00:00:00

A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice and FortiWeb may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device Revised on 2025-04-22 00:00:00

A use of hard-coded cryptographic key (CWE-321) vulnerability in FortiClient Windows may allow a low-privileged user to decrypt interprocess communication via monitoring named pipe. Revised on 2025-04-16 00:00:00

An Integer Overflow or Wraparound vulnerability [CWE-190] in FortiOS and FortiSASE FortiOS tenant IPsec IKEv1 service may allow an authenticated attacker to crash the IPsec tunnel via crafted requests, resulting in potential denial of service. Revised on 2025-04-11 00:00:00

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb endpoint may allow an authenticated admin to access and modify the filesystem via crafted requests. Revised on 2025-04-08 00:00:00

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in FortiClient may allow the EMS administrator to send messages containing javascript code. Revised on 2025-04-08 00:00:00

An Incorrect User Management vulnerability [CWE-286] in FortiWeb widgets dashboard may allow an authenticated attacker with at least read-only admin permission to perform operations on the dashboard of other administrators via crafted requests. Revised on 2025-04-08 00:00:00

An insufficiently protected credentials [CWE-522] vulnerability in FortiOS may allow a privileged authenticated attacker to retrieve LDAP credentials via modifying the LDAP server IP address in the FortiOS configuration to point to a malicious attacker-controlled server. Revised on 2025-04-08 00:00:00

An Improper Output Neutralization for Logs vulnerability [CWE-117] in FortiManager and FortiAnalyzer may allow an unauthenticated remote attacker to pollute the logs via crafted login requests. Revised on 2025-04-08 00:00:00

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiIsolator may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code via specifically crafted HTTP requests. Revised on 2025-04-08 00:00:00

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiIsolator CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests. Revised on 2025-04-08 00:00:00

An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request. Revised on 2025-04-08 00:00:00

Multiple potential issues, including the use of uninitialized ressources [CWE-908] and excessive iteration [CWE-834] in FortiOS & FortiProxy SSLVPN webmode may allow a VPN user to corrupt memory, potentially leading to code or commands execution via specifically crafted requests. Revised on 2025-04-08 00:00:00

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.Please note that reports show this is being exploited in the wild. Revised on 2025-03-31 00:00:00

An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiMail may allow a remote, unauthenticated attacker to obtain potentially sensitive software-version information by reading a JavaScript file. Revised on 2025-03-28 00:00:00

An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in FortiManager, FortiOS, FortiProxy, FortiRecorder, FortiVoice and FortiWeb may allow a remote authenticated attacker with access to the security fabric interface and port to write arbitrary files and a remote unauthenticated attacker with the same network access to delete an arbitrary folder. Revised on 2025-03-20 00:00:00

A stack-buffer overflow vulnerability [CWE-121] in FortiMail CLI may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI commands. Revised on 2025-03-19 00:00:00

Multiple instances of incorrect calculation of buffer size in FortiMail webmail and administrative interface and FortiNDR administrative interface may allow an authenticated attacker with regular webmail access to trigger a buffer overflow and to possibly execute unauthorized code or commands via specifically crafted HTTP requests. Revised on 2025-03-18 00:00:00

An Out-of-bounds Write in FortiOS IPSEC daemon may allow an unauthenticated attacker to perform a denial of service under certains conditions that are outside the control of the attacker. Revised on 2025-03-13 00:00:00