FortiGuard Labs | FortiGuard Center - IR Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.

Out-of-bounds Write in IPSEC Daemon

An Out-of-bounds Write in FortiOS IPSEC daemon may allow an unauthenticated attacker to perform a denial of service under certains conditions that are outside the control of the attacker. Revised on 2025-02-18 00:00:00

Pervasive SQL injection in DAS component

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests. Revised on 2025-02-18 00:00:00

FortiOS / FortiProxy / FortiPAM / FortiSwitchManager - Format string vulnerability in CLI commands

A use of externally-controlled format string vulnerability [CWE-134] in FortiOS, FortiProxy, FortiPAM & FortiSwitchManager CLI may allow a privileged attacker to execute arbitrary code or commands via specially crafted requests. Revised on 2025-02-12 00:00:00

OpenSSH regreSSHion Attack (CVE-2024-6387)

CVE-2024-6387A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This could lead to remote code execution with root privileges. Revised on 2025-02-12 00:00:00

Authentication bypass in Node.js websocket module and CSF requests

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.Please note that reports show this is being exploited in the wild. Revised on 2025-02-11 00:00:00

Disclosure of Logs of Devices not belonging to the Current ADOM from Log View

An Exposure of Sensitive Information to an Unauthorized Actor [CWE-200] in the Log View component of FortiAnalyzer may allow a local authenticated user with admin privileges to view logs of devices not belonging to the current ADOM Revised on 2025-02-11 00:00:00

Improper Authentication in FortiMonitor Agent

An Improper Authentication vulnerability [CWE-287] for FortiClientMac may allow an unauthenticated attacker with local access to the MacOS device to login without a password as a standard user. Revised on 2025-02-11 00:00:00

Improper access control to FortiSslvpnNamedPipe

An Improper Access Control vulnerability [CWE-284] in FortiClient Windows may allow a local user to escalate their privileges via FortiSSLVPNd service pipe. Revised on 2025-02-11 00:00:00

Insertion of sensitive information into Event log

An insertion of sensitive information into log file vulnerabilities [CWE-532] in FortiAnalyzer and FortiManager eventlog may allow any low privileged user with access to event log section to retrieve certificate private key and encrypted password logged as system log. Revised on 2025-02-11 00:00:00

Multiple Reflected and Stored Cross-Site Scripting

Multiple Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerabilities [CWE-79] in FortiSandbox may allow an authenticated attacker to perform cross-site scripting attack via crafted HTTP requests. Revised on 2025-02-11 00:00:00

Multiple arbitrary file deletion in the CLI

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiManager and FortiAnalyzer CLI may allow any authenticated admin user with diagnose privileges to delete any file on the system. Revised on 2025-02-11 00:00:00

OS Command Injections

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') [CWE-78] in FortiWeb API endpoints may allow an authenticated attacker with admin privileges to execute arbitrary code or commands on the underlying system via crafted requests. Revised on 2025-02-11 00:00:00

OS command injection in external connector

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiAnalyzer, FortiManager, FortiAnalyzer BigData, FortiAnalyzer Cloud and FortiManager Cloud GUI may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted HTTPS or HTTP requests. Revised on 2025-02-11 00:00:00

Off-by-slash vulnerability in Nginx config

An Improper Resolution of Path Equivalence vulnerability [CWE-41] in FortiPortal may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests. Revised on 2025-02-11 00:00:00

Permission escalation due to an Improper Privilege Management

An incorrect privilege assignment vulnerability [CWE-266] in the FortiOS security fabric may allow an authenticated admin whose access profile has the Security Fabric permission to escalate their privileges to super-admin by connecting the targetted FortiGate to a malicious upstream FortiGate they control. Revised on 2025-02-11 00:00:00

Reflected XSS (cross site scripting) in incident page

Multiple Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerabilities [CWE-79] in FortiSIEM incident page may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests. Revised on 2025-02-11 00:00:00

Stack buffer overflow in fabric service

A stack-based buffer overflow [CWE-121] vulnerability in FortiOS CAPWAP control may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted UDP packets, provided the attacker were able to evade FortiOS stack protections and provided the fabric service is running on the exposed interface. Revised on 2025-02-11 00:00:00

Use of Hard-coded Cryptographic Key to encrypt sensitive data

A use of hard-coded cryptographic key to encrypt sensitive data vulnerability [CWE-321] in FortiManager may allow an attacker with JSON API access permissions to decrypt some secrets even if the 'private-data-encryption' setting is enabled. Revised on 2025-02-11 00:00:00

Unchecked boundary length causing multiple logic flaws

An allocation of resources without limits or throttling [CWE-770] vulnerability in FortiOS may allow a remote unauthenticated attacker to prevent access to the GUI via specially crafted requests directed at specific endpoints. Revised on 2025-01-30 00:00:00

Improper access control in backup and restore features

An improper access control vulnerability [`CWE-284]` in FortiWLM MEA for FortiManager may allow an unauthenticated remote attacker to execute arbitrary code or commands via specifically crafted requests.Note that FortiWLM MEA is not installed by default on FortiManager and can be disabled as a workaround. Revised on 2025-01-27 00:00:00