PSIRT Advisories

The FortiGuard Labs Product Security Incident Response Team (PSIRT) continually test Fortinet hardware and software products, looking for vulnerabilities and weaknesses. Any such findings are fed back to Fortinet's development teams and serious issues are described along with protective solutions in the advisories below.

FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller....

Jun 30, 2017 Risk IR Number: FG-IR-17-115
Multiple vulnerabilities impacting FortiPortal were disclosed to Fortinet with details as follows:CVE-2017-7337: Improper Access...

May 15, 2017 Risk IR Number: FG-IR-17-114
FortiWLC comes with a hardcoded account named 'core' which is used by Meru Access Points to send core dumps to the FortiWLC and...

Nov 09, 2016 Risk IR Number: FG-IR-16-065
FortiWLC runs a rsyncd server, historically used for High-Availability purpose. This server comes with a hardcoded account, which...

Sep 30, 2016 Risk IR Number: FG-IR-16-029
An undocumented account used for communication with authorized FortiManager devices exists on some versions of FortiOS, FortiAnalyzer,...

Jan 12, 2016 Risk IR Number: FG-IR-16-001
A remote attacker may access the internal ZebOS shell of FortiOS 5.2.3 without authentication on the HA ("High Availability")...

Jul 24, 2015 Risk IR Number: FG-IR-15-020

Oct 21, 2014 Risk IR Number: FG-IR-14-032

Sep 25, 2014 Risk IR Number: FG-IR-14-030
An information disclosure vulnerability has been discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow...

Apr 08, 2014 Risk IR Number: FG-IR-14-011
A platform-specific remote access vulnerability has been discovered that may allow a remote user to gain privileged access to...

Apr 02, 2014 Risk IR Number: FG-IR-14-010
Under certain conditions, FortiClient VPN may be susceptible to a certificate validation vulnerability which would allow an attacker...

May 13, 2013 Risk IR Number: FG-IR-13-008