PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

On June 16, 2020, cybersecurity researchers from JSOF published a set of 19 vulnerabilities, dubbed Ripple20 that are impacting...

Jul 30, 2020 Risk IR Number: FG-IR-20-104
An improper authentication vulnerability in FortiMail and FortiVoiceEnterprise may allow a remote unauthenticated attacker to...

Apr 27, 2020 Risk IR Number: FG-IR-20-045
Certificates taken out of service could potentially be improperly re-used. Impact detailFortinet has already taken steps to mitigate...

Jul 19, 2019 Risk IR Number: FG-IR-19-144
FortiWLC included two hardcoded accounts which were used by Meru Access Points to report core dumps; these accounts had read/write...

May 04, 2018 Risk IR Number: FG-IR-17-274
FortiWebManager 5.8.0 fails to check the admin password, granting access regardless the provided string.

Nov 22, 2017 Risk IR Number: FG-IR-17-248
Multiple Remote Code Execution vulnerabilities (CVE-2017-9805, CVE-2017-9804, CVE-2017-9793) are affecting Apache Struts.

Sep 29, 2017 Risk IR Number: FG-IR-17-205
FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller....

Jun 30, 2017 Risk IR Number: FG-IR-17-115
Multiple vulnerabilities impacting FortiPortal were disclosed to Fortinet with details as follows:CVE-2017-7337: Improper Access...

May 15, 2017 Risk IR Number: FG-IR-17-114
FortiWLC comes with a hardcoded account named 'core' which is used by Meru Access Points to send core dumps to the FortiWLC and...

Nov 09, 2016 Risk IR Number: FG-IR-16-065
FortiWLC runs a rsyncd server, historically used for High-Availability purpose. This server comes with a hardcoded account, which...

Sep 30, 2016 Risk IR Number: FG-IR-16-029
An undocumented account used for communication with authorized FortiManager devices exists on some versions of FortiOS, FortiAnalyzer,...

Jan 12, 2016 Risk IR Number: FG-IR-16-001
A remote attacker may access the internal ZebOS shell of FortiOS 5.2.3 without authentication on the HA ("High Availability")...

Jul 24, 2015 Risk IR Number: FG-IR-15-020

Oct 21, 2014 Risk IR Number: FG-IR-14-032

Sep 25, 2014 Risk IR Number: FG-IR-14-030
An information disclosure vulnerability has been discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow...

Apr 08, 2014 Risk IR Number: FG-IR-14-011