Fortinet Connect admin able to gain root access

Summary

A web UI administrator may create a new theme that executes arbitrary code on the system.

Affected Products

Fortinet Connect 14.2, 14.10, 15.10 and 16.7

Solutions

A patch is available for the following Fortinet Connect versions:

* 16.7.0.1
* 15.10.0.3
* 14.10.0.5
* 14.2.0.12

Please contact Fortinet TAC support to obtain access to the patches.

Acknowledgement

Fortinet is pleased to thank Spencer Lowe for reporting this vulnerability under responsible disclosure.