PSIRT Advisories

FortiWLM upgrade user account hard-coded credentials


FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. An attacker who obtains the upgrade account credentials could transfer files to any attached or previously attached controller as an admin user, which could lead to further security issues.

Affected Products

FortiWLM version 8.3.0 and lower.


Upgrade to FortiWLM version 8.3.1


Fortinet is pleased to thank Adam Piekarzewski, University of Toronto, for reporting this vulnerability under responsible disclosure.