FortiWebManager allow any/blank password for admin login though password is configured

Summary

FortiWebManager 5.8.0 fails to check the admin password, granting access regardless the provided string.

Affected Products

Only FortiWebManager 5.8.0 is affected.

Solutions

Users on FortiWebManager 5.8.0 must upgrade to 5.8.1.

Acknowledgement

Fortinet is pleased to thank Abdulaziz Alrushaid of Saudi Aramco for reporting this vulnerability under responsible disclosure.