Use of hardcoded credentials for communication between Meru access points and FortiWLC


FortiWLC included two hardcoded accounts which were used by Meru Access Points to report core dumps; these accounts had read/write privileges over various parts of the system. Starting with FortiWLC 7.0.13 and FortiWLC 8.4.0, the accounts are now completely removed and do not persist over firmware upgrade.

Affected Products

* FortiWLC 7.0.11 and lower in the 7.x branch
* FortiWLC 8.3.3 and lower in the 8.x branch


* FortiWLC 7.x installations must be upgraded to FortiWLC 7.0.13 or higher * FortiWLC 8.x installations must be upgraded to FortiWLC 8.4.0 or higher


Fortinet is pleased to thank University of Toronto for reporting this vulnerability under responsible disclosure.