[FortiManager] A restricted admin can access SD-WAN ORCHESTRATOR panel

Summary

An improper access control vulnerability [CWE-284] in FortiManager may allow an authenticated attacker with a restricted user profile to access the SD-WAN Orchestrator panel by visiting its URL directly.
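The weakness class described above (a panel that is hidden from a restricted profile's menu but still served when its URL is requested directly) is addressed by authorizing every request on the server against the caller's profile, not by filtering the navigation. The following is an added, illustrative example of that defensive pattern; it is not FortiManager code, and the profile names, permission strings and paths it uses are hypothetical.

```python
"""Server-side authorization for a management panel route.

Illustrative example accompanying the advisory; not FortiManager code.
Profile names, permission strings and paths are hypothetical. It shows the
difference between UI-only filtering (menu_items) and an enforced
server-side check (authorize_request) that runs on every request, so a
restricted profile is denied regardless of how it reached the URL.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AdminProfile:
    """An admin profile with the permissions granted to it (hypothetical)."""
    name: str
    permissions: frozenset = field(default_factory=frozenset)


# Hypothetical route -> required permission table. Routes not listed here
# are denied by default (fail closed) instead of being served unchecked.
ROUTE_PERMISSIONS = {
    "/p/sdwan-orchestrator": "sdwan_orchestrator.read",
    "/p/device-manager": "device_manager.read",
}


def menu_items(profile: AdminProfile) -> list:
    """UI-only filtering: the links this profile sees in the navigation.

    This is where an insufficient implementation stops. Hiding a link does
    not stop a request to the underlying URL.
    """
    return [
        route
        for route, perm in ROUTE_PERMISSIONS.items()
        if perm in profile.permissions
    ]


def authorize_request(profile: AdminProfile, path: str) -> int:
    """Server-side check run on every request; returns an HTTP status code.

    200 when the profile holds the route's required permission,
    403 when the route exists but the profile lacks the permission,
    404 when the route is unknown (deny by default).
    """
    required = ROUTE_PERMISSIONS.get(path)
    if required is None:
        return 404
    if required not in profile.permissions:
        return 403
    return 200


def audit_line(profile: AdminProfile, path: str, status: int) -> str:
    """Structured audit record for the decision, useful for alerting on
    repeated 403s from restricted profiles (constructed format)."""
    outcome = "allow" if status == 200 else "deny"
    return f"authz profile={profile.name} path={path} status={status} outcome={outcome}"


if __name__ == "__main__":
    restricted = AdminProfile("restricted", frozenset({"device_manager.read"}))
    for path in ROUTE_PERMISSIONS:
        print(audit_line(restricted, path, authorize_request(restricted, path)))
```

The point of the two functions side by side is that `menu_items` alone reproduces the flaw the advisory describes: the restricted profile never sees the link, yet a direct request would succeed unless `authorize_request` (or an equivalent check) is applied to the route itself.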

Affected Products

FortiManager versions 6.4.0 to 6.4.3.
FortiManager versions 6.2 and below are NOT impacted.

Solutions

Please upgrade to FortiManager version 6.4.4 or above.
Please upgrade to FortiManager version 7.0.0 or above.

Acknowledgement

Fortinet is pleased to thank Danilo Costa from Sigma Telecom for reporting this issue under responsible disclosure.

Timeline

2021-08-03: Initial publication