A relative path traversal vulnerability (CWE-23) in FortiWAN may allow a remote non-authenticated attacker to delete files on the system by sending a crafted POST request. In particular, deleting specific configuration files will reset the Admin password to its default value.
Affected ProductsFortiWAN versions 4.5.7 and below.
Please upgrade to FortiWAN upcoming version 4.5.8 or above. Please upgrade to FortiWAN version 5.1.1 or above. Workaround: Instead of allowing administrative access from any source, restrict it to trusted internal hosts.