FortiManager & FortiAnalyzer - Improper validation of dispatcher socket parameters


A server-side request forgery (SSRF) (CWE-918) vulnerability in the FortiManager and FortiAnalyzer GUI may allow a remote and authenticated attacker to access unauthorized files and services on the system via specifically crafted web requests.

Affected Products

FortiManager versions 7.0.0
FortiManager versions 6.4.5 and below.
FortiManager versions 6.2.7 and below.
FortiManager versions 6.0.x
FortiManager versions 5.6.x

FortiAnalyzer versions 7.0.0
FortiAnalyzer versions 6.4.5 and below.
FortiAnalyzer versions 6.2.7 and below.
FortiAnalyzer versions 6.0.x
FortiAnalyzer versions 5.6.x


Please upgrade to FortiManager 7.0.1 or above.

Please upgrade to FortiManager 6.4.6 or above.

Please upgrade to FortiManager 6.2.8 or above.


Please upgrade to FortiAnalyzer 7.0.1 or above.

Please upgrade to FortiAnalyzer 6.4.6 or above.

Please upgrade to FortiAnalyzer 6.2.8 or above.
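As an added example (not Fortinet's code), the following Python classifies an inventoried FortiManager or FortiAnalyzer build against the affected ranges and fixed releases listed above, for use in an asset sweep; it assumes three-part "major.minor.patch" version strings and treats the 6.0.x and 5.6.x branches as affected with no fixed release named in this advisory.

```python
# Added example (not Fortinet's code): classify a FortiManager/FortiAnalyzer
# build against the version ranges stated in this advisory.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed release per affected branch, as the advisory states it. None marks a
# branch the advisory lists as affected without naming a fixed release.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Optional[Version]] = {
    (7, 0): (7, 0, 1),
    (6, 4): (6, 4, 6),
    (6, 2): (6, 2, 8),
    (6, 0): None,
    (5, 6): None,
}
COVERED_PRODUCTS = ("FortiManager", "FortiAnalyzer")


def parse_version(text: str) -> Version:
    """Turn '6.4.5' (optionally with a leading 'v') into a comparable tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(product: str, version: str) -> Dict[str, object]:
    """Return whether a build is in an affected range and what to upgrade to."""
    result: Dict[str, object] = {
        "product": product, "version": version,
        "affected": False, "upgrade_to": None, "reason": "",
    }
    if product not in COVERED_PRODUCTS:
        result["reason"] = "product not covered by this advisory"
        return result
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_BY_BRANCH:
        result["reason"] = "branch not listed in this advisory"
        return result
    fixed = FIXED_BY_BRANCH[branch]
    if fixed is None:
        # 6.0.x and 5.6.x: every build on the branch is listed as affected.
        result.update(affected=True, reason="affected branch, no fixed release listed")
    elif v < fixed:
        result.update(affected=True, upgrade_to="%d.%d.%d" % fixed,
                      reason="below the fixed release for this branch")
    else:
        result["reason"] = "at or above the fixed release for this branch"
    return result
```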


Fortinet is pleased to thank Clément Amic, Pierre Milioni and Adrien Peter from Synacktiv for reporting this vulnerability under responsible disclosure.