PSIRT Advisories

FortiOS - Improper Inter-VDOM access control

Summary

An improper access control vulnerability [CWE-284] in FortiOS may allow an authenticated attacker with a restricted user profile to gather sensitive information and modify the SSL-VPN tunnel status of other VDOMs using specific CLI commands.

Affected Products

FortiGate version 7.0.3 and below.
FortiGate version 6.4.8 and below.

Solutions

Please upgrade to FortiGate version 7.0.4 or above.
Please upgrade to FortiGate version 6.4.9 or above.

Acknowledgement

Fortinet is pleased to thank Alexis La Goutte for reporting this vulnerability under responsible disclosure.