FortiAuthenticator - "Mandatory password and OTP" setting not enforcing OTP on unimported remote users

Summary

An incorrect implementation of authentication algorithm vulnerability [CWE-303] in FortiAuthenticator may allow an user whose LDAP account is unimported to bypass the second factor of authentication via a RADIUS login portal.

Version Affected Solution
FortiAuthenticator 6.4 6.4.0 Upgrade to 6.4.1 or above

Acknowledgement

Fortinet is pleased to thank Gerard Gerritsen from Municipality of Ede for reporting this vulnerability under responsible disclosure.