PSIRT Advisories

FortiADC -- Read-Only user able to modify system files

Summary

An improper privilege management vulnerability [CWE-269] in FortiADC may allow a remote authenticated attacker with restricted user profile to modify the system files using the shell access.

Affected Products

FortiADC version 6.2.1 and below.
FortiADC version 6.1.5 and below.
FortiADC version 6.0.4 and below.
FortiADC version 5.4.5 and below.
FortiADC version 5.3.7 and below.

Solutions

Please upgrade to FortiADC version 6.2.2 or above.
Please upgrade to FortiADC version 7.0.0 or above.

Acknowledgement

Fortinet is pleased to thank Danilo Costa from Conviso Application Security for reporting this vulnerability under responsible disclosure.