FortiAnalyzer, FortiManager - bypass of client-side password change policy enforcement


An improper handling of insufficient permissions or privileges vulnerability [CWE-280] in FortiAnalyzer and FortiManager may allow an authenticated attacker to bypass the device's forced password-change policy for its own user account. The policy is enforced on the client side only, so a client that does not honour the password-change prompt is not stopped by the device.
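The weakness class above (CWE-280, with policy enforced only by the client) is easiest to see next to its fix. The following is an added, hypothetical illustration written for this page; it is not Fortinet code and the `Account`, `handle_weak`, `handle_hardened` and `simulate` names are my own. The weak handler only sends the client a "change your password" hint and trusts the client's UI to act on it; the hardened handler refuses every other action on the server until the password has actually been changed.

```python
"""Client-side vs server-side enforcement of a forced password change.

Hypothetical illustration (not Fortinet code): an account flagged
must_change_password should be allowed to do nothing but change its
password until it has done so.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    must_change_password: bool = True
    password: str = "initial"


@dataclass
class Response:
    status: int
    body: str
    hints: dict = field(default_factory=dict)


def handle_weak(account, action, new_password=None):
    """Weak pattern: the server merely hints that a password change is due
    and relies on the client's UI to redirect the user."""
    if action == "change_password":
        account.password = new_password
        account.must_change_password = False
        return Response(200, "password changed")
    hints = {"force_password_change": True} if account.must_change_password else {}
    # Any client that ignores the hint is served the requested action anyway.
    return Response(200, f"{action} ok", hints)


def handle_hardened(account, action, new_password=None):
    """Hardened pattern: the server itself gates every other action while the
    flag is set, so the client's behaviour no longer matters."""
    if action == "change_password":
        if not new_password or new_password == account.password:
            return Response(400, "a new password is required")
        account.password = new_password
        account.must_change_password = False
        return Response(200, "password changed")
    if account.must_change_password:
        return Response(403, "password change required before this action")
    return Response(200, f"{action} ok")


def simulate(handler):
    """Constructed scenario: a client that ignores the hint and immediately
    requests another action. Returns the list of HTTP-style status codes seen:
    [direct action, password change, same action after the change]."""
    acct = Account("admin")
    statuses = [handler(acct, "list_devices").status]
    statuses.append(handler(acct, "change_password", "N3w-secret").status)
    statuses.append(handler(acct, "list_devices").status)
    return statuses


if __name__ == "__main__":
    print("weak    :", simulate(handle_weak))      # client-side only: action succeeds
    print("hardened:", simulate(handle_hardened))  # blocked until the password is changed
```

The detection side follows from the same split: with client-side enforcement, the server's logs show a normal successful login followed by normal actions, so there is nothing to alert on; with server-side enforcement, the 403 on the first request is both the control and the audit trail.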

Affected Products

FortiManager version 5.6.0 through 5.6.11
FortiManager version 6.0.0 through 6.0.11
FortiManager version 6.2.0 through 6.2.9
FortiManager version 6.4.0 through 6.4.7
FortiManager version 7.0.0 through 7.0.2

FortiAnalyzer version 5.6.0 through 5.6.11
FortiAnalyzer version 6.0.0 through 6.0.11
FortiAnalyzer version 6.2.0 through 6.2.9
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer version 7.0.0 through 7.0.2

Solutions

Upgrade to FortiAnalyzer version 7.0.3 or above
Upgrade to FortiAnalyzer version 6.4.8 or above

Upgrade to FortiManager version 7.0.3 or above
Upgrade to FortiManager version 6.4.8 or above
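To check an inventory against the affected ranges and fixed releases listed above, here is an added example (not a Fortinet tool). The version ranges and fix versions are copied from this advisory; the helper names, the constructed inventory and the version-string format it parses are my assumptions. For the 5.6, 6.0 and 6.2 branches the advisory names no fixed release in that branch, so the checker points at the lowest fixed train it does list (6.4.8).

```python
"""Check FortiManager / FortiAnalyzer versions against this advisory's ranges.

Added example, not a Fortinet tool. Ranges and fixed versions come from the
advisory text; everything else (names, sample inventory) is constructed.
"""
import re

# (first affected, last affected) per release branch; the advisory lists the
# same ranges for both products.
AFFECTED_RANGES = [
    ((5, 6, 0), (5, 6, 11)),
    ((6, 0, 0), (6, 0, 11)),
    ((6, 2, 0), (6, 2, 9)),
    ((6, 4, 0), (6, 4, 7)),
    ((7, 0, 0), (7, 0, 2)),
]
# Fixed releases named in the advisory, keyed by branch.
FIXED_BY_BRANCH = {(6, 4): (6, 4, 8), (7, 0): (7, 0, 3)}
PRODUCTS = {"FortiManager", "FortiAnalyzer"}


def parse_version(text):
    """Turn strings such as '7.0.1' or 'v6.4.7-build2288' (assumed formats)
    into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(product, version):
    if product not in PRODUCTS:
        raise ValueError(f"advisory does not cover {product!r}")
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(product, version):
    """Fixed version to move to as a dotted string, or None if not affected."""
    if not is_affected(product, version):
        return None
    branch = parse_version(version)[:2]
    # Branches without a listed fix fall back to the lowest fixed train named
    # in the advisory (assumption: 6.4.8 is the nearest supported target).
    fixed = FIXED_BY_BRANCH.get(branch, FIXED_BY_BRANCH[(6, 4)])
    return ".".join(map(str, fixed))


def scan_inventory(records):
    """records: iterable of (host, product, version). Returns a list of
    (host, version, recommended_upgrade) for every affected entry."""
    findings = []
    for host, product, version in records:
        target = recommended_upgrade(product, version)
        if target is not None:
            findings.append((host, version, target))
    return findings


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("fmg-01.example", "FortiManager", "v7.0.2-build0257"),
    ("fmg-02.example", "FortiManager", "7.0.3"),
    ("faz-01.example", "FortiAnalyzer", "6.4.7"),
    ("faz-02.example", "FortiAnalyzer", "6.0.5"),
    ("faz-03.example", "FortiAnalyzer", "6.2.10"),
]

if __name__ == "__main__":
    for host, version, target in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {target} or above")
```

Tuple comparison does the range check, so a version like 6.2.10 (one patch past the last affected 6.2.9) correctly falls outside every range even though it sorts after 6.2.9 as a string would not.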

Acknowledgement

Fortinet is pleased to thank Alaa A. Bukhari for reporting this vulnerability under responsible disclosure.