FortiNAC - Unauthenticated access to administrative operations

Summary

An improper authorization vulnerability [CWE-285] in FortiNAC may allow an unauthenticated attacker to perform some administrative operations on the FortiNAC instance via crafted HTTP POST requests.

Affected Products

FortiNAC version 9.4.0 through 9.4.1

FortiNAC version 9.2.0 through 9.2.6

Solutions

Please upgrade to FortiNAC-F version 7.2.0 or above
Please upgrade to FortiNAC version 9.4.2 or above
Please upgrade to FortiNAC version 9.2.7 or above

Acknowledgement

Internally discovered and reported by Théo Leleu of the Fortinet Product Security team.