Improper access control in backup and restore features
Summary
An improper access control vulnerability [CWE-284] in FortiWLM MEA for FortiManager may allow an unauthenticated remote attacker to execute arbitrary code or commands via specifically crafted requests.
Note that FortiWLM MEA is not installed by default on FortiManager and can be disabled as a workaround.
Affected Products
FortiManager version 7.4.0
FortiManager version 7.2.0 through 7.2.3
FortiManager version 7.0.0 through 7.0.10
FortiManager version 6.4.0 through 6.4.13
FortiManager 6.2 all versions
Solutions
Please upgrade to FortiManager version 7.4.1 or above
Please upgrade to FortiManager version 7.2.4 or above
Please upgrade to FortiManager version 7.0.11 or above
Please upgrade to FortiManager version 6.4.14 or above
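The affected and fixed version lists above can be turned into a triage check for an inventory of FortiManager builds. The following is an added example written for this page, not Fortinet's own tooling: the version ranges are transcribed from the Affected Products and Solutions lists, the inventory is constructed sample data, and the mea_installed flag is supplied by the operator because the script has no way to detect whether FortiWLM MEA is present on a given appliance. Note that no fixed release is listed for the 6.2 branch, so the script reports it as affected with no fix version.

```python
"""Triage FortiManager versions against the ranges listed in this advisory.

Added example (not Fortinet code). Ranges are transcribed from the advisory;
whether FortiWLM MEA is installed is an input the operator must provide.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (branch, first affected, last affected, first fixed release).
# last=None means every build of that branch is affected and the advisory
# names no fixed release for it (the 6.2 case).
AFFECTED_BRANCHES = [
    ((7, 4), (7, 4, 0), (7, 4, 0), "7.4.1"),
    ((7, 2), (7, 2, 0), (7, 2, 3), "7.2.4"),
    ((7, 0), (7, 0, 0), (7, 0, 10), "7.0.11"),
    ((6, 4), (6, 4, 0), (6, 4, 13), "6.4.14"),
    ((6, 2), None, None, None),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' (optional leading 'v') into a comparable tuple.

    A missing patch component is treated as 0; anything else is rejected so a
    typo in an inventory file fails loudly instead of being silently skipped.
    """
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiManager version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str, mea_installed: bool) -> Dict[str, Optional[str]]:
    """Classify one FortiManager build against the advisory.

    status values:
      'vulnerable' - affected build and FortiWLM MEA is installed
      'mitigated'  - affected build, but MEA is not installed or has been disabled
      'fixed'      - build is at or above the listed fixed release for its branch
      'not_listed' - branch or build is not named in the advisory at all
    fixed_in is the first fixed release for the branch, or None if none is listed.
    """
    v = parse_version(version)
    for branch, first, last, fixed in AFFECTED_BRANCHES:
        if v[:2] != branch:
            continue
        in_range = last is None or first <= v <= last
        if not in_range:
            return {"status": "fixed", "fixed_in": fixed}
        return {
            "status": "vulnerable" if mea_installed else "mitigated",
            "fixed_in": fixed,
        }
    return {"status": "not_listed", "fixed_in": None}


def triage(inventory: List[Dict[str, object]]) -> List[Dict[str, Optional[str]]]:
    """Run assess() over a list of {'host', 'version', 'mea_installed'} records."""
    results = []
    for item in inventory:
        verdict = assess(str(item["version"]), bool(item["mea_installed"]))
        results.append({"host": str(item["host"]), **verdict})
    return results


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; hostnames are fictitious.
    sample = [
        {"host": "fmg-prod-01", "version": "7.2.3", "mea_installed": True},
        {"host": "fmg-prod-02", "version": "7.2.4", "mea_installed": True},
        {"host": "fmg-lab-01", "version": "7.0.10", "mea_installed": False},
        {"host": "fmg-legacy-01", "version": "6.2.12", "mea_installed": True},
        {"host": "fmg-new-01", "version": "7.6.0", "mea_installed": True},
    ]
    for row in triage(sample):
        print(f"{row['host']:<14} {row['status']:<11} fixed_in={row['fixed_in']}")
```

Hosts reported as 'mitigated' are still running an affected build and should be upgraded; the advisory presents disabling FortiWLM MEA as a workaround, not a fix.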
Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.
Timeline
2024-02-22: Initial publication