Improper access control in backup and restore features

Summary

An improper access control vulnerability [`CWE-284]` in FortiWLM MEA for FortiManager may allow an unauthenticated remote attacker to execute arbitrary code or commands via specifically crafted requests.


Note that FortiWLM MEA is not installed by default on FortiManager and can be disabled as a workaround.

Affected Products

FortiManager version 7.4.0
FortiManager version 7.2.0 through 7.2.3
FortiManager version 7.0.0 through 7.0.10
FortiManager version 6.4.0 through 6.4.13
FortiManager 6.2 all versions

Solutions

Please upgrade to FortiManager version 7.4.1 or above
Please upgrade to FortiManager version 7.2.4 or above
Please upgrade to FortiManager version 7.0.11 or above
Please upgrade to FortiManager version 6.4.14 or above

Acknowledgement

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

Timeline

2024-02-22: Initial publication