REST API trusted host bypass


An improper access control vulnerability [CWE-284] in the FortiOS REST API component may allow an authenticated attacker to access a restricted resource from a non-trusted host.
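A triage sketch for this issue, added here as an example and not Fortinet code: it flags firmware in the affected range listed in this advisory and finds authenticated REST API requests whose source address lies outside the account's trusted hosts. The record shape, account names, paths and addresses are constructed assumptions, not a FortiOS log format.

```python
import ipaddress

# Affected range from this advisory: FortiOS 7.2.0 through 7.2.4.
AFFECTED_LOW, AFFECTED_HIGH = (7, 2, 0), (7, 2, 4)

def is_affected(version):
    """True when a 'major.minor.patch' string is in the affected range.
    Raises ValueError on a non-numeric component rather than guessing."""
    parts = tuple(int(p) for p in version.strip().lstrip("vV").split("."))
    return len(parts) == 3 and AFFECTED_LOW <= parts <= AFFECTED_HIGH

def outside_trusted_hosts(requests, trusted):
    """Return the requests whose source is outside the account's trusted networks.

    requests: dicts with 'user', 'src', 'path' keys (constructed record shape).
    trusted:  dict mapping account name -> list of CIDR strings.
    Accounts without an entry are treated as unrestricted (example assumption).
    """
    nets = {user: [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for user, cidrs in trusted.items()}
    hits = []
    for req in requests:
        allowed = nets.get(req["user"])
        if allowed is None:
            continue  # no trusted-host restriction recorded for this account
        src = ipaddress.ip_address(req["src"])
        # An IPv4 address tested against an IPv6 network is simply not a member.
        if not any(src in net for net in allowed):
            hits.append(req)
    return hits

# Constructed sample data using documentation address ranges, not real logs.
TRUSTED = {"api-audit": ["192.0.2.0/24", "2001:db8:10::/64"],
           "api-backup": ["198.51.100.10/32"]}
REQUESTS = [
    {"user": "api-audit", "src": "192.0.2.15", "path": "/api/resource-a"},
    {"user": "api-audit", "src": "203.0.113.7", "path": "/api/resource-b"},
    {"user": "api-audit", "src": "2001:db8:10::5", "path": "/api/resource-a"},
    {"user": "api-backup", "src": "198.51.100.11", "path": "/api/resource-c"},
    {"user": "local-admin", "src": "203.0.113.9", "path": "/api/resource-a"},
]

if __name__ == "__main__":
    for fw in ("7.2.3", "7.2.5", "7.4.0"):
        print(fw, "affected" if is_affected(fw) else "not affected")
    for hit in outside_trusted_hosts(REQUESTS, TRUSTED):
        print("review:", hit["user"], hit["src"], hit["path"])
```

Requests returned for a device that ran an affected release during the period covered are the ones to review against the account's expected activity.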

| Version     | Affected            | Solution                  |
|-------------|---------------------|---------------------------|
| FortiOS 7.4 | Not affected        | Not Applicable            |
| FortiOS 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |

Follow the recommended upgrade path using our tool at:


Internally discovered and reported by Justin Lum from the FortiOS development team.


2023-10-10: Initial publication