FortiOS - Improper authorization via prof-admin profile


An improper authorization vulnerability [CWE-285] in FortiOS's WEB UI component may allow an authenticated attacker belonging to the prof-admin profile to perform elevated actions.

Version Affected Solution
FortiOS 7.4 Not affected Not Applicable
FortiOS 7.2 7.2.0 through 7.2.4 Upgrade to 7.2.5 or above
FortiOS 7.0 7.0.0 through 7.0.11 Upgrade to 7.0.12 or above
Follow the recommended upgrade path using our tool at:


Internally discovered and reported by Fortinet QA team.


2023-09-15: Initial publication