TACACS+ authentication bypass
Summary
A missing authentication for critical function vulnerability [CWE-306] in FortiOS, FortiProxy, and FortiSwitchManager TACACS+ may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass. The device must be configured to use a remote TACACS+ server for authentication, and that server entry must itself be configured to use ASCII authentication.
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiOS 7.4 | 7.4.4 through 7.4.6 | Upgrade to 7.4.7 or above |
| FortiOS 7.2 | Not affected | Not Applicable |
| FortiOS 7.0 | Not affected | Not Applicable |
| FortiOS 6.4 | Not affected | Not Applicable |
| FortiProxy 7.6 | 7.6.0 through 7.6.1 | Upgrade to 7.6.2 or above |
| FortiProxy 7.4 | Not affected | Not Applicable |
| FortiProxy 7.2 | Not affected | Not Applicable |
| FortiProxy 7.0 | Not affected | Not Applicable |
| FortiProxy 2.0 | Not affected | Not Applicable |
| FortiSwitchManager 7.2 | 7.2.5 | Upgrade to 7.2.6 or above |
| FortiSwitchManager 7.0 | Not affected | Not Applicable |
This vulnerability is limited to configurations where ASCII authentication is used. PAP, MSCHAP, and CHAP configurations are not impacted.
Workaround
Use an alternate authentication method:
```
config user tacacs+
    edit "TACACS-SERVER"
        set server <IP address>
        set key <string>
        set authen-type [pap, mschap, chap]
        set source-ip <IP address>
    next
end
```
OR
```
config user tacacs+
    edit "TACACS-SERVER"
        set server <IP address>
        set key <string>
        unset authen-type
        set source-ip <IP address>
    next
end
```
By default (set authen-type auto), ASCII authentication will not be used.
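The following is an added example, not part of the Fortinet advisory. It walks a FortiOS-style configuration dump and reports every `config user tacacs+` entry whose `authen-type` is `ascii`, i.e. the configuration the advisory describes as affected, so an operator can audit a fleet of exported configs before applying the workaround above. It assumes the dump uses the `config` / `edit` / `set` / `next` / `end` block layout shown in the workaround, that `ascii` is the CLI value for ASCII authentication, and that entries without an explicit `set authen-type` line use the documented `auto` default; the sample config embedded below is constructed, not taken from a real device.

```python
"""Audit a FortiOS-style config dump for TACACS+ entries using ASCII authentication.

Added example for this advisory; not Fortinet code. Assumes the block layout
config / edit "<name>" / set ... / next / end and no nested config blocks
inside the tacacs+ entries.
"""
import re

# Constructed sample configuration dump (not from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config user tacacs+
    edit "TACACS-SERVER"
        set server 192.0.2.10
        set key ENC PLACEHOLDER
        set authen-type ascii
        set source-ip 192.0.2.1
    next
    edit "TACACS-BACKUP"
        set server 192.0.2.11
        set key ENC PLACEHOLDER
        set authen-type pap
    next
    edit "TACACS-DEFAULT"
        set server 192.0.2.12
        set key ENC PLACEHOLDER
    next
end
"""


def parse_tacacs_servers(config_text):
    """Return {entry_name: authen_type} for every entry under 'config user tacacs+'.

    An entry with no 'set authen-type' line is recorded as 'auto', the default
    the advisory states does not use ASCII authentication.
    """
    servers = {}
    in_tacacs = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user tacacs+":
            in_tacacs = True
            continue
        if not in_tacacs:
            continue
        if line == "end":          # closes the tacacs+ block
            in_tacacs = False
            continue
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            servers[current] = "auto"   # default until a set line overrides it
            continue
        if line == "next":         # closes the current entry
            current = None
            continue
        m = re.match(r"set authen-type (\S+)", line)
        if m and current is not None:
            servers[current] = m.group(1).lower()
    return servers


def affected_entries(config_text):
    """Names of TACACS+ entries configured for ASCII authentication, sorted."""
    return sorted(
        name for name, authen in parse_tacacs_servers(config_text).items()
        if authen == "ascii"
    )


if __name__ == "__main__":
    for name, authen in parse_tacacs_servers(SAMPLE_CONFIG).items():
        flag = "AFFECTED" if authen == "ascii" else "ok"
        print(f"{name}: authen-type={authen} [{flag}]")
```

Run it against the output of a full configuration export; only entries reported as `ascii` need the workaround (switch to `pap`, `mschap`, or `chap`, or `unset authen-type` to return to `auto`).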
Acknowledgement
Fortinet is pleased to thank Cam B from Vital and NBS Telecom's Matheus Maia for reporting this vulnerability under responsible disclosure.
Timeline
2025-05-13: Initial publication
2025-05-28: Clarifying that authen-type auto is NOT impacted, as ASCII is not used