FortiWLC Undocumented Hardcoded core Account Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-16-065 Final 1 1 2016-11-09T00:00:00 Current version 2016-11-09T00:00:00 2016-11-09T00:00:00 FortiWLC comes with a hardcoded account named 'core' which is used by Meru Access Points to send core dumps to the FortiWLC and has read/write privileges over various parts of the system. Unauthorized read/write remote access FortiWLC 7.0-9-1, 7.0-10-0, 8.1-2-0, 8.1-3-2 and 8.2-4-0 Depending on your version, apply the following patches:7.0-9-1:meru-7.0-9-1-patch-bug03932927.0-10-0:meru-7.0-10-0-patch-bug03932928.1-2-0:meru-8.1-2-0-patch-bug03932928.1-3-2:meru-8.1-2-0-patch-bug03932928.2-4-0:meru-8.2-4-0-patch-bug0393292 Fortinet is pleased to thank University of Toronto for reporting this vulnerability under responsible disclosure. CVE-2016-8491 https://fortiguard.fortinet.com/psirt/FG-IR-16-065 FortiWLC Undocumented Hardcoded core Account Reference>