FortiRecorder sets hardcoded admin password on all FortiCameras Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-19-185 Final 1 1 2019-08-12T00:00:00 Current version 2019-08-12T00:00:00 2019-08-12T00:00:00 An Use of Hard-coded Credentials vulnerability in FortiRecorder may allow an unauthenticated attacker with knowledge of the aforementioned credentials and network access to FortiCameras to take control of those, provided they are managed by a FortiRecorder device. Escalation of privilege FortiRecorder all versions below 2.7.4 Upgrade to FortiRecorder 2.7.4Workarounds:Deploy FortiCameras on a private and closed network dedicated to the connection to FortiRecorder.Alternatively, use a Firewall or FortiCamera built-in access control to only allow trusted hosts to access FortiCamera.Refer to the "Hardening security" section in your FortiRecorder's admin guide for guidance. https://fortiguard.fortinet.com/psirt/FG-IR-19-185 FortiRecorder sets hardcoded admin password on all FortiCameras https://xor.cat/2019/08/05/fortinet-fortirecorder-hardcoded-password/ https://xor.cat/2019/08/05/fortinet-fortirecorder-hardcoded-password/ Fortinet is pleased to thank security researcher Aaron Blair for reporting this vulnerability under responsible disclosure and FortiGuard Lion Team for the help of addressing this issue. CVE-2019-6698 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-19-185 FortiRecorder sets hardcoded admin password on all FortiCameras Reference> https://xor.cat/2019/08/05/fortinet-fortirecorder-hardcoded-password/ https://xor.cat/2019/08/05/fortinet-fortirecorder-hardcoded-password/