Mandatory password and OTP" setting not enforcing OTP on unimported remote users

Mandatory password and OTP" setting not enforcing OTP on unimported remote users Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-212 Final 1 1 2021-12-07T00:00:00 Current version 2021-12-07T00:00:00 2021-12-07T00:00:00 An incorrect implementation of authentication algorithm vulnerability [CWE-303] in FortiAuthenticator may allow an user whose LDAP account is unimported to bypass the second factor of authentication via a RADIUS login portal. Improper access control Fortinet is pleased to thank Gerard Gerritsen from Municipality of Ede for reporting this vulnerability under responsible disclosure. FortiAuthenticator 6.4.0 Mandatory password and OTP" setting not enforcing OTP on unimported remote users CVE-2021-43068 FortiAuthenticator-6.4.0 5.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-21-212 Mandatory password and OTP" setting not enforcing OTP on unimported remote users Reference>