PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

A remote attacker may access the internal ZebOS shell of FortiOS 5.2.3 without authentication on the HA ("High Availability")...

Jul 24, 2015 Risk IR Number: FG-IR-15-020
When connecting to a FortiGuard server via TLS, FortiOS 5.2.3/5.0.11 and below is supporting multiple weak ciphers including anonymous,...

Jul 24, 2015 Risk IR Number: FG-IR-15-021
The SSL-VPN feature of FortiOS 4.3.12 and lower only checks the first byte of the TLS MAC in the finished message. An attacker...

Jul 15, 2015 Risk IR Number: FG-IR-15-016
OpenSSL released a security advisory in July 2015 to announce a high severity vulnerability affecting any application that verifies...

Jul 09, 2015 Risk IR Number: FG-IR-15-015
OpenSSL released a security advisory in June 2015 to announce multiple security vulnerabilities.

Jun 11, 2015 Risk IR Number: FG-IR-15-014
Researchers (from the same group of people who discovered the FREAK Vulnerability in SSL/TLS) have published a paper demonstrating...

May 20, 2015 Risk IR Number: FG-IR-15-013
The VENOM (Virtualized Environment Neglected Operations Manipulation) vulnerability impacts popular virtualization platforms,...

May 19, 2015 Risk IR Number: FG-IR-15-012
Older versions of FortiWeb are subject to three vulnerabilities: 1. OS command injection: A WebUI administrator user may run...

Apr 16, 2015 Risk IR Number: FG-IR-15-010
Certain versions of FortiManager are subject to the following vulnerabilities: 1. Escalation of Privileges: under certain circumstances,...

Apr 16, 2015 Risk IR Number: FG-IR-15-011
FortiMail's "diag debug application httpd" set of commands can be used to capture the credentials entered in the admin WebGui...

Apr 10, 2015 Risk IR Number: FG-IR-15-009
OpenSSL released a security advisory in March 2015 to announce multiple security vulnerabilities.

Mar 24, 2015 Risk IR Number: FG-IR-15-008
FREAK is an attack on SSL/TLS, which allows "Man in the Middle" attackers to decipher and alter HTTPS connections between a server...

Mar 04, 2015 Risk IR Number: FG-IR-15-007
Prior to build 237, the Windows version of FSSO can be remotely exploited to run arbitrary code over the TCP/8000 port without...

Feb 27, 2015 Risk IR Number: FG-IR-15-006
FortiClient Android and iOS are affected by two vulnerabilities: Android and iOS FortiClient do not check the validity of server...

Feb 25, 2015 Risk IR Number: FG-IR-15-004
The Web User Interface of FortiGate, FortiManager, FortiAnalyzer, FortiMail and FortiADC D models are vulnerable to reflected...

Feb 25, 2015 Risk IR Number: FG-IR-15-005