PSIRT Advisories

Monthly PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

The FortiOS webui accepts a user-controlled input that specifies a link to an external site, and uses that link in a redir...
Mar 16, 2016 Risk IR Number: FG-IR-16-004

It is possible to inject malicious script through the DHCP HOSTNAME option. The malicious script code is injected into th...
Mar 16, 2016 Risk IR Number: FG-IR-16-003 CVE-2015-3626

Researchers discovered that certain next generation firewalls are designed to permit full TCP handshake with any destinati...
Dec 15, 2015 Risk IR Number: FG-IR-15-024

OpenSSL released an update in December 2015 to address a small number of vulnerability issues.
Dec 10, 2015 Risk IR Number: FG-IR-15-023 CVE-2015-3193

FortiClient drivers expose IOCTL that may allow an unprivileged user to get system-level privileges.
Sep 01, 2015 Risk IR Number: FG-IR-15-025 CVE-2015-4077

When connecting to a FortiGuard server via TLS, FortiOS 5.2.3/5.0.11 and below support multiple weak ciphers includi...
Jul 24, 2015 Risk IR Number: FG-IR-15-021 CVE-2015-2323

OpenSSL released a security advisory in June 2015 to announce multiple security vulnerabilities.
Jun 11, 2015 Risk IR Number: FG-IR-15-014 CVE-2014-8176

Researchers (from the same group of people who discovered the FREAK Vulnerability in SSL/TLS) have published a paper demon...
May 20, 2015 Risk IR Number: FG-IR-15-013 CVE-2015-4000

Older versions of FortiWeb are subject to three vulnerabilities: 1. OS command injection: A WebUI administrator user may ...
Apr 16, 2015 Risk IR Number: FG-IR-15-010

Certain versions of FortiManager are subject to the following vulnerabilities: 1. Escalation of Privileges: under certain...
Apr 16, 2015 Risk IR Number: FG-IR-15-011 CVE-2015-3611

FortiMail's "diag debug application httpd" set of commands can be used to capture the credentials entered in the admin Web...
Apr 10, 2015 Risk IR Number: FG-IR-15-009 CVE-2015-3293

OpenSSL released a security advisory in March 2015 to announce multiple security vulnerabilities.
Mar 24, 2015 Risk IR Number: FG-IR-15-008 CVE-2015-0291

FREAK is an attack on SSL/TLS, which allows "Man in the Middle" attackers to decipher and alter HTTPS connections between ...
Mar 04, 2015 Risk IR Number: FG-IR-15-007 CVE-2015-0204

FortiClient Android and iOS are affected by two vulnerabilities: Android and iOS FortiClient do not check the validity of...
Feb 25, 2015 Risk IR Number: FG-IR-15-004 CVE-2015-1453

The Web User Interface of FortiGate, FortiManager, FortiAnalyzer, FortiMail and FortiADC D models are vulnerable to reflec...
Feb 25, 2015 Risk IR Number: FG-IR-15-005 CVE-2014-8616