PSIRT Advisories

Monthly PSIRT Advisories

The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.  

For details of how to raise a PSIRT Issue with Fortinet, please see our PSIRT Policy here.

An improper neutralization of input vulnerability in the FortiGate may allow a remote attacker to perform a stored cross s...

FortiOS 6.4.0, 6.2.3
Dec 01, 2020 Risk IR Number: FG-IR-20-068 CVE-2020-15937
An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully with...

FortiOS 6.4.0, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0
Jul 13, 2020 Risk IR Number: FG-IR-19-283 CVE-2020-12812
An Improper Input Validation vulnerability in the SSL VPN portal of FortiOS may allow an unauthenticated remote attacker t...

FortiOS 6.2.1, 6.2.0, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.14, 5.6.13, 5.6.12, 5.6.11, 5.6.10, 5.6.1, 5.6.0
Nov 08, 2019 Risk IR Number: FG-IR-19-236 CVE-2019-15705
Multiple Fortinet products may be affected by the following Linux Kernel vulnerability:CVE-2016-10229 Linux Kernel ipv4/ud...

FortiManager 5.4.2 FortiAP 5.6.0, 5.4.2 FortiADC 4.8.0 FortiSandbox 3.0.6, 3.0.5, 3.0.4 FortiAnalyzer 5.4.2 FortiWeb 5.7.3, 5.7.2 Meru Controller 8.4.5, 8.4.4 FortiWAN-Manager 4.3.0 FortiWAN 4.3.1 FortiPortal 5.0.3, 5.0.2, 5.0.1, 5.0.0, 4.2.2, 4.2.1, 4.1.2, 4.1.1, 4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0.0, 3.2.2, 3.2.1, 3.2.0, 0.4.24, 0.4.23, 0.4.20, 0.4.10 FortiWebManager 6.0.0 FortiCache 4.2.2 FortiDDoS 4.3.2, 4.3.1 FortiOS 5.6.0, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.13, 5.4.12, 5.4.11, 5.4.10, 5.4.1, 5.4.0 FortiAuthenticator 5.0.0 FortiVoiceEnterprise 5.3.6 AscenLink 7.2.19 FortiWLM 8.4.0 FortiWLC 8.4.8, 8.4.7, 8.4.6, 8.4.5, 8.4.4, 8.4.2
Jul 24, 2019 Risk IR Number: FG-IR-17-118 CVE-2016-10229
An external control of system vulnerability in FortiOS may allow an authenticated, regular user to change the routing sett...

FortiOS 6.0.2, 6.0.1, 6.0.0, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.1, 5.6.0, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.10, 5.4.1, 5.4.0, 5.2.9, 5.2.8, 5.2.7, 5.2.6, 5.2.5, 5.2.4, 5.2.3, 5.2.2, 5.2.12, 5.2.11, 5.2.10, 5.2.1, 5.2.0, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.14, 5.0.13, 5.0.12, 5.0.11, 5.0.10, 5.0.1, 5.0.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.19, 4.3.18, 4.3.17, 4.3.16, 4.3.15, 4.3.14, 4.3.13, 4.3.12, 4.3.11, 4.3.10, 4.3.1, 4.3.0, 4.2.9, 4.2.8, 4.2.7, 4.2.6, 4.2.5, 4.2.4, 4.2.3, 4.2.2, 4.2.16, 4.2.15, 4.2.14, 4.2.13, 4.2.12, 4.2.11, 4.2.10, 4.2.1, 4.2.0, 4.1.9, 4.1.8, 4.1.7, 4.1.6, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.11, 4.1.10, 4.1.1, 4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0.0
Apr 04, 2019 Risk IR Number: FG-IR-18-230 CVE-2018-13371
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birt...

FortiCache 4.2.8, 4.1.1, 4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0.0, 3.1.1, 3.1.0, 3.0.8, 3.0.7, 3.0.6, 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1, 3.0.0, 2.3.7, 2.3.6, 2.3.5, 2.3.4, 2.3.3, 2.3.2, 2.3.1, 2.3.0, 2.2.4, 2.2.3, 2.2.2, 2.2.1, 2.2.0, 2.1.3, 2.1.2, 2.1.1, 2.1.0, 2.0.1, 2.0.0, 1.0.0, 0.4.10 FortiClientEMS 1.2.1, 1.0.2, 1.0.1, 1.0.0 FortiManager 6.0.2, 5.6.5 FortiAnalyzer 6.0.2, 5.6.5 FortiOS 5.4.1, 5.4.0, 5.2.9, 5.0.14 FortiSwitch 6.0.1, 3.6.7 FortiPortal 5.0.0
Feb 07, 2019 Risk IR Number: FG-IR-17-173 CVE-2016-2183
An uninitialized memory buffer leak exists in FortiOS web proxy's disclaimer response web pages, potentially causing sensi...

FortiOS 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.12, 6.0.11, 6.0.10, 5.6.3, 5.6.2, 5.6.1, 5.4.7, 5.4.6, 5.2.15, 5.2.14, 5.2.13, 5.2.12
Nov 22, 2018 Risk IR Number: FG-IR-18-325 CVE-2018-13376
A collection of AMD vulnerabilities known as "Ryzenfall, Fallout, Chimera, Masterkey" has been released. Attackers in poss...

FortiAnalyzer FortiAP 5.2, 5.6 FortiOS 5.2, 4.2 FortiSwitch
Apr 13, 2018 Risk IR Number: FG-IR-18-046 CVE-2018-8930
An improper following of a certificate's chain of trust vulnerability in FortiGate SSL-VPN may allow an LDAP user to conne...

FortiOS 6.4.4, 6.4.3, 6.4.2
Jun 01, 2021 Risk IR Number: FG-IR-21-018 CVE-2021-24012
When traffic other than HTTP/S (eg: SSH traffic, etc...) traverses the FortiGate on port 80/443, it is not redirected to t...

FortiOS 6.2.4
Jan 21, 2021 Risk IR Number: FG-IR-20-172 CVE-2020-15938
A cleartext storage of sensitive information vulnerability in FortiOS command line interface may allow an authenticated at...

FortiOS 6.2.4, 6.2.3, 6.2.2, 6.2.1, 6.2.0, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.11, 6.0.10, 6.0.1, 6.0.0
Oct 19, 2020 Risk IR Number: FG-IR-20-009 CVE-2020-6648
Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiOS, FortiManager and FortiAnal...

FortiAnalyzer 6.0, 6.2 FortiManager 6.0, 6.2 FortiOS 6.0, 6.2
Jun 30, 2020 Risk IR Number: FG-IR-19-007 CVE-2019-6693
An Uncontrolled Resource Consumption vulnerability in multiple products may allow an attacker to cause web service portal ...

FortiAnalyzer 5.6, 6.0, 6.2 FortiAP 6.0, 6.2 FortiManager 5.6, 6.0, 6.2 FortiOS 6.0, 6.2 FortiSwitch 6.0, 6.2
Feb 03, 2020 Risk IR Number: FG-IR-19-013 CVE-2019-17657
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS...

FortiOS 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.12, 5.4.11, 5.4.10
Nov 26, 2019 Risk IR Number: FG-IR-18-384 CVE-2018-13379
Improper permission or value checking in the CLI console may allow a non-privileged user to obtain plaint text private key...

FortiOS 6.2.1, 6.2.0, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0.0, 5.6.9, 5.6.8, 5.6.7, 5.6.6, 5.6.5, 5.6.4, 5.6.3, 5.6.2, 5.6.10, 5.6.1, 5.6.0, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.13, 5.4.12, 5.4.11, 5.4.10, 5.4.1, 5.4.0
Nov 14, 2019 Risk IR Number: FG-IR-19-134 CVE-2019-5593