An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Affected OS:

  • FortiOS: From 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1
  • FortiProxy: From 7.0.0 to 7.0.6 and 7.2.0
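
To check whether a given build falls inside the affected ranges above, here is an added helper (not from the advisory or from Fortinet); it assumes a plain `x.y.z` string or a CLI-style string such as `v7.0.5,build0304`, which is a constructed sample and not a real device's output.

```python
import re

# Affected ranges as listed above, inclusive on both ends.
# Tuples compare lexicographically, so (7, 0, 6) < (7, 0, 7) < (7, 2, 0).
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 1))],
    "FortiProxy": [((7, 0, 0), (7, 0, 6)), ((7, 2, 0), (7, 2, 0))],
}


def parse_version(text):
    """Return the first x.y.z version in `text` as a tuple of ints.

    Accepts bare '7.2.1' as well as a constructed CLI-style string like
    'v7.0.5,build0304'; anything after the third component is ignored.
    """
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(product, version_text):
    """True if `product` ('FortiOS' or 'FortiProxy') at this version is in scope."""
    if product not in AFFECTED:
        raise KeyError(f"unknown product {product!r}")
    version = parse_version(version_text)
    return any(low <= version <= high for low, high in AFFECTED[product])


if __name__ == "__main__":
    # Constructed inventory lines: (product, reported version)
    inventory = [
        ("FortiOS", "v7.0.5,build0304"),   # affected
        ("FortiOS", "7.0.7"),              # first fixed 7.0 build
        ("FortiOS", "7.2.1"),              # affected
        ("FortiProxy", "7.2.1"),           # not listed for FortiProxy
        ("FortiProxy", "6.4.9"),           # outside both ranges
    ]
    for product, ver in inventory:
        state = "AFFECTED - patch" if is_affected(product, ver) else "not in listed ranges"
        print(f"{product:11} {ver:18} {state}")
```

Note that a version outside the listed ranges only means it is not in this advisory's scope; confirm against the vendor's own notice before treating it as safe.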

Patch the affected products ASAP so they are not exposed to any potential zero-day exploit.
Fortinet hasn’t published any writeup or info yet; hopefully this won’t be another big exploit like the infamous “Fortifuck”.

For further info refer to:

-JP