=====================================================================
CERT-Renater Information Note No. 2025/VULN508
_____________________________________________________________________

DATE                 : 13/08/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : FortiOS versions prior to 6.4.16, 6.2.17,
                       FortiPAM versions 1.2, 1.1, 1.0,
                       FortiProxy versions prior to 7.4.3, 7.2.9, 7.0.16,
                       FortiSwitchManager versions prior to 7.2.4, 7.0.4.
=====================================================================

https://fortiguard.fortinet.com/psirt/FG-IR-24-042
_____________________________________________________________________

Weak authentication - FGFM protocol

Summary

An authentication bypass using an alternate path or channel [CWE-288] vulnerability in FortiOS, FortiProxy & FortiPAM may allow an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager and if the attacker knows that FortiManager's serial number. Both conditions must hold: a device that is not under FortiManager management does not meet the precondition stated by the advisory, and the affected-version table below also lists FortiSwitchManager branches with fixed releases.
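The script below is an added example, not code from Fortinet or CERT-Renater. It transcribes the affected/fixed ranges from the version table that follows into a branch-aware version check, then combines the verdict with the advisory's precondition that the device is managed by a FortiManager. The layout of the `get system status` "Version:" line and of the `show system central-management` block that it parses are assumptions about those commands' output, and the sample outputs are constructed, not captured from a device.

```python
"""Affected-version check for FG-IR-24-042 (CWE-288 via FGFM).

Added example, not Fortinet's or CERT-Renater's code. ADVISORY transcribes
the version table from the advisory; the command-output formats parsed
further down are assumptions, and the sample outputs are constructed.
"""
import re

# branch (major, minor) -> first fixed build in that branch, or
# "migrate" (advisory: "Migrate to a fixed release") or "ok" (not affected).
ADVISORY = {
    "FortiOS": {
        (7, 6): "ok", (7, 4): "ok", (7, 2): "ok", (7, 0): "ok",
        (6, 4): (6, 4, 16), (6, 2): (6, 2, 17), (6, 0): "migrate",
    },
    "FortiPAM": {
        (1, 7): "ok", (1, 6): "ok", (1, 5): "ok", (1, 4): "ok", (1, 3): "ok",
        (1, 2): "migrate", (1, 1): "migrate", (1, 0): "migrate",
    },
    "FortiProxy": {
        (7, 6): "ok", (7, 4): (7, 4, 3), (7, 2): (7, 2, 9), (7, 0): (7, 0, 16),
    },
    "FortiSwitchManager": {(7, 2): (7, 2, 4), (7, 0): (7, 0, 4)},
}


def parse_version(text):
    """'v7.0.12' -> (7, 0, 12); a missing patch level is taken as 0."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(product, version):
    """Return (verdict, advice) for one product/version against ADVISORY."""
    branches = ADVISORY.get(product)
    if branches is None:
        return ("unknown", f"{product} is not covered by FG-IR-24-042")
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    entry = branches.get(v[:2])
    if entry is None:
        return ("unknown", f"{product} {v[0]}.{v[1]} is not listed in the table")
    if entry == "ok":
        return ("not affected", "no action required for this advisory")
    if entry == "migrate":
        return ("affected", "no fix in this branch: migrate to a fixed release")
    if v < entry:
        return ("affected", "upgrade to %s or above" % ".".join(map(str, entry)))
    return ("not affected", "at or above the first fixed build")


# Assumed shape of the 'Version:' line printed by `get system status`
# (e.g. 'Version: FortiGate-60F v6.4.14,build2093,230216 (GA)') and of the
# `show system central-management` config block; adjust if yours differs.
STATUS_VERSION_RE = re.compile(r"^Version:\s+([A-Za-z]+)-\S+\s+v(\d+\.\d+\.\d+)", re.M)
FMG_MANAGED_RE = re.compile(r"^\s*set type fortimanager\b", re.M)
PRODUCT_BY_MODEL_PREFIX = {"FortiGate": "FortiOS"}  # other prefixes equal the product name


def exposure(status_output, central_mgmt_output):
    """Combine the version verdict with the advisory's precondition that the
    device is managed by a FortiManager; both must hold to be 'exposed'."""
    m = STATUS_VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no 'Version:' line found in status output")
    product = PRODUCT_BY_MODEL_PREFIX.get(m.group(1), m.group(1))
    verdict, advice = assess(product, m.group(2))
    managed = FMG_MANAGED_RE.search(central_mgmt_output) is not None
    return {
        "product": product, "version": m.group(2), "verdict": verdict,
        "advice": advice, "fortimanager_managed": managed,
        "exposed": verdict == "affected" and managed,
    }


# Constructed sample outputs, not captured from a real device.
SAMPLE_STATUS = "Version: FortiGate-60F v6.4.14,build2093,230216 (GA)\n"
SAMPLE_CENTRAL_MGMT = (
    "config system central-management\n"
    "    set type fortimanager\n"
    '    set fmg "192.0.2.10"\n'
    "end\n"
)

if __name__ == "__main__":
    for product, ver in [("FortiOS", "6.4.15"), ("FortiOS", "7.0.12"),
                         ("FortiProxy", "7.2.8"), ("FortiPAM", "1.2.1")]:
        print(product, ver, *assess(product, ver))
    print(exposure(SAMPLE_STATUS, SAMPLE_CENTRAL_MGMT))
```

Branches the advisory does not list at all (for example an end-of-life FortiOS 5.x train) are reported as "unknown" rather than "not affected", so that a device the advisory is silent about is not silently treated as safe.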
Version                 Affected                 Solution
----------------------  -----------------------  ----------------------------
FortiOS 7.6             Not affected             Not Applicable
FortiOS 7.4             Not affected             Not Applicable
FortiOS 7.2             Not affected             Not Applicable
FortiOS 7.0             Not affected             Not Applicable
FortiOS 6.4             6.4.0 through 6.4.15     Upgrade to 6.4.16 or above
FortiOS 6.2             6.2.0 through 6.2.16     Upgrade to 6.2.17 or above
FortiOS 6.0             6.0 all versions         Migrate to a fixed release
FortiPAM 1.7            Not affected             Not Applicable
FortiPAM 1.6            Not affected             Not Applicable
FortiPAM 1.5            Not affected             Not Applicable
FortiPAM 1.4            Not affected             Not Applicable
FortiPAM 1.3            Not affected             Not Applicable
FortiPAM 1.2            1.2 all versions         Migrate to a fixed release
FortiPAM 1.1            1.1 all versions         Migrate to a fixed release
FortiPAM 1.0            1.0 all versions         Migrate to a fixed release
FortiProxy 7.6          Not affected             Not Applicable
FortiProxy 7.4          7.4.0 through 7.4.2      Upgrade to 7.4.3 or above
FortiProxy 7.2          7.2.0 through 7.2.8      Upgrade to 7.2.9 or above
FortiProxy 7.0          7.0.0 through 7.0.15     Upgrade to 7.0.16 or above
FortiSwitchManager 7.2  7.2.0 through 7.2.3      Upgrade to 7.2.4 or above
FortiSwitchManager 7.0  7.0.0 through 7.0.3      Upgrade to 7.0.4 or above

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool

Acknowledgement

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.

Timeline

2025-08-12: Initial publication

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris        | email : cert@support.renater.fr +
=========================================================