Headline
CVE-2023-40719: Fortiguard
A use of hard-coded credentials vulnerability in Fortinet FortiAnalyzer and FortiManager 7.0.0 - 7.0.8, 7.2.0 - 7.2.3 and 7.4.0 allows an attacker to access Fortinet private testing data via the use of static credentials.
**PSIRT Advisories**
FortiManager & FortiAnalyzer - Use of hardcoded credentials in fmgsvrd
Summary
A use of hard-coded credentials [CWE-798] in FortiManager and FortiAnalyzer may allow an attacker to access Fortinet dummy testing data via the use of static credentials. Those credentials have been revoked.
| Version | Affected | Solution |
| --- | --- | --- |
| FortiAnalyzer 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiAnalyzer 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiManager 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiManager 7.0 | 7.0 all versions | Migrate to a fixed release |
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
Acknowledgement
Discovered during an internal audit conducted by a third-party company.
Timeline
2023-10-28: Initial publication