Fortinet FortiOS
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*
- >= 7.4.0, <= 7.4.4
- >= 7.2.0, <= 7.2.8
- >= 7.0.0, <= 7.0.15
- >= 6.4.0, <= 6.4.15
- < 6.2.16
A vulnerability of type improper restriction of communication channel to intended endpoints has been identified in multiple Fortinet products. Affected Fortinet FortiOS versions are 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, and all versions prior to 6.2.16. Fortinet FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and versions prior to 7.0.15 are also affected, as are Fortinet FortiManager, Fortinet FortiAnalyzer, Fortinet FortiVoice versions 7.0.0 through 7.0.2 and versions prior to 6.4.8, and Fortinet FortiWeb versions prior to 7.4.2. Under certain conditions, an unauthenticated attacker in a man-in-the-middle position on the FGFM channel may intercept FGFM authentication requests and impersonate the management device, such as a FortiCloud server or FortiManager.
Exploitation of this vulnerability could lead to unauthorized impersonation of a management device, potentially allowing an attacker to intercept and manipulate communications between management and managed devices.
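As an added example, not part of this advisory and not Fortinet tooling, the following Python parses the FortiOS range notation used above (">= 7.4.0, <= 7.4.4", "< 6.2.16") and checks an inventory of build versions against it, so the open lower bound of the last range and the inclusive upper bounds of the others are handled explicitly rather than by eye. The range lines are copied from the page; the hostnames and versions in the sample inventory are constructed, and the function names are this example's own.

```python
"""Check FortiOS build versions against the affected ranges quoted above.

Added example: the FortiOS range lines are copied from the advisory text, the host
inventory is constructed sample data, and the function names are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# (lower bound, lower inclusive, upper bound, upper inclusive); None means unbounded.
Range = Tuple[Optional[Version], bool, Optional[Version], bool]

# Affected FortiOS ranges exactly as listed in the advisory text above.
FORTIOS_AFFECTED_RANGES: List[str] = [
    ">= 7.4.0, <= 7.4.4",
    ">= 7.2.0, <= 7.2.8",
    ">= 7.0.0, <= 7.0.15",
    ">= 6.4.0, <= 6.4.15",
    "< 6.2.16",
]

_BOUND = re.compile(r"(>=|<=|>|<)\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Turn '7.4.3', 'v7.0.12' or '7.2.8 build1639' into a tuple of ints.

    Anything that is not a dotted run of integers is rejected rather than guessed at.
    """
    token = text.strip().lstrip("vV").split()[0] if text.strip() else ""
    parts = token.split(".")
    if not token or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _cmp(a: Version, b: Version) -> int:
    """Compare two versions, zero-padding the shorter one so that 7.4 == 7.4.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_range(text: str) -> Range:
    """Parse one advisory range line such as '>= 7.4.0, <= 7.4.4' or '< 6.2.16'.

    A missing lower bound (as in '< 6.2.16') means every earlier release is in range.
    """
    found = _BOUND.findall(text)
    if not found:
        raise ValueError(f"no version bounds in range line: {text!r}")
    lo: Optional[Version] = None
    hi: Optional[Version] = None
    lo_inc = hi_inc = True
    for op, ver in found:
        if op.startswith(">"):
            lo, lo_inc = parse_version(ver), op == ">="
        else:
            hi, hi_inc = parse_version(ver), op == "<="
    return lo, lo_inc, hi, hi_inc


def in_range(v: Version, rng: Range) -> bool:
    """True when v lies inside rng, honouring inclusive and exclusive ends."""
    lo, lo_inc, hi, hi_inc = rng
    if lo is not None:
        c = _cmp(v, lo)
        if c < 0 or (c == 0 and not lo_inc):
            return False
    if hi is not None:
        c = _cmp(v, hi)
        if c > 0 or (c == 0 and not hi_inc):
            return False
    return True


def matching_range(version: str, range_lines: List[str] = FORTIOS_AFFECTED_RANGES) -> Optional[str]:
    """Return the advisory range line that covers `version`, or None if it is not listed."""
    v = parse_version(version)
    for line in range_lines:
        if in_range(v, parse_range(line)):
            return line
    return None


def affected_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> matching range for every host whose FortiOS version is affected."""
    hits: Dict[str, str] = {}
    for host, version in inventory.items():
        rng = matching_range(version)
        if rng is not None:
            hits[host] = rng
    return hits


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for this example.
    sample = {
        "fw-edge-01": "7.4.4",
        "fw-edge-02": "7.4.5",
        "fw-dc-01": "7.2.8 build1639",
        "fw-branch-07": "6.0.17",
        "fw-lab-01": "7.6.0",
    }
    for host, rng in affected_hosts(sample).items():
        print(f"{host}: {sample[host]} falls in affected range {rng}")
```

The same parser works for the FortiProxy, FortiVoice and FortiWeb ranges once they are written in the same notation; FortiManager and FortiAnalyzer are named above without version bounds, so they cannot be checked this way from the page alone.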