PSIRT

CVE-2017-7336 WLM hardcoded account named upgrade

Summary

FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. Having the upgrade account credentials would allow an attacker to transfer files to any attached or previously attached controllers as an admin user, thus raising potential further security issues.

Affected Products

FortiWLM version 8.3.0 and lower.

Solutions

Upgrade to FortiWLM version 8.3.1

Acknowledgement

Fortinet is pleased to thank Adam Piekarzewski, University of Toronto for reporting this vulnerability under responsible disclosure.

IR Number	FG-IR-17-115
Published Date	Jun 30, 2017
Severity	Critical
CVSSv3 Score	0
Impact	Improper access control
CVE ID	CVE-2017-7336
CVRF	Download

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

PSIRT

CVE-2017-7336 WLM hardcoded account named upgrade

Summary

Affected Products

Solutions

Acknowledgement

News/Research

Research Center

PSIRT Center

Services

By Outbreak

By Solution

By Product

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Threat Intelligence Center

Resource Center

About

FortiGuard Labs

Partners

PSIRT

CVE-2017-7336 WLM hardcoded account named upgrade

Summary

Affected Products

Solutions

Acknowledgement

Threat Intelligence
Center