PSIRT Advisory

Fortinet Connect admin able to gain root access

Summary

A web UI administrator may create a new theme that executes arbitrary code on the system.

Impact

Privilege escalation

Affected Products

Fortinet Connect 14.2, 14.10, 15.10 and 16.7

Solutions

A patch is available for the following Fortinet Connect versions:
* 16.7.0.1
* 15.10.0.3
* 14.10.0.5
* 14.2.0.12
Please contact Fortinet TAC support to obtain the patches.

Acknowledgement

Fortinet is pleased to thank Spencer Lowe for reporting this vulnerability under responsible disclosure.