Multiple products - Lack of certificate verification when establishing secure connections


An improper certificate validation vulnerability [CWE-295] in FortiOS, FortiAnalyzer, FortiManager, and FortiSandbox may allow a network-adjacent, unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.

Affected Products

FortiManager version 7.0.1 and below.
FortiManager version 6.4.6 and below.
FortiAnalyzer version 7.0.2 and below.
FortiAnalyzer version 6.4.7 and below.
FortiSandbox versions 4.0.x.
FortiSandbox versions 3.2.x.
FortiSandbox versions 3.1.5 and below.


Solutions

Please upgrade to FortiManager version 7.0.2 or above.
Please upgrade to FortiManager version 6.4.7 or above.
Please upgrade to FortiAnalyzer version 7.0.3 or above.
Please upgrade to FortiAnalyzer version 6.4.8 or above.
Please upgrade to FortiSandbox version 4.2.0 or above.