FortiAuthenticator - Improper access control in HA service

Summary

An improper access control vulnerability [CWE-284] in the FortiAuthenticator high availability (HA) service may allow an attacker on the same VLAN as the HA management interface to make an unauthenticated direct connection to the FortiAuthenticator (FAC) database.

Affected Products

FortiAuthenticator 6.3.2 and below.
FortiAuthenticator 6.2.x.
FortiAuthenticator 6.1.x.
FortiAuthenticator 6.0.x.

Solutions

Please upgrade to FortiAuthenticator 6.4.0 or above.

Please upgrade to FortiAuthenticator 6.3.3 or above.

Acknowledgement

Fortinet is pleased to thank Steven Shockley for reporting this issue under responsible disclosure.