FortiMail - Improper use of cryptographic primitives in IBE KeyStore


Missing cryptographic steps in FortiMail IBE may allow an attacker who comes in possession of the encrypted master keys to compromise their confidentiality by observing a few invariant properties of the ciphertext.

Affected Products

FortiMail version 6.4.4 and below.
FortiMail version 6.2.6 and below.


Please upgrade to FortiMail version 7.0.0 or above


Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.