FortiManager - Password observed in cleartext in the config conflict file


An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiManager may allow a low-privileged authenticated user to gain access to FortiGate users' credentials via the config conflict file.

Affected Products

FortiManager version 7.0.0 through 7.0.2
FortiManager version 6.4.0 through 6.4.7
FortiManager version 6.2.0 through 6.2.9


Please upgrade to FortiManager version 7.0.3 or above.

Please upgrade to FortiManager version 6.4.8 or above.


Fortinet is pleased to thank Aymen Idriss from Topnet for reporting this vulnerability under responsible disclosure.