"Mandatory password and OTP" setting not enforcing OTP on unimported remote users


An incorrect implementation of authentication algorithm vulnerability [CWE-303] in FortiAuthenticator may allow a user whose LDAP account is unimported to bypass the second factor of authentication via a RADIUS login portal.

Version                 | Affected | Solution
FortiAuthenticator 6.4  | 6.4.0    | Upgrade to 6.4.1 or above


Fortinet is pleased to thank Gerard Gerritsen from Municipality of Ede for reporting this vulnerability under responsible disclosure.