Lack of certificate verification when establishing secure connections to external end-points

Summary

An improper certificate validation vulnerability [CWE-295] in FortiOS may allow a network-adjacent, unauthenticated attacker to man-in-the-middle the communication between the FortiGate and some peers, such as private SDNs and external cloud platforms.
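The weakness class described above (CWE-295: a TLS client that does not validate the peer's certificate chain or hostname) can be illustrated outside of FortiOS. The following Python snippet is an added example, not Fortinet code and not FortiOS's implementation; it builds the weak and the correct client configuration side by side and includes a small audit function a defender could run against any `ssl.SSLContext` to flag the same misconfiguration.

```python
import ssl
from typing import List, Optional


def make_client_context(verify_peer: bool = True,
                        ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build a TLS client context for an outbound connection (e.g. to an SDN
    connector or cloud API). verify_peer=False reproduces the CWE-295
    weakness: the peer certificate is accepted without any validation."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify_peer:
        # Order matters: check_hostname must be cleared before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of CWE-295 findings for a client context; empty means
    the chain is validated against trusted CAs and bound to the hostname."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate "
                        "chain is not validated, any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not bound "
                        "to the expected endpoint name, allowing substitution")
    return findings


def connect_verified(host: str, port: int,
                     ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open a verified TLS connection; a chain or hostname mismatch raises
    ssl.SSLCertVerificationError instead of silently succeeding."""
    if audit_context(ctx):
        raise ValueError("refusing to connect with a non-verifying context")
    sock = ssl.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("strict:", audit_context(make_client_context()))
    print("weak:  ", audit_context(make_client_context(verify_peer=False)))
```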

Affected Products

FortiOS version 6.0.0 through 6.0.14
FortiOS version 6.2.0 through 6.2.10
FortiOS version 6.4.0 through 6.4.8
FortiOS version 7.0.0

Solutions

Please upgrade to FortiOS version 7.0.1 or above.
Please upgrade to FortiOS version 6.4.9 or above.

Timeline

2022-05-03: Initial publication