Weak authentication mechanism on device registration page


A weak authentication vulnerability [CWE-1390] in FortiNAC device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increased chance of success.

Affected Products

At least
FortiNAC-F version 7.2.0
FortiNAC version 9.4.0 through 9.4.2
FortiNAC 9.2 all versions
FortiNAC 9.1 all versions
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions


Please upgrade to FortiNAC version 9.4.3 or above
Please upgrade to FortiNAC-F version 7.2.1 or above


Fortinet is pleased to thank KPN for bringing this issue to our attention under responsible disclosure.


2023-04-13: Initial publication