FortiLink lack of certificate validation


An improper certificate validation vulnerability [CWE-295] in FortiOS may allow an unauthenticated attacker in a Man-in-the-Middle position to decipher and alter the FortiLink communication channel between the FortiOS device and a FortiSwitch instance.

Version       Affected               Solution
FortiOS 7.4   7.4.0 through 7.4.1    Upgrade to 7.4.2 or above
FortiOS 7.2   7.2.0 through 7.2.6    Upgrade to 7.2.7 or above
FortiOS 7.0   7.0 all versions       Migrate to a fixed release
Follow the recommended upgrade path using our tool at:

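As an added example (not Fortinet's code or tooling), the following Python script encodes the advisory's affected-version table so that a fleet inventory can be triaged against it; the `assess`/`triage` function names and the sample hostnames are assumptions for illustration.

```python
# Added example, not Fortinet's code: decide whether a FortiOS build falls in the
# affected range of this advisory and what the advisory says to do about it.
from typing import Optional, Tuple, Dict

# Transcribed from the advisory's table: branch -> (last affected patch, action).
# None as the last affected patch means every release of that branch is affected.
ADVISORY = {
    (7, 4): (1, "Upgrade to 7.4.2 or above"),
    (7, 2): (6, "Upgrade to 7.2.7 or above"),
    (7, 0): (None, "Migrate to a fixed release"),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'FortiOS 7.4.1', 'v7.2.7' or '7.0.12' into (major, minor, patch)."""
    token = text.strip().split()[-1].lstrip("vV")
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def assess(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, recommended action) for one FortiOS version string."""
    major, minor, patch = parse_version(text)
    entry = ADVISORY.get((major, minor))
    if entry is None:
        return False, None        # branch not listed in this advisory at all
    last_bad, action = entry
    if last_bad is None or patch <= last_bad:
        return True, action
    return False, None            # a fixed build of a listed branch

def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map each device name to its verdict, e.g. to feed a patching queue."""
    return {name: assess(ver) for name, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"fw-edge-01": "FortiOS 7.4.1", "fw-edge-02": "FortiOS 7.4.2",
              "fw-dc-01": "FortiOS 7.2.3", "fw-lab-01": "FortiOS 7.0.14",
              "fw-old-01": "FortiOS 6.4.15"}
    for host, (bad, action) in triage(sample).items():
        print(f"{host}: {'AFFECTED - ' + action if bad else 'not listed as affected'}")
```

A branch the advisory does not list (such as 6.4 in the sample) is reported as "not listed", not as safe, because the page makes no statement about it.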

Fortinet is pleased to thank Christian Hilgers from Indevis for reporting this vulnerability under responsible disclosure.


2024-02-08: Initial publication