An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
The attacker sends a crafted SAML response message that is not properly verified for cryptographic signature by vulnerable versions of FortiWeb. Since FortiWeb accepts an unsigned or improperly signed SAML response, the attacker can impersonate any user, including an administrator, and gain access to the management panel without knowledge of authentication credentials. The attack requires no privileges or user interaction, and the network vector means it can be conducted remotely.
An unauthenticated attacker can gain full control over the FortiWeb management interface, potentially resulting in configuration disclosure, modification of WAF security rules, and threats to the availability of protected infrastructure.
Apply patches available from the vendor according to the references (https://fortiguard.fortinet.com/psirt/FG-IR-25-647). Until the update is applied, it is recommended to restrict access to the management interface and disable authentication via FortiCloud SSO if not essential.
Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 – 7.6.4, FortiWeb 7.4.0 – 7.4.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFortinet Fortiweb
APPFortinet8.0.07.4.0 – 7.4.97.6.0 – 7.6.4
Related vulnerabilities
Fortinet – Auth Bypass przez FortiCloud SSO w wielu produktach
Path Traversal w Fortinet FortiWeb umożliwiający zdalne wykonanie poleceń
Krytyczna podatność SQL Injection w Fortinet FortiWeb — obejście uwierzytelnienia
Buffer Underflow w interfejsie administracyjnym Fortinet FortiOS / FortiProxy — RCE bez uwierzytelnienia
A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 al...