PSIRT Advisory

FortiWLM upgrade user account hard-coded credentials

Summary

FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. An attacker who obtained the upgrade account credentials could transfer files to any attached or previously attached controller as an admin user, which opens the way to further compromise.
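The weakness described above is a fixed service-account password baked into the product, shared by every installation. The following is an added illustration, not Fortinet's code and not a description of FortiWLM internals: it contrasts a credential shipped as a string literal with a per-installation secret stored in a file only the service can read, and includes a small audit that flags literal credential assignments in source text. The account name "upgrade" comes from the advisory; the password value, the file path, and every function name are constructed placeholders.

```python
import os
import re
import secrets
import stat
import tempfile
from pathlib import Path

# --- The pattern the advisory describes: a fixed service-account password in the code ---
# Every installation shares it, so anyone who extracts it from one image can
# authenticate to any controller that accepts that account.
UPGRADE_USER = "upgrade"                       # account name as given in the advisory
UPGRADE_PASSWORD = "fixed-build-password"      # constructed placeholder, not a real value


def vulnerable_credentials() -> tuple[str, str]:
    """Returns the same credential on every system; this is the weak design."""
    return UPGRADE_USER, UPGRADE_PASSWORD


# --- Hardened pattern: a per-installation secret in a file only the service can read ---
def provision_service_credential(path: Path) -> str:
    """Generate a random secret for this installation and store it with mode 0600."""
    secret = secrets.token_urlsafe(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    return secret


def load_service_credential(path: Path) -> str:
    """Read the secret back, refusing files that other users could read or change."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible (mode {oct(mode)})")
    secret = path.read_text().strip()
    if len(secret) < 16:
        raise ValueError("service credential is too short to be a generated secret")
    return secret


def demo_credential_store() -> dict:
    """Round-trip a secret through a temp dir and show the permission check firing."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "upgrade.cred"   # hypothetical path, not FortiWLM's
        written = provision_service_credential(path)
        loaded_ok = load_service_credential(path) == written
        os.chmod(path, 0o644)               # simulate a sloppy deployment
        try:
            load_service_credential(path)
            rejected = False
        except PermissionError:
            rejected = True
    return {"loaded_ok": loaded_ok, "rejected_loose_perms": rejected}


# --- Audit: flag string-literal credentials assigned in source text ---
HARDCODED_RE = re.compile(
    r"""(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*["']([^"']{4,})["']"""
)


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line number, matched keyword) for each literal credential found."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = HARDCODED_RE.search(line)
        if m:
            hits.append((lineno, m.group(1).lower()))
    return hits


# Constructed sample source for the audit; only the literal password should be flagged.
SAMPLE_SOURCE = "\n".join([
    'host = "controller.example.invalid"',
    'UPGRADE_USER = "upgrade"',
    'UPGRADE_PASSWORD = "fixed-build-password"',
    'api_key = os.environ["UPGRADE_API_KEY"]',
])

if __name__ == "__main__":
    print(find_hardcoded_secrets(SAMPLE_SOURCE))   # [(3, 'password')]
    print(demo_credential_store())
```

The audit is deliberately simple (a regex over assignments with a quoted literal) and is meant as a build-time gate, not a replacement for a full secrets scanner; the point is that a credential the product generates at install time and stores with restrictive permissions cannot be recovered from one unit and reused against every other.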

Impact

Hard-coded credentials

Affected Products

FortiWLM version 8.3.0 and lower.

Solutions

Upgrade to FortiWLM version 8.3.1.

Acknowledgement

Fortinet is pleased to thank Adam Piekarzewski of the University of Toronto for reporting this vulnerability under responsible disclosure.