Critical password reset vulnerability in Fortinet FortiPortal. Update immediately

Cybersecurity specialists report the detection of a critical vulnerability in FortiPortal, the self-service portal for FortiManager and the hosted security analytics and management system for several of the most popular Fortinet product families. According to the report, successful exploitation of this flaw could result in a severe compromise of the affected system.

Tracked as CVE-2021-36171, the vulnerability stems from a weak pseudorandom number generator in the password reset feature. A remote threat actor could take advantage of it to guess part of a newly generated password, or the entire password, within the validity window set by the affected application.
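The root cause described above is a class of bug rather than a FortiPortal-specific detail, so here is an added illustration (written for this article, not Fortinet's code, and making no claim about how FortiPortal actually generates reset values): a reset token drawn from a seeded, deterministic PRNG is reproducible from its seed, whereas a token drawn from the operating system's CSPRNG via `secrets`, bound to an expiry and consumed on first use, is not. The alphabet, token length and 15-minute lifetime are assumptions.

```python
import hmac
import random
import secrets
import time

# Constructed parameters for the example; not values from the advisory.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
TOKEN_LEN = 12


def weak_reset_token(seed: int) -> str:
    """Anti-pattern: a deterministic PRNG seeded with a low-entropy value.
    The same seed always yields the same token, which is why a seeded PRNG
    must never back a security-sensitive secret."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def strong_reset_token() -> str:
    """Hardened form: secrets draws from the OS entropy source (CSPRNG)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))


class ResetStore:
    """Issues single-use reset tokens that expire after ttl_seconds."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._tokens = {}  # user -> (token, expiry timestamp)

    def issue(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = strong_reset_token()
        self._tokens[user] = (token, now + self.ttl)
        return token

    def verify(self, user: str, presented: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self._tokens.get(user)
        if entry is None:
            return False
        token, expiry = entry
        if now > expiry:            # expired tokens are discarded
            del self._tokens[user]
            return False
        ok = hmac.compare_digest(token, presented)  # constant-time compare
        if ok:
            del self._tokens[user]  # single use: a token cannot be replayed
        return ok
```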

This is a highly severe vulnerability: successful exploitation would allow attackers to gain full access to the vulnerable system. The flaw received a score of 7.1/10 under the Common Vulnerability Scoring System (CVSS).

According to the report, the flaw resides in all versions of Fortinet FortiPortal from v5.2.0 through v6.0.5.

So far no active exploitation attempts related to this report have been detected. However, Fortinet recommends that users of vulnerable FortiPortal versions apply the necessary updates to mitigate the risk of exploitation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.