CVE-2023-36554: 
Fortinet FortiManager vulnerability analysis and mitigation

A critical improper access control vulnerability (CVE-2023-36554) was discovered in Fortinet FortiManager's FortiWLM MEA component. The vulnerability affects multiple versions including FortiManager 7.4.0, versions 7.2.0 through 7.2.3, versions 7.0.0 through 7.0.10, versions 6.4.0 through 6.4.13, and all versions of 6.2. The issue was internally discovered by Gwendal Guégniaud of Fortinet Product Security team and was publicly disclosed on March 12, 2024 (Fortinet Advisory).

The vulnerability is classified as an improper access control issue (CWE-284) that exists in the FortiWLM MEA component of FortiManager. The vulnerability received a CVSS v3.1 base score of 9.8 (Critical) from NVD and 8.1 (High) from Fortinet. The vulnerability allows an unauthenticated remote attacker to execute unauthorized code or commands through specially crafted HTTP requests. It's important to note that FortiWLM MEA is not installed by default on FortiManager (NVD, Fortinet Advisory).

If exploited, this vulnerability allows attackers to execute unauthorized code or commands on affected FortiManager systems. Given the critical CVSS score and the authentication bypass nature of the vulnerability, successful exploitation could lead to complete system compromise (NVD).

Fortinet has released patches for all affected versions. Users are advised to upgrade to the following versions: FortiManager 7.4.1 or above for 7.4.x, 7.2.4 or above for 7.2.x, 7.0.11 or above for 7.0.x, and 6.4.14 or above for 6.4.x. Users of version 6.2 should migrate to a fixed release. As a temporary workaround, since FortiWLM MEA is not installed by default, administrators can disable this component if immediate patching is not possible (Fortinet Advisory).