There seems to be a vulnerarbility in some FortiMail versions, that allow an unauthenticated remote attacker to access the system by requesting a password change. Please refer to the FortiGuard PSIRT article.
The problem here is not only the unauthorized access to the system, but also the change of the password of all configured administrative accounts. Also, the maintainer functionality to reset the administrator password over a serial console of the FortiMail is being disabled from the attacker.
Unfortunately we do not have further information about this vulnerability, but we assume that there already has been some successful attacks based on this vulnerarbility.
Therefore please make sure, that you are updating your FortiMail to one of the following patch levels if not already done:
- 5.4.11 or above
- 6.0.8 or above
- (FortiMail versions 5.3 and lower are not impacted by this vulnerability)
Update: Fortinet has released a KB article with further information. It seems that the vulnerability can be exploited, if the admin web access is enabled on public facing networks. The Webmail user interface cannot be used for this exploit.
If you have been running an exploitable version, please take some time for some security measurements:
- make sure that there is no unknown admin user on your Fortimail
- delete all admin user that are not needed anymore
- consider changing passwords for all admin accounts
- if possible configure trusted hosts
- doublecheck the bcc configuration in your AntiSpam profiles
- doublecheck the email addresses in any notify and action profiles and the report settings
- make sure that no additional archive accounts have been created and doublecheck the existing ones