Impact
An improper access control vulnerability (CWE-284) in Fortinet FortiAuthenticator appliances affects versions 8.0.0, 8.0.2, 6.6.0 through 6.6.8, and 6.5.0 through 6.5.6. An attacker who sends crafted requests can execute unauthorized code or commands. Because the flaw yields remote code execution on the appliance with the privileges of the management service, it compromises confidentiality, integrity, and availability.
Affected Systems
Systems running FortiAuthenticator 8.0.0, 8.0.2, 6.6.0 through 6.6.8, or 6.5.0 through 6.5.6 are affected, as are earlier 6.4.x and older branches that predate the fixed builds named below. The vendor recommends upgrading to FortiAuthenticator 8.0.3 or later, or to 6.6.9, 6.5.7, 6.4.11, or 6.3.5, whichever fixed release matches the branch in use. Before upgrading, record the exact running version (including the build number) so that the appliance can be matched against these ranges rather than judged by major version alone.
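A triage helper for a fleet of FortiAuthenticator appliances, added here as an example and not part of the OpenCVE page or of Fortinet's advisory. It encodes the version ranges and fixed releases stated above and reports, for each inventory entry, whether the running version is listed as affected, assumed affected, already fixed, or not covered by this advisory. The sample inventory is constructed; the lower bounds for the 6.4.x and 6.3.x branches and the status of 8.0.1 are assumptions (the advisory gives no lower bound for those branches and does not name 8.0.1), and the code labels such hits separately so they can be reviewed rather than silently treated as confirmed.

```python
"""Added example, not from the OpenCVE page or from Fortinet: triage FortiAuthenticator
version strings against the affected and fixed releases stated in this advisory."""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by the (major, minor) branch they belong to.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (8, 0): (8, 0, 3),
    (6, 6): (6, 6, 9),
    (6, 5): (6, 5, 7),
    (6, 4): (6, 4, 11),
    (6, 3): (6, 3, 5),
}

# Affected releases the advisory names explicitly (inclusive ranges).
EXPLICIT_AFFECTED: List[Tuple[Version, Version]] = [
    ((8, 0, 0), (8, 0, 0)),
    ((8, 0, 2), (8, 0, 2)),
    ((6, 6, 0), (6, 6, 8)),
    ((6, 5, 0), (6, 5, 6)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch', tolerating a build suffix such as '6.6.3-build0321'."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiAuthenticator version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def triage(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_target).

    status is one of:
      'affected'          - release explicitly listed as vulnerable in the advisory
      'assumed affected'  - below the fixed build of a named branch but not listed
                            (ASSUMPTION: 8.0.1 and the 6.4.x / 6.3.x lower bounds)
      'fixed'             - at or above the fixed release for its branch
      'not covered'       - a branch the advisory does not mention; review separately
    """
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return "not covered", None
    if v >= fixed:
        return "fixed", None
    if any(lo <= v <= hi for lo, hi in EXPLICIT_AFFECTED):
        return "affected", fmt(fixed)
    # Not explicitly listed, but below the fixed build of a named branch. Treated as
    # affected to match the vendor's "upgrade to X or higher" wording; flagged separately.
    return "assumed affected", fmt(fixed)


def triage_inventory(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by triage status for a list of (hostname, version) pairs."""
    out: Dict[str, List[str]] = {}
    for host, version in rows:
        try:
            status, target = triage(version)
        except ValueError:
            status, target = "unparseable", None
        label = host if target is None else f"{host} -> {target}"
        out.setdefault(status, []).append(label)
    return out


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("fac-hq-01", "6.6.3-build0321"),
    ("fac-hq-02", "6.6.9"),
    ("fac-lab", "8.0.1"),
    ("fac-dr", "6.4.7"),
    ("fac-old", "7.0.4"),
    ("fac-typo", "6.6"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Feed `triage_inventory` the (hostname, version) pairs exported from whatever asset register holds the appliances; anything reported as "not covered" or "unparseable" needs a manual look rather than being read as safe.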
Risk and Exploitability
The CVSS base score of 9.1 places this vulnerability in the Critical band (9.0 to 10.0), while the EPSS score of less than 1% indicates a low but nonzero estimated probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Neither figure lowers the impact: EPSS and KEV reflect exploitation activity observed at scoring time and can change once a proof of concept circulates, so patch priority should follow the severity and the exposure of the appliance. Based on the description, it is inferred that an attacker needs network access to the FortiAuthenticator appliance and can exploit unauthenticated or low-privileged API calls or web interface endpoints; the description here does not identify the vulnerable endpoints. Successful exploitation would grant the attacker full control of the appliance, and because FortiAuthenticator brokers authentication for other systems, that control can be leveraged for lateral movement or to compromise the devices and identities that trust it. Until the upgrade is applied, restricting reachability of the appliance's administrative and API interfaces to trusted management networks reduces exposure.
OpenCVE Enrichment