Improper Access Control in FortiToken Mobile by Fortinet
CVE-2021-44166

4.1 MEDIUM

Key Information:

Vendor:
Fortinet
CVE Published:
2 March 2022

What is CVE-2021-44166?

An improper access control vulnerability exists in FortiToken Mobile for Android, affecting versions 5.1.0 and below. A remote attacker who has already obtained a user's password can bypass the 2FA step: the protected system can still be accessed even when the legitimate user presses the deny button on the authentication prompt. In effect, the user's deny decision is not enforced, which undermines the second factor that the push-based approval is meant to provide.

Affected Version(s)

Fortinet FortiTokenAndroid 5.1.0 and below

CVSS V3.1

Score: 4.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
