FortiGate
kvimaladevi
Staff
Article Id 248436

Description


This article explains how a non-admin user with physical access to the device could use the built-in maintainer account to gain unauthorized access to the firewall, and how to prevent this in FortiGate versions before 7.2.4.


Scope


Versions before 7.2.4.


Solution


Situations may arise where local users on the network have physical access to the firewall even though they are not admin users. If such a user has the device's serial number and console access, the maintainer account lets them reset the admin password and gain access to the firewall.


See the following document for instructions on how to disable the maintainer account:


https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/907853/disable-the-maint...


Note: Starting with FortiOS 7.2.4, the maintainer account is removed by default.
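As an added example (not Fortinet's code and not part of this article), the following Python script audits a FortiOS configuration backup for the maintainer account before a device is deployed. It assumes the CLI keyword `admin-maintainer` under `config system global` is the setting the linked hardening guide disables, applies the article's 7.2.4 default, and reports backups that still leave the account present; the sample backup is constructed.

```python
import re
# Constructed FortiOS backup excerpt (not a real device dump); the header line
# follows the "#config-version=<model>-<major>.<minor>.<patch>-..." layout.
SAMPLE_CONFIG = """#config-version=FGT60F-7.0.12-FW-build0523-230425:opmode=nat:vdom=0:user=admin
config system global
    set hostname "edge-fw-01"
    set admin-maintainer disable
    set timezone 04
end
config system admin
    edit "admin"
    next
end
"""

VERSION_RE = re.compile(r"^#config-version=\w+-(\d+)\.(\d+)\.(\d+)-")

def parse_version(config):
    """Return (major, minor, patch) from the backup header, or None if absent."""
    m = VERSION_RE.match(config.splitlines()[0]) if config else None
    return tuple(int(x) for x in m.groups()) if m else None

def global_settings(config):
    """Collect the stripped lines between 'config system global' and its 'end'."""
    found, inside = [], False
    for line in config.splitlines():
        s = line.strip()
        if s == "config system global":
            inside = True
        elif inside and s == "end":
            break
        elif inside:
            found.append(s)
    return found

def maintainer_status(config):
    """Return (maintainer_enabled, reason). An explicit admin-maintainer line wins;
    otherwise the default follows the article: present before 7.2.4, removed after."""
    for s in global_settings(config):
        if s == "set admin-maintainer disable":
            return (False, "explicitly disabled")
        if s == "set admin-maintainer enable":
            return (True, "explicitly enabled")
    ver = parse_version(config)
    if ver is None:  # no header: assume the older, riskier default
        return (True, "no version header; assuming pre-7.2.4 default")
    if ver >= (7, 2, 4):
        return (False, "default on 7.2.4 and later")
    return (True, "default before 7.2.4")
```

Run it over each exported backup; any result whose first element is `True` identifies a device that still needs the setting from the hardening guide applied (or an upgrade to 7.2.4 or later).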


See the following article to reset a lost admin password:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Resetting-a-lost-Admin-password/ta-p/19704...