RIOT Solutions

Vulnerabilities Found

20 June 2019
Published by Rob Merkwitza, Managing Director


Fortinet FortiCam FCM-MB40 – Multiple Vulnerabilities


In March 2019, Aaron Blair (Cyber Security Analyst, RIOT Solutions) discovered five vulnerabilities in Fortinet's FortiCam FCM-MB40 product.

Part-way through disclosing these vulnerabilities, he discovered that the FCM-MB40 is manufactured by a company called Dynacolor Inc., which sells the product as the "Q2-H".

The FortiCam FCM-MB40 software version in which he found these vulnerabilities, v1.2.0.0, was the latest available at the time (and, at the time of posting this, still is).

Since discovering these vulnerabilities he has been unable to get his hands on a Q2-H that is not branded as Fortinet, so he cannot confirm whether the vulnerabilities below also apply directly to the Q2-H device. That said, he is reasonably confident that the majority of them also affect the Q2-H.

As of the date of publication (2019-06-19), no fix for these issues has been released or announced by Fortinet or Dynacolor.

All five of these vulnerabilities are currently pending CVE assignment, and this page will be updated when they have been assigned.

The first (1), CVE-TBA-1, is an unsanitised-input vulnerability in the FortiCam's admin web interface, resulting in remote command execution as root when authenticated as an administrative user.

The second (2), CVE-TBA-2, is a cross-site request forgery (CSRF) vulnerability: an attacker can trick a browser that is logged in as the "admin" user into sending forged requests that reconfigure the FortiCam in any way the "admin" user can from the web interface.
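To make the CSRF issue concrete, here is an added illustration of the pattern behind it and the check that closes it. This is example code written for this page, not FortiCam or Dynacolor code, and nothing in it is taken from the device: the device address 192.0.2.10, the `/admin/reconfigure` endpoint path, the `ntp_server` parameter, the session value and the server secret are all assumptions made for the example. The vulnerable check trusts the session cookie alone, which the browser attaches to a cross-site form submission just as it does to a legitimate one; the hardened check additionally requires a same-origin `Origin`/`Referer` header and a token bound to the session that an attacker's page cannot read.

```python
"""Generic CSRF guard for a device admin web interface.

Illustration only: this is not FortiCam/Dynacolor code, and the endpoint
path, device address, parameter name and secret below are assumptions made
for the example.
"""
import hashlib
import hmac

# Assumed values (constructed for this example).
DEVICE_ORIGIN = "https://192.0.2.10"          # admin UI origin (RFC 5737 test address)
SERVER_SECRET = b"per-device-secret-generated-at-first-boot"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token bound to the session; the server re-derives it instead of storing it.
    It is embedded in every admin form as a hidden field, so a cross-site page,
    which cannot read the device's responses, cannot obtain it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check_vulnerable(method, headers, cookies, form):
    """The pattern behind most CSRF bugs: a session cookie alone authorises the
    change. The browser attaches that cookie to cross-site requests too."""
    if "session" in cookies:
        return True, "session cookie present"
    return False, "no session"


def csrf_check(method, headers, cookies, form,
               secret: bytes = SERVER_SECRET, device_origin: str = DEVICE_ORIGIN):
    """Hardened check. Safe (read-only) methods pass; anything state-changing
    must come from the device's own origin AND carry the session-bound token."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session"
    # Browsers send Origin on cross-site POSTs; fall back to Referer.
    # A request with neither is rejected: an admin UI can afford to be strict.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if not origin.startswith(device_origin):
        return False, f"cross-site origin: {origin or '<none>'}"
    expected = issue_csrf_token(session_id, secret)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):   # constant-time compare
        return False, "missing or invalid csrf token"
    return True, "ok"


# --- constructed sample traffic -------------------------------------------
SESSION = "s3ss10n-of-logged-in-admin"
COOKIES = {"session": SESSION}   # the browser sends this on every request to the device

# Attacker page (hypothetical endpoint path). When the logged-in admin visits it,
# the browser submits the form to the camera with the admin's cookie attached.
ATTACKER_PAGE = f"""<form id="f" method="POST" action="{DEVICE_ORIGIN}/admin/reconfigure">
  <input type="hidden" name="ntp_server" value="attacker.example">
</form><script>document.getElementById("f").submit()</script>"""

FORGED_REQUEST = dict(
    method="POST",
    headers={"Origin": "https://attacker.example"},   # set by the browser, not the attacker
    cookies=COOKIES,
    form={"ntp_server": "attacker.example"},          # no csrf_token: attacker cannot read it
)

LEGITIMATE_REQUEST = dict(
    method="POST",
    headers={"Origin": DEVICE_ORIGIN},
    cookies=COOKIES,
    form={"ntp_server": "pool.ntp.org", "csrf_token": issue_csrf_token(SESSION)},
)


def run_demo():
    """Return the verdicts both checks give the forged and the legitimate request."""
    return {
        "vulnerable/forged":   csrf_check_vulnerable(**FORGED_REQUEST),
        "hardened/forged":     csrf_check(**FORGED_REQUEST),
        "hardened/legitimate": csrf_check(**LEGITIMATE_REQUEST),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:22s} allowed={allowed} ({reason})")
```

The two defences are deliberately independent: the origin check alone fails on browsers or proxies that strip the headers, and the token alone is only as good as the secret and the comparison, so a device admin interface should apply both to every state-changing request.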

The third (3), CVE-TBA-3, is a hardcoded SSL/TLS key vulnerability.

The fourth (4), CVE-TBA-4, is the insecure (cleartext) storage of administrative password credentials on the device.

The fifth (5), CVE-TBA-5, is a vulnerability whereby the device's "factory reset" function does not fully reset the device.

More information and detail on the five vulnerabilities can be found in Aaron's blog at