PT-2022-12006 · Fortinet · FortiToken Mobile

Published: 2022-03-02 · Updated: 2022-03-11 · CVE-2021-44166

CVSS v3.1: 4.1 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
FortiToken Mobile (Android) versions 5.1.0 and below

Description
An improper access control issue in the external push notification feature may allow a remote attacker who already holds a user's password to complete the 2FA step and access the protected system, even if the legitimate user presses the Deny button on the push prompt. The attacker must already possess the password, so the flaw reduces push-based 2FA to single-factor authentication for that account rather than bypassing the password itself; this is reflected in the vector's PR:L (attacker already authenticated with the first factor) and UI:R (the legitimate user interacts with the prompt).

Recommendations
For versions 5.1.0 and below, update to a version above 5.1.0 to resolve the issue. If updating is not immediately possible, consider restricting use of the external push notification feature as a temporary workaround.
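The following is an added illustration of the vulnerability class described above; it is not FortiToken's code and does not claim to reproduce Fortinet's actual root cause, which the advisory does not state. It models a hypothetical push-approval verifier that fails open by treating any answer to a pending challenge as a completed second factor (so a Deny still grants access), next to a fail-closed verifier that grants only on an explicit Approve authenticated by the enrolled device and bound to a single-use, expiring challenge. The response format (HMAC-SHA256 over "<challenge_id>:<action>"), the in-memory key store, the user name and all function names are assumptions.

```python
"""Hypothetical push-approval 2FA verifier (illustration only, not FortiToken code).

vulnerable_decide reproduces the class of bug in the advisory: any answer to a
pending push challenge counts as success, so the user's Deny verdict is ignored.
hardened_decide grants only on an explicit, device-authenticated Approve bound to
a single-use, expiring challenge. Response format, key store and names are assumed.
"""
import hashlib
import hmac
import secrets
import time


class PushChallengeStore:
    """Outstanding push challenges, keyed by challenge id, one per login attempt."""

    def __init__(self, timeout_s=60):
        self.timeout_s = timeout_s
        self._pending = {}  # challenge_id -> (username, issued_at)

    def issue(self, username, now=None):
        cid = secrets.token_hex(16)
        self._pending[cid] = (username, time.time() if now is None else now)
        return cid

    def take(self, cid, now=None):
        """Consume a challenge (single use). Returns the username, or None if unknown or expired."""
        entry = self._pending.pop(cid, None)
        if entry is None:
            return None
        username, issued_at = entry
        now = time.time() if now is None else now
        if now - issued_at > self.timeout_s:
            return None
        return username


def device_sign(device_key, cid, action):
    """MAC the enrolled app attaches to its answer (assumed format: HMAC-SHA256 over 'cid:action')."""
    msg = "{}:{}".format(cid, action).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def vulnerable_decide(store, cid, response, now=None):
    """Fail-open: a pending challenge that received *any* answer counts as success.
    response["action"] is never consulted, so a Deny grants access."""
    return store.take(cid, now) is not None


def hardened_decide(store, device_keys, cid, response, now=None):
    """Fail-closed: grant only on an explicit Approve whose MAC verifies under the key
    enrolled for the user who owns this challenge; the challenge is unused and unexpired."""
    username = store.take(cid, now)
    if username is None:
        return False
    if response.get("action") != "approve":
        return False
    key = device_keys.get(username)
    if key is None:
        return False
    expected = device_sign(key, cid, "approve")
    return hmac.compare_digest(expected, response.get("mac", ""))


def demo():
    """Run the scenarios and return each access decision (True = access granted)."""
    device_keys = {"alice": secrets.token_bytes(32)}  # constructed enrollment, not real data
    results = {}
    t0 = 1_000_000.0

    # 1. Attacker has the password; alice presses Deny. The fail-open server still grants.
    store = PushChallengeStore()
    cid = store.issue("alice", now=t0)
    deny = {"action": "deny", "mac": device_sign(device_keys["alice"], cid, "deny")}
    results["vulnerable_grants_on_deny"] = vulnerable_decide(store, cid, deny, now=t0 + 5)

    # 2. The same Deny against the fail-closed server.
    store = PushChallengeStore()
    cid = store.issue("alice", now=t0)
    deny = {"action": "deny", "mac": device_sign(device_keys["alice"], cid, "deny")}
    results["hardened_grants_on_deny"] = hardened_decide(store, device_keys, cid, deny, now=t0 + 5)

    # 3. Genuine Approve from the enrolled device, then 4. a replay of that same Approve.
    store = PushChallengeStore()
    cid = store.issue("alice", now=t0)
    approve = {"action": "approve", "mac": device_sign(device_keys["alice"], cid, "approve")}
    results["hardened_grants_on_approve"] = hardened_decide(store, device_keys, cid, approve, now=t0 + 5)
    results["hardened_grants_on_replay"] = hardened_decide(store, device_keys, cid, approve, now=t0 + 6)

    # 5. Attacker forges an Approve without the device key.
    store = PushChallengeStore()
    cid = store.issue("alice", now=t0)
    forged = {"action": "approve", "mac": "00" * 32}
    results["hardened_grants_on_forged_approve"] = hardened_decide(store, device_keys, cid, forged, now=t0 + 5)

    # 6. Valid Approve that arrives after the challenge expired.
    store = PushChallengeStore(timeout_s=60)
    cid = store.issue("alice", now=t0)
    late = {"action": "approve", "mac": device_sign(device_keys["alice"], cid, "approve")}
    results["hardened_grants_on_expired_approve"] = hardened_decide(store, device_keys, cid, late, now=t0 + 61)

    return results


if __name__ == "__main__":
    for name, granted in demo().items():
        print("{:36s} {}".format(name, "GRANTED" if granted else "denied"))
```

The design point is that the server-side decision must be derived only from a positive, authenticated Approve tied to one specific challenge; any path that infers success from "the device answered", from the absence of a Deny, or from a client-reported status field reproduces the behaviour the advisory describes. The single-use and expiry checks are there so that a captured Approve cannot be replayed against a later login attempt.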


Related Identifiers
CVE-2021-44166

Affected Products
FortiToken Mobile