
With regard to the firmware upgrade performed by the user "fortigate-tech-support": since the upgrade was not done by you or by Fortinet, we recommend that you clean up the device by following the recommendations below.

1. It is recommended that a clean installation be performed on all compromised FortiOS devices.

• Upgrade/install the FortiGate/FortiProxy to the latest firmware version, 7.0.7 or 7.2.2, which contains the fix for this vulnerability.
• Download the firmware from the Fortinet Support site and validate the file hash using SHA512.
• Format the device's flash and disks to perform a clean install. The procedure for performing a clean install on a FortiGate is explained in the article below.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Loading-FortiGate-firmware-image-using-TFTP/ta-p/197600

2. IMMEDIATELY remove the "fortigate-tech-support" admin account and any other admin accounts that were not created by you; these were most likely created by an attacker. After deletion, verify that no unauthorized FortiGate admin accounts remain in the configuration.

3. Fortinet does not recommend using the existing configuration. Restore the configuration from a known-good backup, or create a clean configuration, validating the content of the configuration file.

4. Change GUI/CLI administrative access to non-default TCP ports (instead of the defaults 22, 80 and 443).

5. Restrict FortiGate/FortiProxy GUI/CLI access to trusted hosts only. Refer to:
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/582009/system-administrator-best-practices
OR
Disable HTTP/HTTPS administrative access on Internet-facing interfaces. Perform administrative tasks over an out-of-band network.
OR
Limit the IP addresses that can reach the administrative interface using local-in policies. Refer to
https://www.fortiguard.com/psirt/FG-IR-22-377

6. Reset all admin and local firewall users' passwords.

7. Change the LDAP user credentials used for FortiGate/FortiProxy LDAP authentication with Active
Directory.

8. Reset RADIUS secrets and IPSEC Pre-Shared Keys.

9. Assuming the configuration of the device is exposed, replace LOCAL certificates and revoke the potentially stolen certificates.

10. Additionally, implement two-factor authentication for admin users.

11. Review and implement other applicable recommendations from the FortiOS hardening guide:
https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/
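The following script is an added example, not part of Fortinet's note above, showing how to check a FortiOS configuration backup against steps 2, 4, 5 and 10 before it is trusted or restored: it flags admin accounts you did not create (step 2), administrative ports left at 22/80/443 (step 4), admin accounts without a trusthost restriction and WAN-role interfaces that allow HTTP/HTTPS/SSH/Telnet administration (step 5), and admin accounts without two-factor authentication (step 10). Both configuration fragments are constructed samples; the allow-list KNOWN_ADMINS and the non-default port numbers in the hardened sample are assumptions. The setting names (admin-port, admin-sport, admin-ssh-port, trusthost1, allowaccess, role, two-factor) are real FortiOS CLI keys; FortiOS omits settings that are at their default from a backup, which is why a missing port key is treated as the default.

```python
"""Audit a FortiOS config backup for unauthorized admins, default admin ports,
missing trusthost restrictions, exposed WAN admin access and missing 2FA."""
import shlex

KNOWN_ADMINS = {"admin"}  # assumption: the only admin account you created yourself
DEFAULT_ADMIN_PORTS = {"admin-port": "80", "admin-sport": "443", "admin-ssh-port": "22"}

# Constructed sample backup: an admin account the operator did not create, default
# admin ports (admin-sport/admin-ssh-port absent = default) and admin access on WAN.
WEAK_CONFIG = """\
config system global
    set admin-port 80
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh http
        set role wan
    next
end
"""

# Constructed sample of the same device after applying the recommendations
# (port numbers are assumed values, chosen only to be non-default).
HARDENED_CONFIG = """\
config system global
    set admin-port 8080
    set admin-sport 8443
    set admin-ssh-port 2222
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
config system interface
    edit "wan1"
        set allowaccess ping
        set role wan
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS CLI syntax into {section: {entry: {key: [values]}}}.
    Settings directly under a 'config' block (no 'edit') are stored under entry None."""
    cfg, stack = {}, []  # stack holds [section_path, current_entry_name]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path = " ".join(args)
            if stack:  # nested table: qualify it with the parent section and entry
                path = f"{stack[-1][0]}/{stack[-1][1]}/{path}"
            cfg.setdefault(path, {})
            stack.append([path, None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            cfg[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
        elif cmd in ("set", "unset"):
            path, entry = stack[-1]
            settings = cfg[path].setdefault(entry, {})
            if cmd == "set":
                settings[args[0]] = args[1:]
            else:
                settings.pop(args[0], None)
    return cfg


def audit_config(cfg, known_admins=KNOWN_ADMINS):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for name, s in cfg.get("system admin", {}).items():  # steps 2, 5 and 10
        if name is None:
            continue
        if name not in known_admins:
            findings.append(f'unknown admin account "{name}"')
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f'admin "{name}" has no trusthost restriction')
        if s.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f'admin "{name}" has no two-factor authentication')
    glob = cfg.get("system global", {}).get(None, {})  # step 4
    for key, default in DEFAULT_ADMIN_PORTS.items():
        if glob.get(key, [default])[0] == default:  # absent key means default value
            findings.append(f"{key} is the default ({default})")
    for name, s in cfg.get("system interface", {}).items():  # step 5
        if name is None:
            continue
        exposed = sorted(set(s.get("allowaccess", [])) & {"http", "https", "ssh", "telnet"})
        if s.get("role", [""])[0] == "wan" and exposed:
            findings.append(f'interface "{name}" (role wan) allows {", ".join(exposed)}')
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {label} ---")
        for finding in audit_config(parse_fortios_config(text)) or ["no findings"]:
            print("  ", finding)
```

Run it against a real backup with `audit_config(parse_fortios_config(open("backup.conf").read()), known_admins={...})` and put only the accounts you created into the allow-list; anything else reported under "unknown admin account" is a candidate for step 2. The check is deliberately conservative: it does not try to judge trusthost ranges or local-in policies, so an empty result means the listed conditions are absent, not that the configuration is clean.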
