Fortinet plugs RCE hole in FortiManager and FortiAnalyzer (CVE-2021-32589)

A vulnerability (CVE-2021-32589) in FortiManager and FortiAnalyzer could be exploited by remote, non-authenticated attackers to execute unauthorized / malicious code as root, Fortinet has warned.
The vulnerability affects the solutions’ fgfmsd daemon, and could be triggered by sending a specially crafted request to the fgfm port of a vulnerable device.

Fortinet has provided security updates to fix the flaw, as well as workarounds if updating is impossible.

About FortiManager and FortiAnalyzer

FortiManager is an operations tool that provides organizations with centralized management of their Fortinet devices and is used to – among other things – “control the deployment of security policies, FortiGuard content security updates, firmware revisions, and individual configurations for thousands of FortiOS-enabled devices.”

FortiAnalyzer is a security analysis tool that allows NOC and SOC analysts insight into security threats and required mitigation / remediation actions.

About CVE-2021-32589

Discovered by Cyrille Chatras of Orange Group, CVE-2021-32589 is a use-after-free vulnerability that could lead to a program crash.

No additional details have been shared by the company at this time. Despite potentially allowing remote code execution, the vulnerability has received an overall CVSS score of 7.7, partly because the complexity of attacks aimed at exploiting it is deemed to be high.

There is no indication this flaw is being actively exploited in the wild. Still, attackers have been known to exploit flaws in various Fortinet solutions in the past.

Enterprise admins are therefore advised to peruse the security advisory and check whether they need to update any devices.

As Fortinet notes, FGFM is disabled by default on FortiAnalyzer and can only be enabled on specific hardware models. A simple workaround (for FortiAnalyzer units) pointed out by the company consists of disabling FortiManager features.
