Security News > 2021 > July > Fortinet fixes bug letting unauthenticated hackers run code as root
Fortinet has released updates for its FortiManager and FortiAnalyzer network management solutions to fix a serious vulnerability that could be exploited to execute arbitrary code with the highest privileges.
Both FortiManager and FortiAnalyzer are enterprise-grade network management solutions for environments with up to 100,000 devices.
They are available as a physical appliance, as a virtual machine, in the cloud, or hosted by Fortinet.
Fortinet has published a security advisory for the issue, which is currently tracked as CVE-2021-32589, saying that it is a use-after-free vulnerability in FortiManager and FortiAnalyzer fgfmsd daemon.
Fortinet says that sending a specially crafted request to the "FGFM" port of a target device "May allow a remote, non-authenticated attacker to execute unauthorized code as root."
Credited for finding and responsibly reporting the vulnerability to Fortinet is Cyrille Chatras, a reverse engineer and pentester from Orange group that previously discovered and reported bugs in products from Nokia, Juniper, Red Hat, and in open-source Android [1, 2, 3, 4]. CISA has also published an advisory encouraging users and administrators to review the vulnerability information from Fortinet and apply the updates.