Fortinet Patches Remote Code Execution Vulnerability in FortiManager, FortiAnalyzer
2021-07-21 08:47

Fortinet on Monday announced the availability of patches for a vulnerability in both FortiManager and FortiAnalyzer that could allow an attacker to execute code with root privileges.

While FortiManager delivers full administration capabilities, FortiAnalyzer provides log management, analytics and reporting capabilities.

Tracked as CVE-2021-32589, the newly addressed vulnerability is a use-after-free bug that affects the fgfmsd daemon in FortiManager and FortiAnalyzer.

Users can enable it on specific hardware models, including 1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, and 3900E. Customers are advised to update to FortiManager and FortiAnalyzer versions 5.6.11, 6.0.11, 6.2.8, 6.4.6, and 7.0.1 or later, which include patches for the flaw.
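The fixed releases listed above apply per release branch, so a single "is my version higher than X" comparison gives wrong answers (6.2.7 is higher than 6.0.11 but still unpatched). The following is an added example, not code from Fortinet or SecurityWeek, that triages an inventory against those versions. The host names and inventory are constructed, and treating branches newer than 7.0 as patched is an assumption drawn from "or later".

```python
# Minimum patched patch-level per branch, taken from the versions named in the article.
FIXED = {(5, 6): 11, (6, 0): 11, (6, 2): 8, (6, 4): 6, (7, 0): 1}


def parse(version):
    """Turn 'v6.2.7' or '6.2.7' into (6, 2, 7); reject anything else."""
    parts = version.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {version!r}")
    return tuple(int(p) for p in parts)


def status(version):
    """Classify one FortiManager/FortiAnalyzer version for CVE-2021-32589."""
    major, minor, patch = parse(version)
    branch = (major, minor)
    if branch in FIXED:
        # Compare only within the same branch.
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        # Assumption: branches released after 7.0 already carry the fix.
        return "patched"
    # Branch is not named in the article, so no claim is made.
    return "unknown"


def triage(inventory):
    """Map each host to its status; unparseable versions need manual review."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = status(version)
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (host names and versions are illustrative).
INVENTORY = [
    ("fmg-core-01", "6.0.12"),   # above the 6.0 fix level
    ("faz-dc-02", "6.2.7"),      # higher than 6.0.11, but below the 6.2 fix
    ("faz-dc-03", "7.0.0"),
    ("fmg-old-04", "5.4.6"),     # branch not covered by the article
    ("faz-lab-05", "6.4.x"),
]

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host:12} {state}")
```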

As a workaround, administrators can disable the FortiManager features on the FortiAnalyzer unit, Fortinet says.

"The security of our customers is our first priority. We have issued a patch and mitigations and we are proactively communicating to customers, strongly urging them to immediately update their FortiManager and FortiAnalyzer products. Additionally, we recommend that customers validate their configuration to ensure that no unauthorized changes had been implemented by a malicious third party," Fortinet told SecurityWeek.


News URL

http://feedproxy.google.com/~r/securityweek/~3/XCm1F0FgsUY/fortinet-patches-remote-code-execution-vulnerability-fortimanager-fortianalyzer

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Fortinet 76 15 312 265 80 672