Fortinet releases updates for its products
Fortinet has released updates for its FortiManager and FortiAnalyzer network management solutions to address a critical vulnerability (CVE-2021-32589). Exploiting the issue allows an attacker to execute arbitrary code with the highest privileges.
FortiManager and FortiAnalyzer are enterprise-grade network management solutions for environments with up to 100,000 devices. Organizations can use the products to manage the deployment and configuration of devices on the network as well as to collect and analyze the generated logs to identify and eliminate threats.
The use-after-free (UAF) vulnerability in the fgfmsd daemon of FortiManager and FortiAnalyzer stems from the program using a section of memory after it has been marked as free. Sending a specially crafted request to the FGFM port of a device could allow a remote, unauthenticated attacker to execute unauthorized code as root.
More information on the vulnerability and the updates is available in Fortinet security advisory FG-IR-21-067.
Source: securitylab.ru
28 July 2021