VYPR
Published Mar 10, 2026 · Updated May 20, 2026 · 1 source

Format String Vulnerability in FortiAnalyzer and FortiManager fazsvcd Daemon Allows Remote Code Execution

Fortinet disclosed a format string vulnerability in the fazsvcd daemon affecting FortiAnalyzer and FortiManager, allowing remote privileged attackers to execute arbitrary code.

Fortinet has disclosed a format string vulnerability (CWE-134) in the fazsvcd daemon affecting multiple versions of FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, and FortiManager Cloud. Tracked as FG-IR-26-092 with a CVSS score of 6.5 (medium), the flaw allows a remote attacker who holds an admin profile to execute arbitrary code or commands via specially crafted requests. No CVE-ID was assigned in the advisory, but the vendor has released patches for all affected versions.

The vulnerability resides in the fazsvcd daemon, a core component of Fortinet's centralized management and logging platforms. The issue is use of an externally-controlled format string: data the requester controls is passed as the format argument of a printf-family function instead of as a parameter to a fixed format. The function then interprets any directives in that data. Directives such as %x and %p leak words from the stack, %s dereferences them, and %n writes the number of bytes emitted so far to an address the attacker has positioned among the arguments. That write primitive is what turns a format string bug from an information leak into arbitrary code execution, which is the outcome the advisory describes for an attacker with admin-level access.

Affected products include FortiAnalyzer 7.6.0 through 7.6.4, 7.4.0 through 7.4.7, and all versions of 7.2 and 7.0; FortiAnalyzer Cloud in the same version ranges; FortiManager 7.6.0 through 7.6.4, 7.4.0 through 7.4.7, and all versions of 7.2 and 7.0; and FortiManager Cloud in the same version ranges. The vulnerability requires an authenticated admin profile, which limits the pool of attackers to holders of admin credentials, including anyone who has stolen them. Because these platforms hold the configuration and logs of every managed FortiGate, arbitrary code execution on them is a serious concern for organizations using these platforms.

Fortinet has provided specific upgrade paths: FortiAnalyzer and FortiManager 7.6 users should upgrade to 7.6.5 or above; 7.4 users to 7.4.8 or above; and users on 7.2 or 7.0 must migrate to a fixed release. FortiAnalyzer Cloud and FortiManager Cloud follow the same version requirements. The vulnerability was internally discovered and reported by David Maciejak of the Fortinet Product Security team.

No evidence of active exploitation has been reported at the time of disclosure, but administrators are urged to apply patches promptly: the CVSS score is moderate only because an admin profile is required, and successful exploitation yields code execution on the system that manages and logs for the rest of the Fortinet estate. Until the upgrade lands, the prerequisite itself is the mitigation: review which accounts hold admin profiles on these systems and keep their management interfaces off untrusted networks. Format string vulnerabilities, while less common than buffer overflows, can be equally dangerous when exploited, allowing attackers to read or write arbitrary memory locations.

This disclosure adds to a series of recent Fortinet advisories, including a critical out-of-bounds write vulnerability in FortiOS CAPWAP daemon and SQL injection flaws in FortiMail and FortiNDR. The company continues to emphasize the importance of timely patching for its enterprise security products, which are widely deployed in government and corporate networks.

Organizations running affected versions should prioritize upgrading to the fixed releases listed in the advisory. As with all format string vulnerabilities, the root cause is passing data as the format argument; the fix is a fixed literal format with the data supplied as a parameter (printf("%s", data) rather than printf(data)), and compiler diagnostics such as GCC's and Clang's -Wformat-security flag the pattern at build time.
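To make the CWE-134 mechanism described above concrete, here is an added example that is not code from the advisory or from Fortinet: a vulnerable render function that uses caller data as the format string, the hardened form beside it, and a pre-check that rejects data containing conversion directives. The sample request field is constructed for the demo and contains a doubled "%%" so that both paths stay deterministic (a lone "%%" consumes no variadic argument, so the vulnerable path does not read past the stack). The function names and the field text are illustrative assumptions, not anything from fazsvcd.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample field an admin-level requester could control.
 * "%%" is chosen so the vulnerable path is well-defined for the demo;
 * a real attacker would send "%x", "%s" or "%n" sequences instead. */
#define SAMPLE_FIELD "backup-job 100%% complete"

/* The compiler already flags the bug below with -Wformat-security.
 * The pragma exists only so this demo builds under -Werror; in real
 * code the warning is the finding and should be fixed, not silenced. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable pattern (CWE-134): the caller's data IS the format string.
 * snprintf parses every '%' directive in it: "%x" leaks stack words,
 * "%s" dereferences them, and "%n" writes the byte count emitted so far
 * to an attacker-positioned pointer, which is the write primitive that
 * leads to code execution. */
int vulnerable_render(char *out, size_t outsz, const char *field)
{
    return snprintf(out, outsz, field);   /* data used as the format */
}

/* Hardened form: a fixed literal format; the data is an argument, so
 * every '%' in it is copied verbatim and never interpreted. */
int safe_render(char *out, size_t outsz, const char *field)
{
    return snprintf(out, outsz, "%s", field);
}

/* Defensive pre-check for a field that must never reach a format
 * argument: true if it contains a conversion directive. A doubled "%%"
 * is a literal percent sign and is not counted; a trailing lone '%' is
 * flagged because printf treats it as malformed. This check is a
 * second line of defense; the literal format above is the real fix. */
bool has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": literal percent, skip both */
            p++;
            continue;
        }
        return true;            /* "%d", "%s", "%n", "%08x", trailing "%" */
    }
    return false;
}

int main(void)
{
    char buf[128];

    vulnerable_render(buf, sizeof buf, SAMPLE_FIELD);
    printf("vulnerable: %s\n", buf);   /* "%%" collapsed: input was parsed as a format */

    safe_render(buf, sizeof buf, SAMPLE_FIELD);
    printf("safe:       %s\n", buf);   /* "%%" preserved: input was treated as data */

    printf("directive in \"%%08x.%%08x.%%n\"? %s\n",
           has_format_directive("%08x.%08x.%n") ? "yes" : "no");
    return 0;
}
```

The contrast is visible in the output: the vulnerable path turns "100%%" into "100%", proving the request field was parsed as a format, while the safe path leaves it untouched. Run with a field such as "%08x.%08x.%n" only under a debugger; outside this demo's deliberately harmless input, the vulnerable function reads and writes memory it was never given.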

Synthesized by Vypr AI