Authentication bypass and remote code execution as root Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-077 Final 1 1 2021-08-03T00:00:00 Current version 2021-08-03T00:00:00 2021-08-03T00:00:00 A use of hard-coded credentials (CWE-798) vulnerability in FortiPortal may allow a remote and unauthenticated attacker to execute unauthorized commands as root by uploading and deploying malicious web application archive files using the default hard-coded Tomcat Manager username and password. Execute unauthorized code or commands FortiPortal versions 5.2.5 and below. FortiPortal versions 5.3.5 and below.FortiPortal versions 6.0.4 and below. FortiPortal 5.0.x FortiPortal 5.1.x Please upgrade to FortiPortal version 5.2.6 or above. Please upgrade to FortiPortal version 5.3.6 or above.Please upgrade to FortiPortal version 6.0.5 or above. Fortinet is pleased to thank Ben Knight, CyberCX New Zealand for bringing this issue to our attention under responsible disclosure. CVE-2021-32588 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-21-077 Authentication bypass and remote code execution as root Reference>