CVE-2021-32600 Overview
CVE-2021-32600 is an information disclosure vulnerability in the Fortinet FortiOS command-line interface (CLI). The flaw allows a local, authenticated user assigned to a specific Virtual Domain (VDOM) to retrieve configuration information belonging to other VDOMs. Exposed data includes the administrator account list and the network interface list of unrelated VDOMs. The issue affects FortiOS 7.0.0, 6.4.0 through 6.4.6, 6.2.0 through 6.2.9, 6.0.x, and 5.6.x. The weakness is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Authenticated VDOM administrators can enumerate admin accounts and network interfaces across VDOM boundaries, breaking the multi-tenant isolation FortiOS VDOMs are designed to enforce.
Affected Products
- Fortinet FortiOS 7.0.0
- Fortinet FortiOS 6.4.0 through 6.4.6 and 6.2.0 through 6.2.9
- Fortinet FortiOS 6.0.x and 5.6.x
Discovery Timeline
- 2021-11-17 - CVE-2021-32600 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-32600
Vulnerability Analysis
FortiOS supports VDOMs to partition a single physical appliance into multiple logical firewalls. Each VDOM is intended to operate as an isolated administrative boundary with its own administrators, interfaces, and policies. CVE-2021-32600 breaks that boundary at the CLI layer. An administrator scoped to one VDOM can issue CLI commands that return configuration data from other VDOMs on the same device. The disclosed data set is limited but security-relevant: the admin account list and the network interface list. Attackers can use this information to map tenant infrastructure, identify privileged account names for password attacks, and plan lateral movement against adjacent tenants on shared FortiGate hardware.
Root Cause
The vulnerability stems from missing or incomplete authorization checks in the CLI command handlers that read global configuration objects. Instead of filtering results to the caller's assigned VDOM, the affected commands return entries scoped to the entire device. The CVSS vector for the issue records a changed scope, reflecting impact that extends beyond the security boundary the attacker is authorized to operate within.
Attack Vector
Exploitation requires local CLI access and valid credentials for at least one VDOM administrator account. The attacker authenticates to FortiOS, enters the CLI, and executes the affected configuration-read commands. The CLI returns admin account and interface entries belonging to VDOMs the user is not authorized to view. No special tooling, memory corruption, or chained exploit is required. See the FortiGuard Security Advisory FG-IR-20-243 for vendor-confirmed technical details.
Detection Methods for CVE-2021-32600
Indicators of Compromise
- CLI session activity from a VDOM-scoped administrator account immediately followed by enumeration commands against system admin or system interface objects.
- Repeated CLI logins from the same low-privilege VDOM admin correlated with reconnaissance-style command sequences.
- Unexpected administrative access patterns originating from tenants that should not interact with other VDOMs.
Detection Strategies
- Forward FortiOS CLI audit logs and admin command history to a centralized log platform and alert on cross-VDOM read attempts by non-super_admin accounts.
- Baseline the normal command set executed by each VDOM administrator and flag deviations involving global object enumeration.
- Correlate CLI activity with authentication events to identify compromised VDOM admin credentials used to harvest data from adjacent tenants.
Monitoring Recommendations
- Enable verbose admin event logging on every FortiGate running an affected FortiOS branch until patched firmware is deployed.
- Review the output of execute log filter and the admin audit logs weekly for commands that read system admin and system interface from non-super_admin sessions.
- Track FortiOS firmware versions across the fleet and alert when devices remain on versions listed in FG-IR-20-243.
How to Mitigate CVE-2021-32600
Immediate Actions Required
- Inventory all FortiGate appliances and identify devices running FortiOS 7.0.0, 6.4.0–6.4.6, 6.2.0–6.2.9, 6.0.x, or 5.6.x.
- Upgrade affected appliances to a FortiOS release that addresses FG-IR-20-243 as the primary remediation.
- Rotate credentials for VDOM administrators on multi-tenant FortiGates where untrusted tenants share hardware.
- Restrict CLI access to a dedicated management network and enforce multi-factor authentication for all administrator accounts.
Patch Information
Fortinet documents fixed releases in the FortiGuard advisory FG-IR-20-243. Administrators should consult the advisory for the exact target version matching their current FortiOS branch and apply the upgrade through standard FortiGate firmware update procedures.
Workarounds
- Consolidate VDOM administration under trusted super_admin accounts until patched firmware can be deployed.
- Avoid hosting mutually untrusted tenants on the same physical FortiGate while the device runs an affected version.
- Limit CLI reachability with trusted host entries on each administrator account to reduce the population of users able to trigger the flaw.
# Restrict administrator access to specific management hosts
config system admin
    edit "vdom_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set accprofile "prof_admin"
        set vdom "TENANT_A"
    next
end
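To confirm the trusted-host workaround is applied fleet-wide, the exported config system admin section can be audited for VDOM administrators whose CLI access is still reachable from any address. This added example is not from the original page or from Fortinet; the configuration excerpt is constructed, and the check treats a missing trusthost entry as the FortiOS default of 0.0.0.0 0.0.0.0 (any source).

```python
from typing import Dict, List

# Constructed "config system admin" excerpt in FortiOS CLI syntax (example data, not a
# real device export). An account with no trusthost lines keeps the FortiOS default of
# 0.0.0.0 0.0.0.0, meaning the CLI is reachable from any source address.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "vdom_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set accprofile "prof_admin"
        set vdom "TENANT_A"
    next
    edit "tenant_b_admin"
        set accprofile "prof_admin"
        set vdom "TENANT_B"
    next
end
"""

ANY_HOST = "0.0.0.0 0.0.0.0"


def parse_system_admin(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse edit/set/next entries into {admin_name: {attribute: [values]}}."""
    admins: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[0] == "edit":
            current = parts[1].strip('"')
            admins[current] = {}
        elif parts[0] == "set" and current is not None:
            admins[current].setdefault(parts[1], []).append(" ".join(parts[2:]).strip('"'))
        elif parts[0] == "next":
            current = None
    return admins


def unrestricted_vdom_admins(text: str) -> List[str]:
    """Non-super_admin accounts whose CLI access is not limited by a trusted host entry."""
    findings = []
    for name, attrs in parse_system_admin(text).items():
        if attrs.get("accprofile", [""])[0] == "super_admin":
            continue
        hosts = [v for k, vals in attrs.items() if k.startswith("trusthost") for v in vals]
        if not hosts or any(h == ANY_HOST for h in hosts):
            findings.append(name)
    return findings
```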
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.