On June 9, 2023, Fortinet silently patched a purported critical remote code execution (RCE) vulnerability in Fortigate SSL VPN firewalls. According to Lexfo Security’s Charles Fol, who discovered the vulnerability, the flaw is heap-based and reachable pre-authentication on every SSL VPN appliance. Fortinet is expected to publish their advisory for CVE-2023-27997 tomorrow, June 13, 2023. The company has a history of issuing security patches prior to disclosing critical vulnerabilities. Presumably, this policy is meant to give customers time to update their devices before threat actors exploit flaws, but in practice, it gives attackers a head start on attack development while keeping vulnerable organizations in the dark.
Rapid7 is not aware of any exploitation of this vulnerability at time of writing. We do expect CVE-2023-27997 will be leveraged by attackers, but heap-based exploits are notoriously tricky, and it’s unlikely that we’ll see automated exploitation at scale. Nevertheless, we recommend that Fortigate customers update immediately as a matter of habit, despite the fact that Fortinet’s advisory is not yet available. According to reports, security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.
As of June 12, there were roughly 210,700 Fortigate devices with the SSL VPN component exposed to the public internet, the majority of which are in the United States, followed by Japan and Taiwan.
Fortinet device vulnerabilities are historically popular with attackers of all skill levels, though exploitability varies on a vuln-by-vuln basis. The U.S. government recently released a security 27997 critical fortinet fortigate remote execution vulnerability
