Fortinet has patched a critical security flaw, tracked as CVE-2023-27997 (Fortinet advisory FG-IR-23-097), in the SSL-VPN component of FortiOS. By sending a crafted request to the SSL-VPN endpoint, an unauthenticated attacker can execute arbitrary code on the device. Because the bug is reachable before authentication, multi-factor authentication on the VPN does not prevent exploitation. Every FortiOS release with SSL-VPN enabled in the affected branches prior to the fix is vulnerable; the issue is patched in 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Fortinet has withheld further technical details for now.
Fortinet devices are frequently targeted because they are among the most widely deployed firewall and VPN appliances on the market, and SSL-VPN flaws have historically been exploited within days of a patch being released. A Shodan search shows more than 255,000 FortiGate firewalls reachable from the Internet. Since every earlier release in the affected branches is vulnerable, any of those devices that expose SSL-VPN and have not yet been updated is likely exploitable.
How to Patch a Vulnerable Fortinet FortiGate Product
Check the Fortinet Support site regularly and apply newly released patches to keep your FortiGate SSL-VPN secure. To update a device:
- Check the firmware version: The System Information widget on the device dashboard shows the running firmware version. From the CLI, the command get system status prints the same information (the Version line), which is convenient when checking many devices.
- Find the latest firmware: Log in to the support site and go to the Download section. In the product list select FortiGate, then your FortiGate model, and click Firmware Images to see all available builds. Download the release for your branch that addresses CVE-2023-27997 (6.2.15, 6.4.13, 7.0.12, or 7.2.5). Before upgrading, back up the configuration and consult Fortinet's recommended upgrade path for your model, because jumping several releases may require an intermediate build.
- Apply the patch: In the FortiGate GUI, navigate to System > Firmware > Update > Upload File and select the downloaded image. After the device reboots, confirm the new version in System Information, verify that SSL-VPN and the rest of the configuration work as expected, and check that the device is stable.
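To triage a fleet rather than one box, the version check in the first step can be scripted. The following Python helper is an added example, not code from SecurIT360 or Fortinet: it parses the Version line of get system status output and compares the running version against the fixed releases listed above, per FortiOS branch, using tuple comparison so that 7.0.9 is correctly ordered below 7.0.12. The device names, the status-output text, and the build numbers in the sample are constructed for illustration; branches the post does not list (for example 6.0 or 7.4) are reported as unknown rather than guessed.

```python
"""Triage helper for CVE-2023-27997: is this FortiOS version below the fix?

Added example, not SecurIT360 or Fortinet code.  The fixed versions are the
four releases named in the post; everything else here is an assumption or
constructed sample data.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per FortiOS branch, as listed in the post.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}

# Shape of the "Version:" line printed by `get system status`, e.g.
#   Version: FortiGate-100F v7.0.11,build0489,230314 (GA.F)
# Only the model and the vX.Y.Z triple are captured; build/date are ignored.
VERSION_RE = re.compile(r"Version:\s*(\S+)\s+v(\d+)\.(\d+)\.(\d+)")


def parse_version(status_output: str) -> Optional[Tuple[str, Version]]:
    """Return (model, (major, minor, patch)) or None if no Version line is found."""
    m = VERSION_RE.search(status_output)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def assess(version: Version) -> str:
    """Classify a FortiOS version against the fixed releases.

    'vulnerable'     - same branch as a listed fix, but below it
    'fixed'          - at or above the listed fix for its branch
    'unknown-branch' - branch not covered by the post; check the vendor advisory
    """
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if version >= fixed else "vulnerable"


def triage(status_by_device: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to its assessment, or 'unparsed' if the output is unusable."""
    report: Dict[str, str] = {}
    for name, output in status_by_device.items():
        parsed = parse_version(output)
        report[name] = "unparsed" if parsed is None else assess(parsed[1])
    return report


# Constructed sample output (hypothetical device names and build strings).
SAMPLE_STATUS: Dict[str, str] = {
    "fw-edge-01": "Version: FortiGate-100F v7.0.11,build0000,000000 (GA.F)\nSerial-Number: ...",
    "fw-edge-02": "Version: FortiGate-60F v7.2.5,build0000,000000 (GA.F)",
    "fw-dc-01":   "Version: FortiGate-600E v6.4.12,build0000,000000 (GA.F)",
    "fw-lab-01":  "Version: FortiGate-VM64 v7.4.0,build0000,000000 (GA.F)",
    "fw-broken":  "connection timed out",
}

if __name__ == "__main__":
    for device, status in sorted(triage(SAMPLE_STATUS).items()):
        print(f"{device:12s} {status}")
```

In practice the status text would come from an SSH session or a configuration-management export rather than an inline dictionary; the parser and the comparison are the parts worth keeping. A device reported as fixed still warrants a check that the SSL-VPN portal is actually the intended one and that no indicators of earlier compromise are present, since patching does not evict an attacker who got in before the update.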
SecurIT360 SOC Managed Services
If you use our SOC Managed Services for MDR and/or EDR, we are actively monitoring for the release of indicators of compromise (IoCs) related to this CVE. Along with standard vendor threat-feed and signature updates, we will proactively load these into our SOC tools where applicable.
- As always, if we detect activity related to these exploits, we will alert you if warranted.
- Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.
Mitigation
Apply the Fortinet security updates as soon as possible. Technical details and proof-of-concept code typically appear shortly after a patch of this kind, and earlier FortiGate SSL-VPN flaws were exploited in the wild within days. If a device cannot be updated promptly, reduce its exposure in the meantime by disabling SSL-VPN or restricting which source addresses can reach the SSL-VPN interface, and review the device for signs of earlier compromise once it is patched.