Fix for Critical Remote Code Execution in Fortigate SSL-VPN, Patch now
Take action: VPN device flaws are exploited very quickly after patches or public information of vulnerability are released since they are exposed to the public internet. These exploits are made to be automated and lead to network breaches and vectors for data theft, and ransomware attacks. Update your Fortigate SSL-VPN immediately!
Learn More
Fortinet released firmware updates for their Fortigate devices to address a critical remote code execution (RCE) vulnerability in SSL VPN devices.
The details of the vulnerability have not been disclosed to avoid building an exploit, but it is considered a critical issue that can be exploited without authentication. Cybersecurity researchers warn that the vulnerability could allow an attacker to interfere with the VPN even if multi-factor authentication (MFA) is enabled.
It is believed that all versions of FortiOS are affected. The vulnerability appears to be exploited by various state-sponsored actors in the wild. Fortinet refused to name the suspected hacking groups but a group called Volt Typhoon is known to exploit vulnerabilities in network and edge devices as ingress vector.
Update - as of 3rd Jul 2023 More than 330,000 FortiGate firewall appliances are still vulnerable to a remote code execution (RCE) attack three weeks after the vendor Fortinet issued a critical fix.
The security fixes were included in the FortiOS/FortiProxy firmware versions which were released on Friday, 9th of June. Fixed versions are:
FortiOS
- 6.0.17 or above
- 6.2.15 or above
- 6.4.13 or above
- 7.0.12 or above
- 7.2.5 or above
- 7.4.0 or above
FortiOS-6K7K
- 7.0.12 or above
- 6.4.13 or above
- 6.2.15 or above
- 6.0.17 or above
FortiProxy
- 7.2.4 or above
- 7.0.10 or above
- 2.0.13 or above
The firmware release notes do not explicitly mention the RCE vulnerability but security professionals indicated that these updates silently addressed the issue.
Fortinet has a practice of releasing security patches ahead of disclosing critical vulnerabilities to give customers time to update their devices and mitigate potential risks before threat actors can analyze and exploit the vulnerabilities. The issue is expected to be officially disclosed on Tuesday, June 13th, 2023. The vulnerability is tracked as CVE-2023-27997.
Fortinet devices, including their firewall and VPN devices, are widely used and popular in the market, making them attractive targets for attackers. A Shodan search revealed that over 250,000 Fortigate firewalls are accessible from the internet.
