Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now

Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices.

The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

While not mentioned in the release notes, security professionals and admins have hinted that the updates quietly fixed a critical SSL-VPN RCE vulnerability that would be disclosed on Tuesday, June 13th, 2023.

“The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated,” reads an advisory from French cybersecurity firm Olympe Cyberdefense.

“To date, all versions would be affected, we are waiting for the release of the CVE on June 13, 2023 to confirm this information.”

Fortinet is known to push out security patches prior to disclosing critical vulnerabilities to give customers time to update their devices before threat actors reverse engineer the patches.

Today, additional information was disclosed by Lexfo Security vulnerability researcher Charles Fol, who told BleepingComputer that the new FortiOS updates include a fix for a critical RCE vulnerability discovered by him and Rioru.

“Fortinet published a patch for CVE-2023-27997, the Remote Code Execution vulnerability @DDXhunter and I reported,” reads a tweet by Fol.

“This is reachable pre-authentication, on every SSL VPN appliance. Patch your Fortigate. Details at a later time. #xortigate.”

Fol confirmed to BleepingComputer that this should be considered an urgent patch for Fortinet admins as its likely to be quickly analyzed and discovered by threat actors.

Fortinet devices are some of the most popular firewall and VPN devices in the market, making them a popular target for attacks.

Per a Shodan search, over 250,000 Fortigate firewalls can be reached from the Internet, and as this bug affects all previous versions, the majority are likely exposed.

In the past, SSL-VPN flaws have been exploited by threat actors just days after patches are released, commonly used to gain initial access to networks to conduct data theft and ransomware attacks.

Therefore, admins must apply Fortinet security updates as soon as they become available.

Leave a Comment

Your email address will not be published. Required fields are marked *