Pre-Authentication Critical Vulnerability in Fortinet SSL VPN
The PacketWatch Intelligence Team : Jun 12, 2023 1:24:18 PM
On Friday, June 9, 2023, Fortinet released new firmware updates for FortiOS. Over the weekend, security researchers shared on social media that this firmware update remediates a critical RCE vulnerability in the Fortinet SSL VPN devices.
Last Updated: June 12, 2023 at 3:08 PM MST
The official Fortinet Product Security Incident Response Team (PSIRT) blog stated: "Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation."
They also provided clarifications on the Volt Typhoon Campaign.
Today, security researcher Charles Fol from Lexfo Security confirmed that the security update includes a fix for the RCE vulnerability that he and another researcher, ‘Rioru’, discovered.
Charles also stated on his Twitter feed that the vulnerability affects all Fortinet SSL VPN appliances and is “reachable pre-authentication”, meaning no credentials are required to exploit vulnerable systems.
An additional security advisory from Olympe Cyberdefense also states that the vulnerability will work even if multi-factor authentication (MFA) is enabled.
Administrators are strongly encouraged to patch vulnerable devices immediately.
CVE-2023-27997
Critical Remote Code Execution (RCE) vulnerability in Fortinet SSL VPN appliances
Affected Products
All Fortinet SSL VPN appliances
Remediation
Upgrade to the latest FortiOS firmware versions released by Fortinet:
- 6.0.17
- 6.2.15
- 6.4.13
- 7.0.12
- 7.2.5
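To turn the fixed-release list above into a repeatable check, the following Python snippet compares a FortiOS version string against the minimum patched release of its maintenance branch. It is an added example, not PacketWatch or Fortinet tooling; the version-string format (a leading "v" followed by major.minor.patch, optionally with build text after it) and the sample inventory are assumptions, and a branch not listed above is reported as undecided rather than guessed.

```python
"""Check FortiOS versions against the fixed releases listed in this advisory
for CVE-2023-27997. Added example, not PacketWatch's or Fortinet's tooling."""
import re

# Minimum fixed FortiOS release per maintenance branch, as listed in this advisory.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}

# Assumed format: optional leading "v", then major.minor.patch; trailing build text is ignored.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'v7.0.11 build0489', '7.0.11' or similar into a (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unlisted' for one FortiOS version.

    'unlisted' means the branch does not appear in the fixed-release list above,
    so this check cannot decide; consult the vendor PSIRT advisory for it.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unlisted"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map each (hostname, version string) pair of an inventory to its status."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    SAMPLE = [("fw-edge-01", "v7.0.11 build0489"), ("fw-edge-02", "7.2.5"),
              ("fw-lab", "7.4.0"), ("fw-dc", "6.4.13")]
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```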
Resources
- Fortigate PSIRT Advisory: FortiOS & FortiProxy - Heap buffer overflow in sslvpn pre-authentication
- Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign (Fortigate)
- Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now (BleepingComputer)
- Olympe Cyberdefense Alert
If you have questions regarding this vulnerability or would like assistance, PacketWatch can help. Contact us today.
Disclaimer
The information provided in this article is provided “as-is.” It is not finally evaluated intelligence and should be considered raw information that is provided for strictly situational awareness, given what is known at this time.