Fortinet has released a patch to fix a critical remote code execution vulnerability in its FortiGate SSL-VPN devices. The vulnerability can be exploited pre-authentication, allowing a remote attacker to interfere with the VPN. The flaw can be exploited even if multi-factor authentication is activated, according to the French cybersecurity firm, Olympe Cyberdefense. If the remote web interface is exposed and the firmware is not updated to the latest version, the vulnerability could be exploited. Most companies that use the VPN have a vulnerable configuration. A Shodan search indicates there are currently around 250,000 instances that are exposed to the Internet and are potentially vulnerable.
The vulnerability, tracked as CVE-2023-27997, affects all versions of its SSL VPN appliances. Patches have been released for all supported versions, in addition to v6.0.17 which reached end-of-life last year. The patched versions of FortiOS firmware are 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.
Now that the updated versions of the firmware have been released, they will likely be analyzed by threat actors and compared to previous versions to see what has been changed. The vulnerability is likely to be discovered and exploited quickly, as SSL-VPN devices are attractive targets for hackers and Fortinet vulnerabilities have been actively targeted in the past. The Fortinet FortioOS vulnerability, CVE-2018-13379, was one of the most actively exploited vulnerabilities in 2018, and the vulnerabilities CVE-2022-42475 and CVE-2022-40684 were also widely exploited. Admins should therefore ensure that their FortiGate SSL-VPN devices are updated as soon as possible.
Fortinet has yet to publish details of the vulnerability, there is currently no CVSS score, and Fortinet has not stated whether the vulnerability is currently being exploited. Details are likely to be withheld until a significant percentage of customers have updated their firmware to a supported version.