CVE-2023-27997: Critical Fortinet Fortigate Remote Code Execution Vulnerability

Drew Burton, Rapid7 Blog (blog.rapid7.com), June 12, 2023
Tags: fortinet, fortigate, rce, vulnerability, silent patching, lexfo security, charles fol, heap-based, pre-authentication, firmware versions, security advisory, exploited, admin account, exploitability, affected products, remediation, rapid7 customers

CVSS v3.1: 9.8 High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS v2: 7.5 High
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.057 (Low), percentile 92.2%


On June 9, 2023, Fortinet silently patched a purported critical remote code execution (RCE) vulnerability in Fortigate SSL VPN firewalls. According to Lexfo Security’s Charles Fol, who discovered the vulnerability, the flaw is heap-based and reachable pre-authentication. According to reports, security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

Fortinet published an advisory for CVE-2023-27997 on June 13, 2023. The company has a history of issuing security patches prior to disclosing critical vulnerabilities. Presumably, this policy is meant to give customers time to update their devices before threat actors exploit flaws, but in practice, it gives attackers a head start on attack development while keeping vulnerable organizations in the dark.

According to a June 14, 2023 update to the advisory, Fortinet is now aware of instances where this vulnerability has been exploited to download the config file from the targeted devices, and to add a malicious super_admin account called fortigate-tech-support:

# show system admin
edit "fortigate-tech-support"
set accprofile "super_admin"
set vdom "root"
set password ENC [...]
next
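A defender-side check for the account pattern above, added here as an example (it is not code from the Rapid7 post or from Fortinet): it parses "show system admin" output in the format shown and reports any super_admin account that is not on an allowlist. The sample output and the allowlist containing only "admin" are constructed assumptions.

```python
import re

# Constructed sample 'show system admin' output: one sanctioned super_admin,
# the rogue account named in the advisory, and a non-super_admin account.
SAMPLE_OUTPUT = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC [...]
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC [...]
    next
    edit "readonly-auditor"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

# Assumption: the only super_admin account that should exist on the device.
EXPECTED_SUPER_ADMINS = {"admin"}

def parse_admins(output):
    """Return {account name: {setting: value}} for each 'edit ... next' block."""
    admins, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            admins[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r'^set (\S+) (.+)$', line)
            if m:
                admins[current][m.group(1)] = m.group(2).strip('"')
    return admins

def suspicious_super_admins(output, expected=EXPECTED_SUPER_ADMINS):
    """Sorted names of super_admin accounts that are not on the allowlist."""
    return sorted(name for name, cfg in parse_admins(output).items()
                  if cfg.get("accprofile") == "super_admin" and name not in expected)
```

Run it against a saved copy of the real CLI output; a non-empty result means an administrator account exists that the device owner did not sanction.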

Fortinet device vulnerabilities are historically popular with attackers of all skill levels, though exploitability varies on a vuln-by-vuln basis. The U.S. government recently released a security bulletin that highlighted state-sponsored threat actors gaining access to networks via Fortigate devices. Fortinet vulnerabilities are also popular with initial access broker groups that sell access to potential victims’ networks to ransomware groups.

Affected Products

Per Fortinet’s advisory, “at least” the following products are affected:

  • FortiOS-6K7K version 7.0.10

  • FortiOS-6K7K version 7.0.5

  • FortiOS-6K7K version 6.4.12

  • FortiOS-6K7K version 6.4.10

  • FortiOS-6K7K version 6.4.8

  • FortiOS-6K7K version 6.4.6

  • FortiOS-6K7K version 6.4.2

  • FortiOS-6K7K version 6.2.9 through 6.2.13

  • FortiOS-6K7K version 6.2.6 through 6.2.7

  • FortiOS-6K7K version 6.2.4

  • FortiOS-6K7K version 6.0.12 through 6.0.16

  • FortiOS-6K7K version 6.0.10

  • FortiProxy version 7.2.0 through 7.2.3

  • FortiProxy version 7.0.0 through 7.0.9

  • FortiProxy version 2.0.0 through 2.0.12

  • FortiProxy 1.2 all versions

  • FortiProxy 1.1 all versions

  • FortiOS version 7.2.0 through 7.2.4

  • FortiOS version 7.0.0 through 7.0.11

  • FortiOS version 6.4.0 through 6.4.12

  • FortiOS version 6.2.0 through 6.2.13

  • FortiOS version 6.0.0 through 6.0.16

Remediation

Update FortiOS firmware to:

  • FortiOS version 7.2.0 through 7.2.4

  • FortiOS-6K7K version 7.0.12 or above

  • FortiOS-6K7K version 6.4.13 or above

  • FortiOS-6K7K version 6.2.15 or above

  • FortiOS-6K7K version 6.0.17 or above

  • FortiProxy version 7.2.4 or above

  • FortiProxy version 7.0.10 or above

  • FortiOS version 7.4.0 or above

  • FortiOS version 7.2.5 or above

  • FortiOS version 7.0.12 or above

  • FortiOS version 6.4.13 or above

  • FortiOS version 6.2.14 or above

  • FortiOS version 6.0.17 or above

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-27997 with an authenticated vulnerability check available in today’s (June 12, 2023) content release.

Updates

July 13, 2023: Added affected products and remediation information from Fortinet’s July 13, 2023 CVE-2023-27997 advisory.

July 14, 2023: Added new information from Fortinet’s advisory about CVE-2023-27997 exploitation in the wild.
