Fortinet has released firmware updates for its Fortigate devices, addressing a critical pre-authentication remote code execution (RCE) vulnerability in SSL VPN devices. The security patches were rolled out on Friday for FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Although the release notes did not mention the vulnerability, security professionals and administrators have suggested that the updates resolve a critical, undisclosed SSL-VPN RCE vulnerability set to be disclosed on Tuesday, June 13th, 2023.
An advisory from French cybersecurity firm Olympe Cyberdefense stated, "The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated." The advisory also mentioned that all versions are likely affected, with confirmation expected upon the release of the CVE on June 13, 2023. Fortinet is known for releasing security patches before disclosing critical vulnerabilities, providing customers with time to update their devices before threat actors can reverse engineer the patches.
Charles Fol, a vulnerability researcher, revealed additional information, stating that the new FortiOS updates include a fix for a critical RCE vulnerability discovered by him and Rioru. In a tweet, Fol shared, "Fortinet published a patch for CVE-2023-27997, the Remote Code Execution vulnerability @DDXhunter and I reported. This is reachable pre-authentication, on every SSL VPN appliance. Patch your Fortigate. Details at a later time. #xortigate." Fol confirmed that this should be considered an urgent patch for Fortinet administrators, as threat actors are likely to quickly analyze and discover the vulnerability.
Fortinet devices are among the most popular firewall and VPN devices on the market, making them a prime target for attacks. A Shodan search revealed that over 250,000 Fortigate firewalls can be reached from the Internet, and since this bug affects all previous versions, the majority are likely exposed. In the past, SSL-VPN flaws have been exploited by threat actors just days after patches are released, often used to gain initial access to networks for data theft and ransomware attacks. As a result, administrators must apply Fortinet security updates as soon as they become available. Fortinet was contacted for more information about the updates, but a reply was not immediately available.