Fortinet Warns of Critical Unauthenticated RCE Vulnerability
March 8, 2023
Fortinet has disclosed a critical vulnerability impacting FortiOS and FortiProxy, tracked as CVE-2023-25610, which allows an unauthenticated attacker to execute arbitrary code or cause a denial of service (DoS) through the administrative GUI of vulnerable devices. This buffer underflow vulnerability has a CVSS v3 score of 9.3, rating it critical. Fifty device models are affected only by the denial-of-service component of the flaw, not by the arbitrary code execution component. As a workaround, Fortinet suggests disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach it remotely. It is imperative to mitigate this vulnerability quickly, as threat actors keep an eye out for critical-severity flaws impacting Fortinet products. On February 16, Fortinet fixed two critical remote code execution flaws impacting FortiNAC and FortiWeb products, and a working proof-of-concept exploit was made public only four days later. Active exploitation in the wild began on February 22, 2023.
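The workaround above has two parts: remove `http`/`https` from the `allowaccess` list of any interface that should not serve the administrative GUI, and restrict each admin account to trusted source addresses (`trusthostN` under `config system admin`). The script below is an added example, not Fortinet's code or part of the advisory: it reads a FortiOS-style configuration export in the `config` / `edit` / `set` / `next` / `end` syntax and reports interfaces that still expose the web GUI and admin accounts with no trusted-host restriction. The embedded configuration is constructed for the example (addresses from RFC 5737 documentation ranges), and the parser handles only the two top-level tables it audits.

```python
"""Audit a FortiOS-style config export for the CVE-2023-25610 workaround.

Added example, not Fortinet's code. Checks two things the advisory's
workaround changes: interfaces whose `allowaccess` still includes http or
https, and admin accounts that have no `trusthostN` restriction.
"""

# Constructed sample export: port1 (WAN side) still exposes HTTP/HTTPS admin,
# port2 (management side) allows ping/ssh only. "admin" has no trusted hosts,
# "ops" is limited to the management subnet.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "ops"
        set trusthost1 192.0.2.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

ADMIN_WEB_SERVICES = {"http", "https"}


def parse_blocks(text):
    """Return {table: {entry_name: {key: value}}} for top-level tables.

    Nested `config ... end` blocks inside an entry (e.g. `config ipv6`) are
    tracked by depth and skipped, so they cannot clobber the outer table.
    """
    tables = {}
    table = None
    entry = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table = line[len("config "):]
                tables.setdefault(table, {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                table = None
        elif depth != 1 or table is None:
            continue  # inside a nested block, or outside any table
        elif line.startswith("edit "):
            name = line[len("edit "):].strip('"')
            entry = tables[table].setdefault(name, {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value
        elif line == "next":
            entry = None
    return tables


def exposed_interfaces(tables):
    """Interfaces whose allowaccess still includes http and/or https."""
    found = {}
    for name, attrs in tables.get("system interface", {}).items():
        web = set(attrs.get("allowaccess", "").split()) & ADMIN_WEB_SERVICES
        if web:
            found[name] = sorted(web)
    return found


def unrestricted_admins(tables):
    """Admin accounts with no trusthostN entry, i.e. reachable from any IP."""
    return sorted(
        name
        for name, attrs in tables.get("system admin", {}).items()
        if not any(key.startswith("trusthost") for key in attrs)
    )


def audit(text):
    """Run both checks over a config export and return the findings."""
    tables = parse_blocks(text)
    return {
        "exposed_interfaces": exposed_interfaces(tables),
        "unrestricted_admins": unrestricted_admins(tables),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

On the constructed sample the audit flags `port1` (still serving `http` and `https`) and the `admin` account (no `trusthost` lines); `port2` and `ops` pass. Running it against a real export gives a quick way to confirm the workaround was applied on every interface before the patch window closes.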
- Veeam Urges Customers to Patch High-Severity Backup Service Security Vulnerability
- Severe Security Vulnerabilities Discovered in Jenkins Open Source Automation Server
- Surge in ICS Attacks Linked to Bitrix CMS Vulnerability
- Ongoing Exploitation of Critical Vulnerabilities in VMware Cloud Foundation and NSX-V
- LastPass Suffers Second Attack After Failing to Update Plex