Fortinet has reported that a critical FortiOS SSL VPN vulnerability, which was patched last week, might have been exploited in attacks targeting government, manufacturing, and critical infrastructure organizations. The flaw, tracked as CVE-2023-27997 (Fortinet advisory FG-IR-23-097), is a heap-based buffer overflow in the FortiOS and FortiProxy SSL-VPN component that allows unauthenticated attackers to achieve remote code execution (RCE) through maliciously crafted requests. CVE-2023-27997 was discovered during a code audit of the SSL-VPN module that followed another recent series of attacks against government organizations, which exploited the CVE-2022-42475 FortiOS SSL-VPN zero-day.
On Friday, Fortinet released security updates addressing the vulnerability before disclosing additional details today. The company has previously pushed patches before revealing critical vulnerabilities to provide customers with time to secure their devices before threat actors can reverse engineer them to create exploits. Fortinet stated in a report published on Monday, "Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation." Consequently, Fortinet advises customers with SSL-VPN enabled to upgrade to the most recent firmware release immediately. Although the risk of this issue is mitigated for customers not operating SSL-VPN, Fortinet still recommends upgrading.
While Fortinet did not establish any connections to the recently disclosed Volt Typhoon attacks targeting critical infrastructure organizations across the United States, the company did mention the possibility that the Chinese cyberespionage group could also target the CVE-2023-27997 flaw. Fortinet said, "At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices." As a result, Fortinet urges immediate and ongoing mitigation through an aggressive patching campaign.
Volt Typhoon is known for infiltrating Internet-exposed Fortinet FortiGuard devices via an unknown zero-day vulnerability to access the networks of organizations in various critical sectors. The threat actors also utilize compromised routers, firewalls, and VPN appliances from multiple vendors to avoid detection by ensuring their malicious activity blends in with legitimate network traffic. Fortinet disclosed today that the threat actors are primarily targeting devices unpatched against CVE-2022-40684, an authentication bypass vulnerability in FortiOS / FortiProxy / FortiSwitchManager devices, for initial access. However, as previously mentioned, the threat actors are expected to begin exploiting new vulnerabilities as they are disclosed.