Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now

Update 6/12/23 added below: Fortinet released a new advisory warning that the vulnerability may have been exploited in attacks.

Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices, tracked as CVE-2023-27997.

The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

While not mentioned in the release notes, security professionals and admins have hinted that the updates quietly fixed a critical SSL-VPN RCE vulnerability that would be disclosed on Tuesday, June 13th, 2023.

"The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated," reads an advisory from French cybersecurity firm Olympe Cyberdefense.

"To date, all versions would be affected, we are waiting for the release of the CVE on June 13, 2023 to confirm this information."

Fortinet is known to push out security patches prior to disclosing critical vulnerabilities to give customers time to update their devices before threat actors reverse engineer the patches.

Today, additional information was disclosed by Lexfo Security vulnerability researcher Charles Fol, who told BleepingComputer that the new FortiOS updates include a fix for a critical RCE vulnerability discovered by him and Rioru.

"Fortinet published a patch for CVE-2023-27997, the Remote Code Execution vulnerability @DDXhunter and I reported," reads a tweet by Fol.

"This is reachable pre-authentication, on every SSL VPN appliance. Patch your Fortigate. Details at a later time. #xortigate."

Fol confirmed to BleepingComputer that this should be considered an urgent patch for Fortinet admins as its likely to be quickly analyzed and discovered by threat actors.

Fortinet devices are some of the most popular firewall and VPN devices in the market, making them a popular target for attacks.

Per a Shodan search, over 500,000 Fortigate firewalls can be reached from the Internet, and as this bug affects all previous versions, the majority are likely exposed.

In the past, SSL-VPN flaws have been exploited by threat actors just days after patches are released, commonly used to gain initial access to networks to conduct data theft and ransomware attacks.

Therefore, admins must apply Fortinet security updates as soon as they become available.

BleepingComputer has contacted Fortinet to learn more about the updates, but a reply was not immediately available.

Update 6/11/23 8:35 PM ET: Fortinet shared the following statement with BleepingComputer after contacting them about whether the bug was exploited.

"Timely and ongoing communications with our customers is a key component in our efforts to best protect and secure their organization. There are instances where confidential advance customer communications can include early warning on Advisories to enable customers to further strengthen their security posture, prior to the Advisory being publicly released to a broader audience. This process follows best practices for responsible disclosure to ensure our customers have the timely information they need to help them make informed risk-based decisions. For more on Fortinet’s responsible disclosure process, visit the Fortinet Product Security Incident Response Team (PSIRT) page: https://www.fortiguard.com/psirt_policy."

Update 6/11/23 06:01 PM ET: Fortinet has said that the new vulnerability, CVE-2023-27997, may have been exploited in attacks against government, manufacturing, and critical infrastructure.

"Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation," reads the new advisory.

Fortinet also shard the following statement with BleepingComputer.

"We published a PSIRT advisory (FG-IR-23-097) on June 12th that details recommended next steps regarding CVE-2023-27997. Fortinet continues to monitor the situation and has been proactively communicating to customers, strongly urging them to immediately follow the guidance provided to mitigate the vulnerability using either the provided workarounds or by upgrading. As follow-up to this, we have shared additional detail and clarifications to help our customers make informed, risk-based decisions regarding CVE-2022-27997 in this blog. For more information, please refer to the blog and advisory."

Update 6/14/23: Added new Shodan search query shared by security researcher nekono_nanomotoni, which increases impacted devices to over 500,000!