Don’t regret it later: Fortinet’s FortiGate needs to be patched

Fortinet has recently released new firmware updates for FortiGate devices. These updates address a critical vulnerability that allows pre-authentication remote code execution in SSL VPN devices. The security fixes were quietly included in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5, although they were not explicitly mentioned in the release notes.

#Fortinet published a patch for CVE-2023-27997, the Remote Code Execution vulnerability @DDXhunter and I reported. This is reachable pre-authentication, on every SSL VPN appliance. Patch your #Fortigate. Details at a later time. #xortigate

— Charles Fol (@cfreal_) June 11, 2023

According to cybersecurity firm Olympe Cyberdefense, the flaw could enable unauthorized access through the VPN, even if multi-factor authentication (MFA) is enabled. While all versions of FortiGate devices are believed to be affected, confirmation is expected with the release of the CVE on June 13, 2023.

Source: NIST

🚨 we have confirmed and reproduced the rumoured Fortinet FortiGate RCE that is embargoed until the 13th, discovered by Olympe Cyberdefense. Please patch ASAP. pic.twitter.com/IDCTRrztPy

— watchTowr (@watchtowrcyber) June 11, 2023

Fortinet thinks ahead

Fortinet typically releases security patches before disclosing critical vulnerabilities to give customers time to update their devices before malicious actors can analyze and exploit the patches.

Additional information has been disclosed by Lexfo Security vulnerability researcher Charles Fol, who reported discovering a critical remote code execution vulnerability, CVE-2023-27997, in FortiOS. This vulnerability can be exploited pre-authentication on any SSL VPN appliance. Fol emphasizes the urgency of patching Fortigate devices, as threat actors are likely to analyze and exploit the vulnerability quickly.

#Fortinet published a patch for CVE-2023-27997, the Remote Code Execution vulnerability @DDXhunter and I reported. This is reachable pre-authentication, on every SSL VPN appliance. Patch your #Fortigate. Details at a later time. #xortigate

— Charles Fol (@cfreal_) June 11, 2023

FortiGate devices are widely used for firewall and VPN purposes, making them attractive attack targets. A Shodan search reveals that over 250,000 FortiGate firewalls can be accessed from the internet, and since this vulnerability affects previous versions, a significant number of devices are potentially exposed.

Historically, threat actors have exploited SSL-VPN flaws shortly after patches are released, often using them to gain initial network access for data theft and ransomware attacks. Therefore, administrators should promptly apply the Fortinet security updates as soon as they are available.

Every week there's a new exploit for Fortigates. And patching them requires multiple upgrades for each version up to the most recent version. Hard to manage pieces of crap

— BitcoinDurp 🟦 (@BitcoinDurp) June 11, 2023

Conclusive facts

Vulnerabilities happen! Cyberspace is full of holes that can be filled by either the bad or good ones. So, if good ones come forth first, they must be encouraged rather than criticized. This is because bad ones are waiting day and night to exploit your safe space in unbelievable ways. Stay safe! Always patch! Keep yourself updated!