Fortinet has released several versions of FortiOS, the OS/firmware powering its FortiGate firewalls and other devices, without mentioning that they include a fix for CVE-2023-27997, a remote code execution (RCE) flaw that can be exploited without the attacker being logged in, and regardless of whether the target organization has MFA in place.
Fortinet has yet to publish an advisory for the flaw, but French cybersecurity company Olympe Cyberdefense reported that an advisory is expected to become public on June 13.
The company said the security hole impacts the SSL VPN functionality of FortiGate firewalls, allowing an attacker to “interfere via the VPN”.
The vulnerability has been fixed in FortiOS versions 7.2.5, 7.0.12, 6.4.13, 6.2.15 and apparently also in 6.0.17 (even though Fortinet officially stopped supporting the 6.0 branch last year).
Enterprise admins are advised to upgrade FortiGate devices as soon as possible – if the vulnerability is not already being exploited by attackers, it is likely that it soon will be.
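For admins triaging a fleet, the practical question is which devices are still below the fixed release on their branch. The following is an added example (not from the article or from Fortinet): it takes the fixed versions listed above, parses FortiOS version strings, and classifies each device as patched, vulnerable, or unknown. The 6.0 branch entry is flagged as only reportedly fixed, as the text says, and branches the text does not cover (for example anything newer than 7.2) are reported as unknown rather than guessed. Hostnames and versions in the sample inventory are constructed.

```python
# Added example: classify FortiOS version strings against the releases that,
# per the summary above, carry the fix for CVE-2023-27997. The branch-to-fix
# mapping comes from the text; the parsing/comparison code is illustrative
# and is not a Fortinet tool.
import re

# Minimum patched release per branch, as listed in the summary.
# The 6.0 entry is marked "apparent" because the text describes that fix
# as unconfirmed and the branch as no longer vendor-supported.
FIXED_VERSIONS = {
    (7, 2): ((7, 2, 5), "confirmed"),
    (7, 0): ((7, 0, 12), "confirmed"),
    (6, 4): ((6, 4, 13), "confirmed"),
    (6, 2): ((6, 2, 15), "confirmed"),
    (6, 0): ((6, 0, 17), "apparent"),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Turn 'v7.0.11' or '7.0.11' into (7, 0, 11); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text: str) -> dict:
    """Classify one device's FortiOS version.

    Returns {'status': 'patched' | 'vulnerable' | 'unknown', 'reason': str}.
    Branches not covered by the summary are 'unknown', never assumed safe.
    """
    major, minor, patch = parse_version(version_text)
    entry = FIXED_VERSIONS.get((major, minor))
    if entry is None:
        return {"status": "unknown",
                "reason": f"branch {major}.{minor} not covered by the advisory summary"}
    fixed, confidence = entry
    fixed_text = ".".join(map(str, fixed))
    if (major, minor, patch) >= fixed:
        note = ("" if confidence == "confirmed"
                else " (6.0 fix is reported, not confirmed by the vendor)")
        return {"status": "patched", "reason": f"at or above {fixed_text}{note}"}
    return {"status": "vulnerable",
            "reason": f"below {fixed_text}; upgrade to {fixed_text} or later"}


def triage(inventory: dict) -> dict:
    """Group hostnames by status so devices needing an upgrade stand out."""
    groups = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        groups[assess(version)["status"]].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "fw-hq-01": "v7.2.5",
        "fw-hq-02": "v7.0.11",
        "fw-branch-03": "6.4.13",
        "fw-lab-04": "v6.0.16",
        "fw-lab-05": "v7.4.0",
    }
    for host, version in sample.items():
        result = assess(version)
        print(f"{host:14} {version:8} {result['status']:10} {result['reason']}")
    print(triage(sample))
```

In practice the inventory dict would be populated from whatever asset system or `get system status` output the organization already collects; the point of keeping an explicit "unknown" bucket is that a version-check script should never silently treat an unlisted branch as safe.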
References:
https://www.securityweek.com/fortinet-patches-critical-fortigate-ssl-vpn-vulnerability/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27997
https://www.thestack.technology/fortinet-vulnerability-vpn-cve-2023-27997/