Critical Vulnerability in Fortinet's FortiOS and FortiProxy Products

Fortinet has released security updates to address a critical vulnerability (CVE-2023-27997) in its products running FortiOS. This vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.2 out of 10. The vulnerability is reportedly being actively exploited. 

Successful exploitation of this heap-based buffer overflow vulnerability in FortiOS and FortiProxy Secure Socket Layer Virtual Private Network (SSL-VPN) could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

The vulnerability affects the following products:

At least

• FortiOS-6K7K version 7.0.10

• FortiOS-6K7K version 7.0.5

• FortiOS-6K7K version 6.4.12

• FortiOS-6K7K version 6.4.10

• FortiOS-6K7K version 6.4.8

• FortiOS-6K7K version 6.4.6

• FortiOS-6K7K version 6.4.2

• FortiOS-6K7K version 6.2.9 through 6.2.13

• FortiOS-6K7K version 6.2.6 through 6.2.7

• FortiOS-6K7K version 6.2.4

• FortiOS-6K7K version 6.0.12 through 6.0.16

• FortiOS-6K7K version 6.0.10

At least

• FortiProxy version 7.2.0 through 7.2.3

• FortiProxy version 7.0.0 through 7.0.9

• FortiProxy version 2.0.0 through 2.0.12

• FortiProxy 1.2 all versions

• FortiProxy 1.1 all versions

At least

• FortiOS version 7.2.0 through 7.2.4

• FortiOS version 7.0.0 through 7.0.11

• FortiOS version 6.4.0 through 6.4.12

• FortiOS version 6.0.0 through 6.0.16

Users and administrators of affected product are advised to update to the latest versions immediately.

More information is available here:
https://www.fortiguard.com/psirt/FG-IR-23-097
https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign