CVE-2023-27997
📋 TL;DR
A heap-based buffer overflow vulnerability in Fortinet's SSL-VPN implementation allows remote attackers to execute arbitrary code via crafted requests. This affects FortiOS versions 7.2.4 and below, 7.0.11 and below, 6.4.12 and below, 6.0.16 and below, and FortiProxy versions 7.2.3 and below, 7.0.9 and below, 2.0.12 and below, plus all versions of 1.2 and 1.1. Organizations using these vulnerable SSL-VPN gateways are at risk.
💻 Affected Systems
- FortiOS
- FortiProxy
📦 What is this software?
Fortios by Fortinet
Fortiproxy by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full system control, installs persistent backdoors, pivots to internal networks, and exfiltrates sensitive data.
Likely Case
Remote code execution leading to VPN gateway compromise, credential theft, and lateral movement into corporate networks.
If Mitigated
Attack blocked at perimeter; no internal access achieved due to network segmentation and strict access controls.
🎯 Exploit Status
Actively exploited in the wild; CISA has added it to the Known Exploited Vulnerabilities catalog. Exploitation requires network access to the SSL-VPN interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS: 7.2.5, 7.0.12, 6.4.13, 6.0.17; FortiProxy: 7.2.4, 7.0.10, 2.0.13
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-23-097
Restart Required: Yes
Instructions:
1. Back up the configuration.
2. Download the appropriate firmware from the Fortinet support portal.
3. Upload the firmware to the device via GUI or CLI.
4. Install the update.
5. Reboot the device.
6. Verify the version and functionality.
🔧 Temporary Workarounds
Disable SSL-VPN
Temporarily disable the SSL-VPN service if it is not required
config vpn ssl settings
set status disable
end
Restrict SSL-VPN Access
Limit SSL-VPN access to specific source IPs using firewall policies
config firewall policy
edit <policy_id>
# <trusted_ips> is the name of an existing address or address-group object
set srcaddr <trusted_ips>
next
end
🧯 If You Can't Patch
- Implement network segmentation to isolate VPN gateway from critical assets
- Deploy intrusion prevention system (IPS) with signatures for this CVE
🔍 How to Verify
Check if Vulnerable:
Check the FortiOS/FortiProxy version via the GUI (System > Dashboard) or the CLI (get system status)
Check Version:
get system status | grep Version
Verify Fix Applied:
Verify version is patched: FortiOS >=7.2.5, >=7.0.12, >=6.4.13, >=6.0.17; FortiProxy >=7.2.4, >=7.0.10, >=2.0.13
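Added example (not part of the original advisory): a small Python checker that parses the "Version:" line of `get system status` and compares it against the fixed releases listed above, per product and release branch. It assumes FortiGate/FortiWiFi model strings report FortiOS and that the sample status lines below (constructed, not real device output) match the usual `Version: <model> v<major>.<minor>.<patch>,...` layout.

```python
import re

# Fixed releases per branch, taken from the "Official Fix" section above.
FIXED = {
    "FortiOS":    {(7, 2): (7, 2, 5), (7, 0): (7, 0, 12), (6, 4): (6, 4, 13), (6, 0): (6, 0, 17)},
    "FortiProxy": {(7, 2): (7, 2, 4), (7, 0): (7, 0, 10), (2, 0): (2, 0, 13)},
}
# Branches the advisory lists as affected in every version, with no fixed release.
NO_FIX = {"FortiProxy": {(1, 2), (1, 1)}}

# Matches the "Version:" line of `get system status`, e.g. (constructed sample)
# "Version: FortiGate-100F v7.2.4,build1396,230131 (GA.F)"
VERSION_RE = re.compile(r"Version:\s*(Forti[A-Za-z]+)\S*\s+v(\d+)\.(\d+)\.(\d+)")


def parse_version(status_output):
    """Return (product, (major, minor, patch)), or None if no Version line is present."""
    m = VERSION_RE.search(status_output)
    if not m:
        return None
    model, major, minor, patch = m.groups()
    # Assumption: FortiGate/FortiWiFi model strings run FortiOS; FortiProxy reports its own name.
    product = "FortiProxy" if model == "FortiProxy" else "FortiOS"
    return product, (int(major), int(minor), int(patch))


def fmt(version):
    return ".".join(str(part) for part in version)


def assess(status_output):
    """Return (status, product, version, required) for CVE-2023-27997;
    status is 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_version(status_output)
    if parsed is None:
        return ("unknown", None, None, None)
    product, ver = parsed
    branch = ver[:2]
    if branch in NO_FIX.get(product, set()):
        return ("vulnerable", product, fmt(ver), "upgrade to a supported branch")
    fixed = FIXED[product].get(branch)
    if fixed is None:
        # Branch not covered by this advisory (e.g. released after the fix): check the vendor PSIRT page.
        return ("unknown", product, fmt(ver), None)
    status = "patched" if ver >= fixed else "vulnerable"   # tuple comparison, element by element
    return (status, product, fmt(ver), fmt(fixed))


if __name__ == "__main__":
    # Constructed sample lines, not real device output.
    for line in ["Version: FortiGate-100F v7.2.4,build1396,230131 (GA.F)",
                 "Version: FortiProxy-VM64 v7.0.10,build0430,230601 (GA)"]:
        print(assess(line))
```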
📡 Detection & Monitoring
Log Indicators:
- Unusual SSL-VPN connection patterns
- Failed authentication attempts followed by successful exploitation
- Process execution anomalies on VPN device
Network Indicators:
- Unusual outbound connections from VPN gateway
- Exploit payload patterns in SSL-VPN traffic
SIEM Query:
source="fortigate" AND (eventtype="vpn" OR eventtype="traffic") AND (msg="*buffer overflow*" OR msg="*heap corruption*")