Security alert: critical Fortigate remote code execution vulnerability
What happened?

Fortinet released a patch on June 9, 2023 for a critical vulnerability in Fortigate Firewalls. Fortinet determined that all previous Fortigate Firewall OS versions were impacted. The vulnerability was designated CVE-2023-27997 and was rated 9.8/10 (critical) under the CVSS:3.1 scoring system. Threat actors can exploit the vulnerability if SSL-VPN is enabled on the firewall. If you have a Fortigate Firewall, we recommend applying the patch as soon as possible. (Even if you don’t use SSL-VPN, you should confirm that it’s disabled, and apply the patch.)

FYI, if you don’t have a Fortinet Fortigate Firewall, no action is necessary.

Why does it matter?

Threat actors of all skill levels consider firewall vulnerabilities an attractive target. Recently, the United States federal government, Microsoft, and Mandiant warned that Chinese state actors have exploited Fortigate vulnerabilities. Firewalls can be harder to defend because they have to be exposed to the internet, and the organizations that use them can’t install endpoint detection and response (EDR) agents on them, limiting visibility for defenders.

What should you do right now?

Attackers can exploit this vulnerability without authenticating, and can leverage it to execute arbitrary code. Patching quickly and hardening the device are the best line of defense in these situations. If you use Fortigate Firewall with SSL-VPN enabled, apply these patches now. Fortinet released patches on June 9, 2023, which should be available to install upon logging in. (If you use Fortigate Firewall without SSL-VPN, this is a good time to double-check your settings to confirm it’s disabled, and apply the patches.)

To reduce risk going forward, review Fortinet’s hardening guidelines. We also recommend using vulnerability scanner plugins (e.g., Tenable 177116) to verify patch remediation and to identify unpatched firewalls.
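As an added example (not Fortinet’s or Expel’s code), the Python below turns the two checks above, patch state and whether SSL-VPN is listening, into a triage script over FortiGate CLI output. It assumes the `Version:` line format of `get system status`, assumes that a configured `set source-interface` under `show vpn ssl settings` means the SSL-VPN portal is bound to an interface and reachable, and uses a placeholder fixed-version table that must be filled in from Fortinet’s advisory. The sample CLI output is constructed, not captured from real devices.

```python
"""Triage FortiGate firewalls for CVE-2023-27997 exposure from CLI output.

Added example, not Fortinet's or Expel's code. Assumptions:
  * `get system status` prints a line like
    "Version: FortiGate-100F v7.0.11,build0000,000000 (GA.F)"
  * in `show vpn ssl settings`, a configured `set source-interface` means the
    SSL-VPN portal is bound to an interface and therefore reachable.
The fixed-version table is a PLACEHOLDER: fill it from Fortinet's advisory.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

VERSION_RE = re.compile(r"^Version:\s*(\S+)\s+v(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
SOURCE_IF_RE = re.compile(r'^\s*set source-interface\s+"', re.MULTILINE)

# PLACEHOLDER: first fixed release per FortiOS branch ("major.minor" -> version).
# Illustrative values only; confirm every entry against Fortinet's advisory.
PLACEHOLDER_FIXED_VERSIONS: Dict[str, Version] = {
    "7.0": (7, 0, 12),
    "7.2": (7, 2, 5),
}


def parse_version(status_output: str) -> Tuple[str, Version]:
    """Return (model, (major, minor, patch)) from `get system status` output."""
    match = VERSION_RE.search(status_output)
    if match is None:
        raise ValueError("no 'Version:' line found in status output")
    model = match.group(1)
    version = (int(match.group(2)), int(match.group(3)), int(match.group(4)))
    return model, version


def ssl_vpn_listening(ssl_settings_output: str) -> bool:
    """True when `show vpn ssl settings` binds the portal to an interface (assumption)."""
    return SOURCE_IF_RE.search(ssl_settings_output) is not None


def is_patched(version: Version, fixed_versions: Dict[str, Version]) -> Optional[bool]:
    """Compare a device version against its branch's first fixed release.

    Returns None when the branch is absent from the table so the caller can
    treat an unknown (possibly end-of-support) branch conservatively.
    """
    branch = f"{version[0]}.{version[1]}"
    fixed = fixed_versions.get(branch)
    if fixed is None:
        return None
    return version >= fixed


def triage(hostname: str, status_output: str, ssl_settings_output: str,
           fixed_versions: Dict[str, Version] = PLACEHOLDER_FIXED_VERSIONS) -> dict:
    """Assign a patch priority to one firewall.

    P1: unpatched (or unknown branch) and SSL-VPN listening -> patch now.
    P2: unpatched, SSL-VPN not listening -> patch in the next window.
    P3: patched but SSL-VPN listening -> confirm the portal is actually needed.
    OK: patched and SSL-VPN not listening.
    """
    model, version = parse_version(status_output)
    patched = is_patched(version, fixed_versions)
    exposed = ssl_vpn_listening(ssl_settings_output)
    if patched is not True and exposed:
        priority = "P1"
    elif patched is not True:
        priority = "P2"
    elif exposed:
        priority = "P3"
    else:
        priority = "OK"
    return {"host": hostname, "model": model,
            "version": ".".join(map(str, version)),
            "patched": patched, "ssl_vpn_listening": exposed, "priority": priority}


# Constructed sample output modelled on the FortiOS CLI format (not real devices).
STATUS_EDGE = "Version: FortiGate-100F v7.0.11,build0000,000000 (GA.F)\n"
SSL_EDGE = ('config vpn ssl settings\n    set servercert "Fortinet_Factory"\n'
            '    set source-interface "wan1"\n    set port 10443\nend\n')
STATUS_LAB = "Version: FortiGate-60F v7.2.5,build0000,000000 (GA.F)\n"
SSL_LAB = "config vpn ssl settings\n    set port 10443\nend\n"
STATUS_OLD = "Version: FortiGate-200E v6.4.9,build0000,000000 (GA)\n"  # branch not in table


def triage_sample() -> Dict[str, str]:
    """Run the constructed samples and return hostname -> priority."""
    results = [
        triage("fw-edge-01", STATUS_EDGE, SSL_EDGE),
        triage("fw-lab-01", STATUS_LAB, SSL_LAB),
        triage("fw-old-01", STATUS_OLD, SSL_LAB),
    ]
    return {r["host"]: r["priority"] for r in results}


if __name__ == "__main__":
    for host, priority in sorted(triage_sample().items()):
        print(f"{priority:3} {host}")
```

Paste real `get system status` and `show vpn ssl settings` output in place of the constructed samples. A branch missing from the table is deliberately treated as unpatched so that devices on unsupported branches are not silently marked clean; the scanner plugin mentioned above remains the authoritative confirmation of remediation.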

What next?

We’ll update this post with any big developments, but keep an eye on our socials (@ExpelSecurity) for additional recommendations as they emerge.