Security News > 2023 > June > Critical FortiOS and FortiProxy Vulnerability Likely Exploited - Patch Now!
Fortinet on Monday disclosed that a newly patched critical flaw impacting FortiOS and FortiProxy may have been "Exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors.
The vulnerability, tracked as CVE-2023-27997, concerns a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
LEXFO security researchers Charles Fol and Dany Bach have been credited with discovering and reporting the flaw.
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security.
Fortinet further said it is not attributing the exploitation events at this stage to a Chinese state-sponsored actor codenamed Volt Typhoon, which was disclosed by Microsoft last month as leveraging an unknown zero-day flaw in internet-facing Fortinet FortiGuard devices to gain initial access to target environments.
"Fortinet continues to monitor the situation and has been proactively communicating to customers, strongly urging them to immediately follow the guidance provided to mitigate the vulnerability using either the provided workarounds or by upgrading," the company told The Hacker News.
News URL
https://thehackernews.com/2023/06/critical-fortios-and-fortiproxy.html
Related news
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
- Netgear warns users to patch critical WiFi router vulnerabilities (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-13 | CVE-2023-27997 | Out-of-bounds Write vulnerability in Fortinet Fortios and Fortiproxy A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. | 9.8 |