Fortinet Addresses Critical FortiGate SSL-VPN Vulnerability

Network security solution provider Fortinet has patched a critical bug in its FortiOS and FortiProxy SSL-VPN software that could be exploited to hijack equipment.

The vulnerability, identified as CVE-2023-27997 with a CVSS score of 9.2, reportedly allowed remote code execution and was first discovered by a security analyst at Lexfo.

The security fixes were included in the FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5.

Interestingly, the release notes did not initially mention the critical SSL-VPN RCE vulnerability being addressed. However, security professionals and administrators, including Charles Fol from Lexfo, have hinted that these updates silently addressed the flaw, which was scheduled to be disclosed on June 13, 2023.

Writing on Twitter on Monday, Fol revealed that the latest FortiOS updates contain a fix for a critical RCE vulnerability he and Rioru had discovered.

“Fortinet has had to respond to a number of recent vulnerabilities, and this is another good example,” commented Mike Parkin, senior technical engineer at Vulcan Cyber.

According to the security expert, it is not uncommon for a patch to be released to address a vulnerability before publicly acknowledging its existence. 

Currently, it remains uncertain whether the vulnerability has been exploited in real-world attacks or if knowledge of it extends beyond the initial research findings.

“While researchers were able to create a proof of concept, that doesn’t always translate into a weaponized exploit,” Parkin added.

“That said, once the PoC [Proof of Concept] is made public [...] threat actors will try and create their own attack to leverage the exploit, which means Fortinet’s users need to patch their systems as soon as the patches are available.”

A separate PoC was released by Vulcan Cyber last week regarding a new technique to use ChatGPT as an attack vector.
