A critical remote code execution vulnerability has been patched in the latest Fortigate firmware updates for Fortinet FortiOS, FortiOS-6K7K, and FortiProxy SSL VPN devices. These updates were pushed out last week; however, specific details about the critical vulnerability patched were not made available until Monday, when Fortinet published a security advisory detailing fixed versions and a CVE analysis for this flaw. In their analysis Fortinet state that their investigation concluded that this critical severity flaw may have been exploited "a limited number" of times, and that they are working with affected customers to continue to monitor the situation.
This vulnerability is a heap-based buffer overflow flaw, in which a buffer allocated in the heap portion of memory can be overwritten past its bounds. Tracked as CVE-2023-27997, this flaw has been assigned a critical severity rating, with a CVSS base score of 9.8. A remote, unauthenticated attacker can exploit this vulnerability through maliciously crafted requests in order to execute arbitrary code or commands on vulnerable devices. French cybersecurity company Olympe Cyberdefense published an advisory stating that attackers can use the VPN capabilities to exploit this flaw even when MFA is in use on the vulnerable VPN.
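To illustrate the class of bug described above, here is an added example in C that is not Fortinet's code and does not reflect the FortiOS SSL VPN wire format: a hypothetical length-prefixed message is parsed into a fixed-size heap buffer, once trusting the attacker-controlled length field (the vulnerable pattern behind a heap-based buffer overflow) and once validating it against both the buffer capacity and the bytes actually received (the hardened pattern). The message layout, `PAYLOAD_CAP`, and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed message layout (not Fortinet's format): a 2-byte big-endian
 * length field followed by that many payload bytes. The receiver copies the
 * payload into a fixed-size heap allocation of PAYLOAD_CAP bytes. */
#define PAYLOAD_CAP 64

/* Vulnerable pattern: the declared length from the network is trusted.
 * A declared length above PAYLOAD_CAP writes past the heap allocation;
 * a declared length above the bytes actually received over-reads the input. */
int parse_untrusted_length_vulnerable(const uint8_t *in, size_t in_len, char **out)
{
    if (in_len < 2) return -1;
    size_t declared = ((size_t)in[0] << 8) | in[1];
    char *buf = malloc(PAYLOAD_CAP);
    if (!buf) return -1;
    memcpy(buf, in + 2, declared);   /* no check against PAYLOAD_CAP or in_len */
    *out = buf;
    return (int)declared;
}

/* Hardened pattern: the declared length is validated against the destination
 * capacity and against the number of input bytes that are really present. */
int parse_untrusted_length_checked(const uint8_t *in, size_t in_len, char **out)
{
    if (in_len < 2) return -1;
    size_t declared = ((size_t)in[0] << 8) | in[1];
    if (declared > PAYLOAD_CAP) return -1;   /* would overflow the heap buffer */
    if (declared > in_len - 2) return -1;    /* would over-read the input */
    char *buf = malloc(PAYLOAD_CAP);
    if (!buf) return -1;
    memcpy(buf, in + 2, declared);
    *out = buf;
    return (int)declared;
}

/* Builds a message with an arbitrary declared length so the two parsers can be
 * exercised with well-formed and malformed input. Returns total bytes written. */
size_t build_message(uint8_t *dst, size_t dst_cap, uint16_t declared,
                     const char *payload, size_t payload_len)
{
    if (dst_cap < 2 + payload_len) return 0;
    dst[0] = (uint8_t)(declared >> 8);
    dst[1] = (uint8_t)(declared & 0xff);
    memcpy(dst + 2, payload, payload_len);
    return 2 + payload_len;
}

/* Convenience wrapper: build a message, run the hardened parser, release the
 * buffer, and return the parser's result code. */
int checked_result(uint16_t declared, const char *payload, size_t payload_len)
{
    uint8_t msg[256];
    char *out = NULL;
    size_t n = build_message(msg, sizeof msg, declared, payload, payload_len);
    if (n == 0) return -2;
    int rc = parse_untrusted_length_checked(msg, n, &out);
    free(out);
    return rc;
}

int main(void)
{
    /* Well-formed: declared length matches the payload and fits PAYLOAD_CAP. */
    printf("well-formed:              rc=%d\n", checked_result(5, "hello", 5));
    /* Declared length 4096 far exceeds the 64-byte heap buffer: rejected here,
     * but the vulnerable parser would write 4096 bytes into a 64-byte allocation. */
    printf("oversized declared length: rc=%d\n", checked_result(4096, "hello", 5));
    /* Declared length fits the buffer but exceeds the bytes received: rejected. */
    printf("truncated payload:         rc=%d\n", checked_result(60, "hello", 5));
    return 0;
}
```

The hardened parser rejects a message whenever the length field disagrees with either the allocation size or the actual input size; the vulnerable parser performs the same copy without those two comparisons, which is exactly the gap a crafted request exploits in a heap-based buffer overflow.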
Security researcher Charles Fol, who discovered this vulnerability, has shared that it is present on "every SSL VPN appliance", so it is advisable that all FortiOS and FortiProxy users patch their devices as soon as possible. The current Fortigate firmware releases also patch 3 high-severity and 2 medium-severity flaws, all of which likewise affect the SSL VPN module of vulnerable devices. Although disabling the SSL VPN module can serve as a workaround to mitigate these flaws, Fortinet still advise all customers to update to the most recent firmware release and harden their systems, to best guarantee protection against exploitation of this critical flaw. A full list of affected products and fixed versions can be found in the PSIRT advisory published by FortiGuard Labs.