A zero-day flaw in FortiOS has been exploited in attacks against government and other large organisations, resulting in file corruption and data loss on the affected devices. The vulnerability was rated only medium severity, with a CVSS base score of 6.5, yet it has been used to take down multiple FortiGate firewalls in a complex and highly targeted campaign. Tracked as CVE-2022-41328, it affects FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.9, 6.4.0 through 6.4.11, and all 6.2 and 6.0 releases. It is a path traversal vulnerability (improper limitation of a pathname to a restricted directory) that allows a privileged attacker to read and write arbitrary files on the device through crafted CLI commands. The modest score reflects that exploitation requires an already privileged account, not that the impact is limited: an attacker who has obtained administrative access gains a way to read and modify files outside the directories the CLI is meant to expose.
Fortinet attributes the attacks exploiting this vulnerability to a threat actor with a "deep understanding of FortiOS and the underlying hardware […] including reverse-engineering various parts of FortiOS". Although the attacks are currently believed to be limited to governmental or government-related targets, all users of vulnerable versions should upgrade to a patched release as soon as possible, since the flaw is being actively exploited. Patched versions are FortiOS 7.2.4 and above, 7.0.10 and above, and 6.4.12 and above; no fixed release is listed for the 6.2 and 6.0 branches, so devices on those branches need to be migrated to one of the fixed branches.
Fortinet also published a second security advisory on the same day, for a critical vulnerability in FortiOS and FortiProxy that can allow remote code execution. Tracked as CVE-2023-25610, it has a CVSS base score of 9.3/10. It is a buffer underwrite: a write made through an index or pointer that references a memory location before the start of the buffer, so the data lands in whatever memory precedes it and typically corrupts adjacent data or control structures. It can be exploited by a remote, unauthenticated attacker, although no exploitation in the wild has been reported so far.
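As an added illustration of the bug class (not Fortinet's code, and not the FortiOS defect itself, whose internals Fortinet has not published), the following C snippet shows the CWE-124 pattern in a toy value parser: a terminator index computed as length minus a fixed suffix length goes negative on short input, and the write lands in the field stored immediately before the buffer. The record layout, the "OWNER" field and the suffix-stripping logic are assumptions made for the demonstration; the hardened version beside it shows the bounds check that prevents the underwrite.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Fortinet's code: a toy CWE-124 buffer underwrite
 * beside its hardened form. The record layout and suffix handling are
 * assumptions for the demonstration. */

#define OWNER_LEN 8   /* bytes stored immediately before the value buffer */
#define VALUE_LEN 16  /* the buffer the parser is allowed to write */

/* One contiguous record: [owner: 8 bytes][value: 16 bytes]. Passing
 * bytes + OWNER_LEN as "the buffer" means any negative index lands in
 * owner, which stands in for whatever a real program keeps there. */
struct record {
    char bytes[OWNER_LEN + VALUE_LEN];
};

static void record_init(struct record *r, const char *value) {
    memset(r->bytes, 0, sizeof r->bytes);
    memcpy(r->bytes, "OWNER:ok", OWNER_LEN);
    strncpy(r->bytes + OWNER_LEN, value, VALUE_LEN - 1); /* stays NUL-terminated */
}

/* Vulnerable: strips a suffix of known length by writing '\0' at
 * len - suffix_len. Nothing checks that len >= suffix_len, so a value
 * shorter than the suffix gives a negative index and the write goes
 * before value[0]. */
static void strip_suffix_vulnerable(char *value, int suffix_len) {
    int len = (int)strlen(value);
    value[len - suffix_len] = '\0';   /* underwrite when len < suffix_len */
}

/* Hardened: reject input that cannot contain the suffix, and keep the
 * arithmetic in size_t so it cannot go negative unnoticed. */
static int strip_suffix_safe(char *value, size_t suffix_len) {
    size_t len = strlen(value);
    if (len < suffix_len)
        return -1;                    /* refuse rather than write before value[0] */
    value[len - suffix_len] = '\0';
    return 0;
}

/* 1 if the bytes in front of the value buffer are untouched, else 0. */
static int owner_intact(const struct record *r) {
    return memcmp(r->bytes, "OWNER:ok", OWNER_LEN) == 0;
}

/* "abc" (3 bytes) with a 5-byte suffix: index 3 - 5 = -2, so the
 * vulnerable version overwrites owner[6]. Returns owner_intact(): 0. */
int demo_vulnerable(void) {
    struct record r;
    record_init(&r, "abc");
    strip_suffix_vulnerable(r.bytes + OWNER_LEN, 5);
    return owner_intact(&r);
}

/* Same input through the hardened version: rejected, owner untouched.
 * Returns 1 on that outcome. */
int demo_safe_rejects(void) {
    struct record r;
    record_init(&r, "abc");
    int rc = strip_suffix_safe(r.bytes + OWNER_LEN, 5);
    return rc == -1 && owner_intact(&r);
}

/* Well-formed input: ";utf-8" (6 bytes) is stripped from "abc;utf-8". */
const char *demo_safe_strips(void) {
    static struct record r;
    record_init(&r, "abc;utf-8");
    strip_suffix_safe(r.bytes + OWNER_LEN, strlen(";utf-8"));
    return r.bytes + OWNER_LEN;   /* "abc" */
}

int main(void) {
    printf("vulnerable: owner intact = %d\n", demo_vulnerable());
    printf("hardened:   rejected and owner intact = %d\n", demo_safe_rejects());
    printf("hardened:   stripped value = \"%s\"\n", demo_safe_strips());
    return 0;
}
```

The negative index is computed from attacker-controlled length, which is the general shape of this class: the write target is legal-looking array syntax, but the arithmetic that produced the index was never bounded below. Keeping lengths unsigned and checking the subtraction before indexing, as the hardened version does, closes the hole without changing the parser's behaviour on valid input.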
A successful attack could allow arbitrary code execution or a denial of service (DoS) against the GUI. The trigger is a crafted HTTP/HTTPS request to the administrative interface, so disabling HTTP/HTTPS administrative access on the device mitigates the issue. Another workaround is to limit which IP addresses can reach the administrative interface: define the permitted management addresses as an address group and use a Local in Policy that accepts HTTP/HTTPS only from that group and denies it from everywhere else. Both are stop-gaps that reduce exposure; upgrading to a fixed release listed in Fortinet's advisory is the actual remedy. Affected products are FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.9, 6.4.0 through 6.4.11, 6.2.0 through 6.2.12 and all 6.0 releases, and FortiProxy 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 2.0.0 through 2.0.12 and all 1.2 and 1.1 releases. Some hardware models running affected FortiOS builds are exposed only to the DoS outcome and not to code execution; the advisory lists those models, and any device not on that list should be treated as vulnerable to both.