Fortinet patches critical bug in SSL VPN appliances - update now, admins urged

No official announcement yet, but researchers confirm updated firmware contains a fix

Fortinet has patched a critical flaw in its Fortigate devices, with admins urged to apply firmware updates as a matter of urgency.

The flaw is a critical pre-authentication remote code execution (RCE) vulnerability in Fortinet's SSL VPN appliances that's tagged as CVE-2023-27997. It was identified by Lexfo Security researchers Charles Fol and Dany Bach (rioru).

According to security vendor Olympe Cyberdefense, the bug allows remote threat actors to interfere with VPN connections, even with multi-factor authentication (MFA) in place.

Fortinet has now released firmware fixes in FortiOS versions 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5, although it has yet (Monday, 9.30 UTC) to announce that fact on its website. This is not unusual; the company usually patches its systems before making an announcement about the nature of the flaw the new versions are designed to fix. An official announcement is expected on Tuesday.

However, given the popularity of Fortinet firewalls and VPN devices, and hence the likelihood of them being targeted by threat actors, Fol and Rioru urged administrators to apply the firmware updates, which they confirmed contain fixes for CVE-2023-27997, as soon as possible.
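For administrators checking a fleet against the fixed releases listed above, the following is an added example (not code from the article, Lexfo or Fortinet) that maps a FortiOS version string to its branch and reports whether it is at or above the first fixed build for that branch. The fixed-version table is taken from the versions quoted in this article; the `get system status` output line it parses is a constructed sample, and a branch not in the table is reported as unknown rather than assumed safe.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed FortiOS build per branch, as listed in the article.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}


def parse_version(text: str) -> Version:
    """Turn '7.0.11', 'v7.0.11' or 'v7.0.11,build0489' into (7, 0, 11)."""
    core = text.strip().lstrip("vV").split(",")[0].split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def patch_status(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for a version string."""
    version = parse_version(version_text)
    first_fixed = FIXED_RELEASES.get(version[:2])
    if first_fixed is None:
        # Branch not covered by the article's list: do not guess either way.
        return "unknown-branch"
    return "patched" if version >= first_fixed else "vulnerable"


def version_from_system_status(output: str) -> Optional[str]:
    """Extract the firmware version from FortiOS 'get system status' output.

    The line looked for has the shape 'Version: <model> v7.0.11,build0489,...'
    (assumed format; returns None if no such line is present).
    """
    match = re.search(r"^Version:\s*\S+\s+v(\d+\.\d+\.\d+)", output, re.MULTILINE)
    return match.group(1) if match else None


# Constructed sample of a 'get system status' excerpt, not captured from a real device.
SAMPLE_STATUS = """Version: FortiGate-100F v7.0.11,build0489,230314 (GA.F)
Serial-Number: FG100FTK00000000
BIOS version: 05000011
"""


def status_for_device(output: str) -> str:
    """Combine extraction and comparison for one device's status output."""
    version = version_from_system_status(output)
    if version is None:
        return "version-not-found"
    return patch_status(version)


if __name__ == "__main__":
    print(version_from_system_status(SAMPLE_STATUS), status_for_device(SAMPLE_STATUS))
```

Because tuple comparison is lexicographic, a build on a newer branch than the table covers (for instance a 7.4.x release) is never silently reported as patched; such devices need the vendor advisory consulted once it is published.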

"[The vulnerability] is reachable pre-authentication, on every SSL VPN appliance. Patch your #Fortigate. Details at a later time. #xortigate," Fol tweeted on Sunday.

Now that the patched versions have been released, threat actors will doubtless be working on exploits by comparing the older versions of FortiOS with the new patched ones, meaning that attacks, if they have not already begun, will do so soon.

Previous SSL-VPN flaws have been exploited by threat actors shortly after patches were released, enabling data theft and ransomware attacks.

In March, Fortinet patched another critical vulnerability in FortiOS and FortiProxy. The bug, CVE-2023-25610, is a buffer underflow vulnerability in the administrative interface.

That followed hot on the heels of another critical bug, CVE-2022-39952, in the company's FortiNAC zero trust solution, which allowed remote code execution as root.