Fortinet Security Update - 12 June 2023

131/2023
Critical
June 12, 2023
3:15 pm

Fortinet has released a security update to fix a critical SSL-VPN RCE vulnerability in multiple FortiOS firmware versions.

The addressed vulnerability could allow the attacker to execute arbitrary code, and gain access by sending a specially crafted request to the affected products.

The addressed vulnerability:

Fortinet FortiGate and FortiOS Code Execution (CVE-2023-27997):

CVSS: 9.8
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Consequences: Gain Access

It should be highlighted that the flaw has been fixed in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

Vulnerabilities

CVE-2023-27997

Mitigations

The enterprise should check with the vendor for the latest patch versions released to every product individually and apply it as soon as the testing phase is completed.

FortiOS Released Notes Version 6.2.15.
FortiOS Released Notes Version 6.4.13.
FortiOS Released Notes Version 7.0.12.
FortiOS Released Notes Version 7.2.5.

References

FortiOS Released Notes Version 6.2.15.
FortiOS Released Notes Version 6.4.13.
FortiOS Released Notes Version 7.0.12.
FortiOS Released Notes Version 7.2.5.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.