A patch for a reachable pre-authentication RCE vulnerability, CVE-2023-27997, was quietly included in the firmware updates Fortinet published on 6/9/2023. The vulnerability affects FortiGate devices with SSL-VPN enabled, so if you run SSL-VPN on a FortiGate, apply the 6/9 updates ASAP. A Shodan search suggests as many as 250,000 FortiGate firewalls are reachable from the internet, though the actual scope will not be clear until Fortinet publishes the full advisory for the released patches.
The vulnerability, identified by Charles Fol and Dany Bach of Lexfo Security, gives an attacker who can reach the SSL-VPN interface remote code execution on the device without any credentials. Because the flaw is hit before authentication, enforcing MFA on the VPN does not mitigate it. Fol and Bach will publish further details once FortiGate customers have had time to apply the patches.
If you have a Fortinet device with SSL-VPN enabled on it, patch it now!
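The advice above reduces to two checks per FortiGate: is SSL-VPN enabled, and is the running build below the fixed build for its branch. The script below is an added example, not code from the original post or from Fortinet. It parses the text output of the FortiOS CLI commands `get system status` and `show vpn ssl settings` (the output formats are assumed from typical FortiOS CLI output, and the sample outputs embedded in it are constructed, not captured from a device) and reports whether the device is exposed. The fixed-build table holds the builds Fortinet listed for this CVE; confirm it against Fortinet's advisory before relying on it, and treat any branch missing from the table as "check the advisory", not as safe.

```python
"""Triage helper for CVE-2023-27997 exposure on a FortiGate.

Added example, not from the original post or from Fortinet. Parses the
output of `get system status` and `show vpn ssl settings` (formats assumed
from typical FortiOS CLI output) and reports whether the device has SSL-VPN
enabled and runs a build below the fixed build for its branch.
"""
import re

# Fixed builds per FortiOS branch as listed by Fortinet for CVE-2023-27997.
# Verify against the current advisory before relying on this table.
FIXED_BUILDS = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
    (6, 2): (6, 2, 14),
    (6, 0): (6, 0, 17),
}

# Matches the "v7.0.11" token on the "Version:" line of `get system status`.
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")


def parse_version(status_output: str) -> tuple:
    """Return (major, minor, patch) from the 'Version:' line of `get system status`."""
    for line in status_output.splitlines():
        if line.strip().startswith("Version:"):
            m = VERSION_RE.search(line)
            if m:
                return tuple(int(x) for x in m.groups())
    raise ValueError("no FortiOS version found in status output")


def sslvpn_enabled(ssl_settings_output: str) -> bool:
    """SSL-VPN is listening once a source-interface is bound under
    `config vpn ssl settings` (the `show` output omits unset values),
    unless the build exposes `set status` and it is set to disable."""
    has_iface = False
    disabled = False
    for line in ssl_settings_output.splitlines():
        s = line.strip()
        if s.startswith("set source-interface "):
            has_iface = True
        if s == "set status disable":
            disabled = True
    return has_iface and not disabled


def build_status(version: tuple) -> str:
    """'vulnerable' if below the fixed build for its branch, 'fixed' if at or
    above it, 'unknown' if the branch is not in the table (check the advisory)."""
    fixed = FIXED_BUILDS.get(tuple(version[:2]))
    if fixed is None:
        return "unknown"
    return "vulnerable" if tuple(version) < fixed else "fixed"


def triage(status_output: str, ssl_settings_output: str) -> dict:
    """Combine both checks; 'exposed' is True only when SSL-VPN is enabled
    and the build is known to be below the fix. An 'unknown' build with
    SSL-VPN enabled is flagged for manual review rather than marked safe."""
    version = parse_version(status_output)
    enabled = sslvpn_enabled(ssl_settings_output)
    status = build_status(version)
    return {
        "version": ".".join(str(x) for x in version),
        "sslvpn_enabled": enabled,
        "build_status": status,
        "exposed": enabled and status == "vulnerable",
        "review": enabled and status == "unknown",
    }


# Constructed sample outputs (not captured from a real device).
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.0.11,build0489,230314 (GA.M)
Firmware Signature: certified
Hostname: fw-edge-01
Operation Mode: NAT
"""

SAMPLE_SSL_SETTINGS = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 10443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-access"
end
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_STATUS, SAMPLE_SSL_SETTINGS).items():
        print(f"{key}: {value}")
```

Run it against the real CLI output of each firewall (for example, collected over SSH) rather than the constructed samples; a device that reports `exposed: True` is the one to take off the schedule and patch now.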
Articles about the Vulnerability:
https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-rce-flaw-in-fortigate-ssl-vpn-devices-patch-now/
https://www.securityweek.com/fortinet-patches-critical-fortigate-ssl-vpn-vulnerability/
Charles Fol’s Twitter post regarding the patch:
https://twitter.com/cfreal_/status/1667852157536616451?cxt=HHwWhoC2veuss6UuAAAA
MITRE placeholder for CVE details (will contain the details once they are released): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27997
