FortiOS Remote Code Execution Vulnerability (June 2023)
Date of Notice: 06/12/2023
Action Level - Critical
Fortinet has released FortiOS updates to remediate a critical vulnerability affecting the SSL VPN functionality of FortiGate devices. If exploited, it could allow a remote unauthenticated attacker to interfere via VPN, even if MFA is activated on the device. Due to the serious nature of the vulnerability, we recommend investigating potentially impacted devices and updating to a fixed version if you are affected.
- FortiOS 6.0.17
- FortiOS 6.2.15
- FortiOS 6.4.13
- FortiOS 7.0.12
- FortiOS 7.2.5
Note: all SSL VPN appliances running versions older than the fixed versions listed above are vulnerable to this attack.
Any attacker with network access to the FortiGate device, whether they have authentication and MFA credentials or not.
There are currently no known exploits for this vulnerability, but one is expected shortly.
There are no known mitigations for this vulnerability.
Update to a current supported version of FortiOS.
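To triage a device inventory against the fixed versions listed above, the following Python check is an added example, not part of the original notice or Fortinet's tooling. It assumes each inventory entry contains a FortiOS version in `vX.Y.Z` form; the hostnames and build strings are constructed, and treating unlisted branches older than 7.2 as vulnerable is this example's reading of the note above.

```python
import re

# Fixed release per branch, taken from the list in this notice.
FIXED = {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5}

# Three-part version such as "v7.0.11"; the look-arounds reject IP addresses.
VERSION_RE = re.compile(r"(?<![\d.])v?(\d+)\.(\d+)\.(\d+)(?![\d.])")


def classify(version_text):
    """Return 'fixed', 'vulnerable', 'unlisted' or 'unparsed' for one entry."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unparsed"  # needs a manual look, never assume it is safe
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "vulnerable"
    # Assumption: a branch with no fixed release that is older than the
    # newest listed branch counts as "older than the fixed versions".
    if branch < max(FIXED):
        return "vulnerable"
    return "unlisted"  # newer than anything in the notice: check the vendor


def audit(inventory):
    """Map hostname -> status for a {hostname: version text} inventory."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = {
    "fw-hq": "FortiGate-100F v7.0.11,build0489,230314 (GA)",
    "fw-branch": "FortiGate-60F v7.2.5,build1517,230606 (GA)",
    "fw-lab": "v6.4.13",
    "fw-old": "FortiGate-60D v5.6.14,build1727 (GA)",
    "fw-new": "v7.4.0",
    "fw-unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Entries reported as `unparsed` or `unlisted` should be checked by hand rather than treated as safe.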