06.12.2023

FortiOS Remote Code Execution Vulnerability (June 2023)

Alert

Date of Notice: 06/12/2023

Action Level - Critical

Description

Fortinet has released FortiOS updates to remediate a critical vulnerability affecting the SSL VPN functionality of FortiGate devices. If exploited, it could allow a remote unauthenticated attacker to interfere via VPN, even if MFA is activated on the device. Due to the serious nature of the vulnerability, we recommend investigating potentially impacted devices and updating to a fixed version if you are affected.

Fixed Versions

  • FortiOS 6.0.17
  • FortiOS 6.2.15
  • FortiOS 6.4.13
  • FortiOS 7.0.12
  • FortiOS 7.2.5

Note: all SSL VPN appliances running versions older than the fixed versions listed above are vulnerable to this attack.
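
The version check described in the note above, as an added example that is not part of the original alert and is not Fortinet code: it compares device version strings against the fixed releases listed here. The hostnames, versions and build suffix in the inventory are constructed, and reporting branches absent from the list as "unknown" is an assumption.

```python
import re

# Fixed releases listed in this alert, keyed by (major, minor) branch.
FIXED = {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5}
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from a string such as 'v7.0.11,build0489'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(part) for part in match.groups())

def classify(version_text):
    """Classify one version string against the alert's fixed-version list."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"  # older than every fixed release in the alert
    return "unknown"  # assumption: branch not named here, check the vendor advisory

def triage(inventory):
    """Group hostnames by status; unparseable versions land in 'unknown'."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        try:
            status = classify(version_text)
        except ValueError:
            status = "unknown"
        report[status].append(host)
    return report

# Constructed inventory: hostnames, versions and build suffix are illustrative.
SAMPLE_INVENTORY = {
    "fw-branch-01": "v7.0.11,build0489",
    "fw-dc-01": "v6.2.14",
    "fw-hq-01": "7.2.5",
    "fw-lab-01": "v6.4.13",
    "fw-new-01": "v7.4.0",
    "fw-old-01": "v5.6.14",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
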

Attack Vector

Any attacker with network access to the FortiGate device, whether they have authentication and MFA credentials or not.

Attack Feasibility 

There are currently no known exploits for this vulnerability, but one is expected shortly.

Mitigation

There are no known mitigations for this vulnerability.

Remediation

Update to a current supported version of FortiOS.

Other Resources

Bleeping Computer: Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now

Security Week: Fortinet Patches Critical FortiGate SSL VPN Vulnerability


MCNC