FortiOS Remote Code Execution Vulnerability (June 2023)
Date of Notice: 06/12/2023
Action Level - Critical
Description
Fortinet has released FortiOS updates to remediate a critical vulnerability affecting the SSL VPN functionality of Fortigate devices. If exploited it could allow a remote unauthenticated attacker to interfere via VPN, even if MFA is activated on the device. Due to the serious nature of the vulnerability we recommend investigating potentially impacted devices and updating to a fixed version if you are affected.
Fixed Versions
- FortiOS 6.0.17
- FortiOS 6.2.15
- FortiOS 6.4.13
- FortiOS 7.0.12
- FortiOS 7.2.5
Note: all SSL VPN appliances running versions older than the fixed versions listed above are vulnerable to this attack.
Attack Vector
Any attacker with network access to the Fortigate device, whether they have authentication and MFA credentials or not
Attack Feasibility
There are currently no known exploits for this vulnerability, but one is expected shortly.
Mitigation
There are no known mitigations for this vulnerability
Remediation
Update to a current supported version of FortiOS.
Other Resources
Bleeping Computer : Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now
Security Week : Fortinet Patches Critical FortiGate SSL VPN Vulnerability