FortiOS Remote Code Execution Vulnerability
Date of Notice: 07/12/2023
Action Level - Critical
Description
Fortinet has released updates to remediate a critical vulnerability impacting devices running certain versions of FortiOS and FortiProxy. If exploited it could allow a remote unauthenticated attacker to execute arbitrary code via crafted packets to the device. Due to the serious nature of the vulnerability we recommend investigating potentially impacted devices and updating to a fixed version if you are affected.
Affected Versions
- FortiOS 7.2.0 through 7.2.3
- FortiOS 7.0.0 through 7.0.10
- FortiProxy 7.2.0 through 7.2.2
- FortiProxy 7.0.0 through 7.0.9
Attack Vector
An attacker with network access to the Fortigate device
Attack Feasibility
There are currently no reported exploits for this vulnerability.
Mitigation
Administrators can mitigate this vulnerability by disabling HTTP/2 support on vulnerable firewall policies as described in the vendor advisory.
Remediation
Update to a current supported version of FortiOS.
Vendor Resources