69% of FortiGate firewalls vulnerable to critical unpatched RCE vulnerability CVE-2023-27997

Are unpatched FortiGate firewalls creating a new cyber risk? Experts are sounding the alarm because around 70% of FortiGate firewalls are vulnerable to attack via the critical CVE-2023-27997 vulnerability. More than 336,000 servers are reported to be unprotected through the firewall (e.g. via VPN) as a result. Fortinet already closed the vulnerability in its FortiGate firewalls in June 2023 through firmware updates. However, news of this did not reach administrators, partly because of poor communication.


FortiGate firewall vulnerability CVE-2023-27997

I had reported on the critical RCE bug (CVE-2023-27997) in Fortigate SSL VPNs as of June 12, 2023, following a reader advisory, in the blog post Fortinet fixes critical RCE bug in Fortigate SSL VPNs (June 2023). The vulnerability allows an attacker to infiltrate through the VPN even if MFA is enabled.

Fortinet had released security updates for FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5 to address this vulnerability that allows remote code execution in the firewalls.
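A firmware inventory can be checked against the fixed releases listed above. The following is an added example, not code from Fortinet or from the original post; the inventory format, host names and build numbers are constructed, and it assumes that a release numbered below the fixed one on the same branch still lacks the fix.

```python
import re

# Fixed FortiOS releases named in the article, keyed by (major, minor) branch.
FIXED = {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory: "hostname,version text" (all values made up).
SAMPLE_INVENTORY = [
    "fw-branch-01,v6.4.9,build1966",
    "fw-hq-01,FortiGate-100F v7.2.5,build1517",
    "fw-lab-01,v7.0.11,build0489",
    "fw-dc-02,v6.2.15",
    "fw-old-03,v5.6.14",   # branch not listed in the article
    "fw-new-04,",          # version missing from the inventory
]


def classify(version_text):
    """Return 'patched', 'needs_update' or 'unknown' for a version string."""
    m = VERSION_RE.search(version_text or "")
    if not m:
        return "unknown"
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # The article names no fixed release for this branch; do not guess.
        return "unknown"
    # Compare as integers: as strings, "9" would sort after "13".
    return "patched" if patch >= fixed_patch else "needs_update"


def triage(lines):
    """Map each host in the inventory to its patch status."""
    result = {}
    for line in lines:
        host, _, version_text = line.partition(",")
        result[host.strip()] = classify(version_text)
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Hosts reported as `unknown` need a manual check against Fortinet's advisory, since the article only names the five branches above.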

However, administrators accused Fortinet of poor communication, because some readers only learned of the vulnerability through my blog post. There was no timely PSIRT release from Fortinet warning of the critical vulnerability. The security specialists at OLYMPE pointed out the updates that close the critical vulnerability. I had also included this in the above post. There is an analysis of the vulnerability in this article – if anyone is interested.

The consequence: Unpatched Firewalls

The communication chaos caused by Fortinet outlined above is not without consequences. Security researchers are sounding the alarm because a good 70 percent of FortiGate firewalls are vulnerable to attack via the CVE-2023-27997 vulnerability.

FortiGate firewall vulnerability CVE-2023-27997


For example, The Record Media picked it up in the above tweet as well as in this article. Security experts at security firm Bishop Fox have developed an exploit for CVE-2023-27997 and state that it runs within one second. A blog post by the security researchers states, "There are 490,000 affected SSL VPN interfaces on the Internet, and about 69% of them are currently unpatched. You should patch your interfaces now."

The Shodan search engine returned around 250,000 FortiGate installations to the security researchers that are reachable via the Internet. From this, the researchers came up with the above figure of 490,000 affected SSL VPN interfaces. If 69% of FortiGate instances are unpatched, this brings the number of servers vulnerable to this critical vulnerability to around 336,000, as mentioned by Ars Technica in this article.

Firewalls are widely deployed in government agencies, ministries and industry. The poor patch status is an invitation for cybercriminals to penetrate networks via vulnerabilities. These attack vectors have certainly been exploited by cybercriminals in the past for attacks on authorities or governments.
