Fortinet: Patched Critical Flaw May Have Been Exploited

Published: 23/11/2024   Category: security


Users urged to apply updates to FortiOS SSL-VPN after attackers may have leveraged a recently discovered vulnerability in attacks against government, manufacturing, and critical infrastructure organizations.

Attackers may have exploited a flaw in Fortinet's FortiOS SSL-VPN in a limited number of cases that affected users in government, manufacturing, and critical infrastructure sectors.
Fortinet issued a fix for the vulnerability, tracked as CVE-2023-27997 (FG-IR-23-097) and rated as critical, that it is urging customers to apply while it monitors the situation, the company said in a blog post published this week.
Exploitation of the flaw can produce data loss and OS and file corruption for victims, which is why it is imperative for affected customers to update their systems, according to Fortinet.
"If the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release," Carl Windsor, Fortinet's senior vice president, product technology, wrote in the post. "If the customer is not operating SSL-VPN the risk of this issue is mitigated; however, Fortinet still recommends upgrading."
The pre-authentication heap-based buffer overflow affects the SSL-VPN component of FortiOS and FortiProxy and can allow unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests, according to Fortinet. FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5, released by the vendor on Friday, patch the vulnerability.
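A practical check that follows from the paragraph above: a fleet inventory usually yields a FortiOS version string per device plus whether SSL-VPN is enabled, and the decision has to be made per release branch (7.0.11 is vulnerable while 6.4.13 is fixed, and a naive string comparison puts "7.0.9" after "7.0.12"). The script below is an added example, not Fortinet code. It hard-codes only the fixed versions the article lists; the 7.4 branch is not mentioned on this page, so it is reported as unknown rather than guessed, and the version strings are assumed to be plain "major.minor.patch" with an optional leading "v".

```python
"""Branch-aware check of a FortiOS version against the CVE-2023-27997 fixes.

Added example, not Fortinet code. Fixed versions are the ones the article
lists (FortiOS 6.0.17, 6.2.15, 6.4.13, 7.0.12, 7.2.5). Branches not listed
on the page (e.g. 7.4) are reported as unknown instead of being guessed.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched build per release branch, as listed in the article.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}


def parse_version(text: str) -> Version:
    """'v7.0.11' or '7.0.11' -> (7, 0, 11). Anything else is rejected so a
    malformed inventory row cannot silently pass as 'patched'."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the fix for its branch, False if below,
    None if the branch is not one the article lists."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    # Tuple comparison compares integers, so (7, 0, 9) < (7, 0, 12) as it should.
    return v >= fixed


def assess(version: str, sslvpn_enabled: bool) -> str:
    """Triage verdict following the vendor guidance quoted in the article:
    upgrade immediately if SSL-VPN is enabled and the build is unpatched;
    a disabled SSL-VPN mitigates exposure but upgrading is still advised."""
    patched = is_patched(version)
    if patched is None:
        return "unknown-branch: consult the advisory for this release train"
    if patched:
        return "patched"
    if sslvpn_enabled:
        return "vulnerable: SSL-VPN enabled, upgrade immediately"
    return "unpatched: SSL-VPN disabled mitigates exposure, upgrade anyway"


if __name__ == "__main__":
    # Constructed sample inventory rows: (version, sslvpn_enabled).
    inventory = [("7.0.11", True), ("7.0.12", True), ("6.4.13", False),
                 ("7.2.4", False), ("v7.0.9", True), ("7.4.0", True)]
    for ver, ssl in inventory:
        print(f"{ver:>8}  sslvpn={ssl!s:5}  -> {assess(ver, ssl)}")
```

Run it against real inventory by feeding the version and SSL-VPN status columns into `assess`; anything that raises `ValueError` deserves a manual look rather than being dropped from the report.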
Fortinet found the flaw in an audit of its SSL-VPN platform after the rampant exploitation of another vulnerability, CVE-2022-42475, which was a zero-day bug when discovered in January.
"This audit, together with a responsible disclosure from a third-party researcher, led to the identification of certain issues that have been remediated in the current firmware releases," Windsor wrote.
Though attackers used a previously identified Fortinet vulnerability, CVE-2022-40684 (FG-IR-22-377), in the recently discovered Volt Typhoon campaign against US critical infrastructure targets, Fortinet so far is not conclusively linking CVE-2023-27997 to this series of attacks, the company said in the post.
However, Fortinet said this does not rule out its use in the campaign, whether it is being exploited now or attackers leverage it in the future.
"Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," Windsor wrote.
Discovered by Microsoft, Volt Typhoon is a series of attacks in which China-sponsored threat actors established persistent access within telecom networks and other critical infrastructure targets in the US.
Volt Typhoon attackers used CVE-2022-40684, an authentication bypass vulnerability in Fortinet FortiOS and FortiProxy, for initial access, Fortinet confirmed. Internet-facing Fortinet devices are a popular target for a range of threat actors as a way to gain a foothold in enterprise networks.
Specifically, Fortinet researchers discovered admin accounts named "fortinet-tech-support" and "fortigate-tech-support" on customer devices related to the Volt Typhoon campaign, the company said.
"Our own research, conducted in collaboration with our customers, has identified that the Volt Typhoon campaign uses a variety of tactics, techniques, and procedures (TTPs) to gain access to networks, including a widely used technique known as 'living off the land' to evade detection," Windsor wrote.
While applying product updates is the key way to avoid compromise, Fortinet made other suggestions to help affected organizations resolve the issue. One is to review systems for evidence of exploitation of previous Fortinet vulnerabilities, such as the one exploited by Volt Typhoon, the company said.
Minimizing the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible can also reduce exposure to attacks that exploit existing vulnerabilities, according to Fortinet.
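The review Fortinet recommends above, looking for evidence of earlier compromise such as the planted admin accounts named in the Volt Typhoon section, can be done offline against a configuration backup rather than on the live appliance. The script below is an added example, not Fortinet code. It walks the `config system admin` section of a FortiOS-style configuration, flags the two account names the article quotes as indicators, and also reports any admin not on a locally maintained allowlist. The configuration text is constructed to mirror FortiOS syntax and is not from a real device; the allowlist is an assumed per-site input.

```python
"""Hunt a FortiOS configuration backup for rogue admin accounts.

Added example, not Fortinet code. The indicator names are the two account
names the article reports on compromised devices. The sample configuration
is constructed to mirror FortiOS 'config ... edit ... next ... end' syntax.
"""
import re
from typing import Dict, Iterable

# Admin account names Fortinet reported on devices tied to Volt Typhoon.
IOC_ADMIN_NAMES = frozenset({"fortinet-tech-support", "fortigate-tech-support"})

# Constructed sample backup: one legitimate admin plus one planted account.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "fortinet-tech-support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"([^"]+)"$')
_SET_RE = re.compile(r"^set\s+(\S+)\s+(.+)$")


def parse_admins(config: str) -> Dict[str, Dict[str, str]]:
    """Return {admin_name: {setting: value}} from 'config system admin'.

    Only that section is parsed; every other 'config ... end' block is
    skipped, so interface or policy entries never show up as admins."""
    admins: Dict[str, Dict[str, str]] = {}
    in_admin_block = False
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_admin_block = True
            continue
        if not in_admin_block:
            continue
        if line == "end":
            break  # end of the admin section
        if (m := _EDIT_RE.match(line)):
            current = m.group(1)
            admins[current] = {}
        elif line == "next":
            current = None
        elif current is not None and (m := _SET_RE.match(line)):
            admins[current][m.group(1)] = m.group(2).strip('"')
    return admins


def find_suspicious_admins(config: str, allowlist: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious admin name to the reason it was flagged.

    Indicator names are reported even if someone added them to the
    allowlist; any other account missing from the allowlist is reported
    as unexpected together with its access profile."""
    allowed = set(allowlist)
    findings: Dict[str, str] = {}
    for name, settings in parse_admins(config).items():
        if name in IOC_ADMIN_NAMES:
            findings[name] = "matches Volt Typhoon indicator account name"
        elif name not in allowed:
            profile = settings.get("accprofile", "?")
            findings[name] = f"not in allowlist (profile {profile})"
    return findings


if __name__ == "__main__":
    for name, reason in find_suspicious_admins(SAMPLE_CONFIG, ["admin"]).items():
        print(f"{name}: {reason}")
```

Treat a clean result as one negative check, not a clean bill of health: the two names are indicators from one reported campaign, and an attacker who already has administrative access can name an account anything, so the allowlist comparison and a look at each admin's `accprofile` and `trusthost` restrictions matter more than the fixed strings.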
