338K+ FortiGate Firewalls Still Unpatched for Critical Vulnerability

A critical vulnerability affecting FortiGate firewalls, tracked as CVE-2023-27997, has left more than 338,000 devices exposed to potential exploitation.

The flaw, which permits remote code execution, was patched by Fortinet in June. However, a large portion of affected devices remain unpatched and vulnerable.

Security firm Bishop Fox created a proof-of-concept exploit to demonstrate the seriousness of the vulnerability and to encourage administrators to update their systems.

Rated 9.8 out of 10 on the CVSS severity scale, the heap-based buffer overflow impacts FortiOS and FortiProxy devices when SSL‑VPN is enabled.

An attacker who successfully exploits the flaw can execute code remotely and gain control of network equipment. Bishop Fox has urged immediate patching to mitigate active risk.

Despite Fortinet publishing firmware updates and advising customers to apply them promptly, many devices remain unpatched and exposed.

Using internet-wide scans via Shodan.io, Bishop Fox identified nearly 490,000 Fortinet SSL‑VPN interfaces reachable from the internet. Approximately 69% of those—about 338,100 devices—were still running vulnerable, unpatched software.

Example exploit

Bishop Fox released an example exploit for CVE-2023-27997 to illustrate how the vulnerability can be abused.

The exploit technique they demonstrated involves corrupting the heap, connecting back to an attacker-controlled server, downloading a BusyBox binary, and spawning an interactive shell on the compromised device.

Bishop Fox reported their exploit was notably faster than an earlier proof-of-concept developed by Lexfo, an independent French security firm.

The vulnerability was originally discovered and privately disclosed to Fortinet by Charles Fol and Dany Bach of Lexfo. Fortinet released fixes on June 8, and Lexfo published details of the flaw and their exploit method on June 13.

CVE-2023-27997 represents a serious threat to network security. With hundreds of thousands of devices still unpatched, the potential for large-scale exploitation is significant. Administrators and Fortinet users should update firmware immediately and verify that SSL‑VPN interfaces are secured to prevent remote code execution attacks.
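The remediation advice above (patch, and know which SSL‑VPN-exposed devices are still behind) can be turned into a simple inventory check. The following Python is an added example, not code from Bishop Fox, Lexfo or Fortinet. It assumes an inventory exported from your own asset system as (host, firmware version, SSL‑VPN enabled) records, which are constructed here, and the fixed-build table holds constructed placeholder values that must be replaced with the versions listed in Fortinet's advisory for CVE-2023-27997 before the script is run against real data.

```python
"""Patch-compliance triage for a FortiGate inventory (added example).

Buckets devices into: exposed (below the fixed build AND SSL-VPN enabled),
needs_patch (below the fixed build, SSL-VPN disabled) and ok (at or above the
fixed build). A firmware branch missing from the table is treated as unknown
and therefore counted as exposed rather than silently passed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed PLACEHOLDER thresholds: the first build on each branch assumed to
# carry the fix. These are NOT Fortinet's actual fixed builds; replace them with
# the versions from the vendor advisory before using this on real data.
SAMPLE_FIXED_BY_BRANCH: Dict[str, str] = {
    "6.4": "6.4.20",
    "7.0": "7.0.20",
    "7.2": "7.2.10",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


@dataclass
class Device:
    host: str
    version: str          # FortiOS firmware string, e.g. "7.0.11" or "v7.0.11,build0489"
    sslvpn_enabled: bool  # whether the SSL-VPN portal is enabled on this unit


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v7.0.11' or '7.0.11,build0489' into (7, 0, 11); reject junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def branch_of(version: Tuple[int, int, int]) -> str:
    """Firmware branch key, e.g. (7, 0, 11) -> '7.0'."""
    return f"{version[0]}.{version[1]}"


def is_patched(version_text: str, fixed_by_branch: Dict[str, str]) -> Optional[bool]:
    """True if at/above the branch's fixed build, False if below,
    None if the branch is not in the table (unknown: caller treats as exposed)."""
    v = parse_version(version_text)
    fixed = fixed_by_branch.get(branch_of(v))
    if fixed is None:
        return None
    return v >= parse_version(fixed)


def classify(inventory: List[Device], fixed_by_branch: Dict[str, str]) -> Dict[str, List[str]]:
    """Split the inventory into the three buckets a defender acts on."""
    exposed: List[str] = []
    needs_patch: List[str] = []
    ok: List[str] = []
    for d in inventory:
        if is_patched(d.version, fixed_by_branch):
            ok.append(d.host)
        elif d.sslvpn_enabled:
            exposed.append(d.host)      # vulnerable AND reachable through SSL-VPN
        else:
            needs_patch.append(d.host)  # vulnerable, SSL-VPN off: still patch it
    return {"exposed": exposed, "needs_patch": needs_patch, "ok": ok}


def exposure_rate(inventory: List[Device], fixed_by_branch: Dict[str, str]) -> float:
    """Fraction of SSL-VPN-enabled devices that are still unpatched
    (the same ratio Bishop Fox reported from its internet-wide scan)."""
    enabled = [d for d in inventory if d.sslvpn_enabled]
    if not enabled:
        return 0.0
    vulnerable = sum(1 for d in enabled if not is_patched(d.version, fixed_by_branch))
    return vulnerable / len(enabled)


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Device("fw-a", "7.0.11", True),
    Device("fw-b", "7.0.20", True),
    Device("fw-c", "7.2.4", False),
    Device("fw-d", "v6.4.25,build1234", True),
    Device("fw-e", "5.6.14", True),   # branch absent from the table -> unknown
]

if __name__ == "__main__":
    result = classify(SAMPLE_INVENTORY, SAMPLE_FIXED_BY_BRANCH)
    for bucket, hosts in result.items():
        print(f"{bucket:11s} {', '.join(hosts) or '-'}")
    print(f"exposure rate among SSL-VPN-enabled devices: "
          f"{exposure_rate(SAMPLE_INVENTORY, SAMPLE_FIXED_BY_BRANCH):.0%}")
```

The "unknown branch" case is deliberately counted as exposed: an inventory that contains firmware lines your fixed-build table does not cover is exactly where a compliance report tends to under-count, so the script fails toward flagging rather than toward silence.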
