H-ISAC TLP White Vulnerability Bulletin: Fortinet FortiGate SSL VPN Critical Remote Code Execution (RCE) Flaw

On June 12, Fortinet issued a PSIRT advisory and a blog post on a critical heap-based buffer overflow vulnerability in the SSL-VPN pre-authentication code path, which was speculated to be the reason for the latest security updates. The vulnerability, tracked as CVE-2023-27997, permits unauthenticated remote code execution (RCE) on the affected device. The flaw was discovered through a proactive code review of the SSL-VPN module.

According to Fortinet's blog post, the investigation found that the vulnerability was potentially exploited on multiple occasions in attacks targeting government, manufacturing and critical infrastructure organizations. Vulnerabilities that allow authentication bypass are a common target for threat actors, who use them as an entry point, so caution is advised. In prior exploitation cases, Fortinet identified admin accounts with the names 'fortinet-tech-support' and 'fortigate-tech-support' as indicators of compromise (IoCs) on compromised devices, and they may be worth monitoring in this case as well.
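As an added example (not part of the H-ISAC bulletin or of Fortinet's own guidance), the following Python script parses the `config system admin` block of a FortiOS configuration export and flags admin accounts whose names match the IoCs named above; the sample configuration is constructed and the account-name list is assumed to be the only check needed here.

```python
import re

# Admin account names Fortinet reported as IoCs in prior exploitation cases.
SUSPICIOUS_ADMIN_NAMES = {"fortinet-tech-support", "fortigate-tech-support"}

# Constructed sample in FortiOS CLI configuration syntax (not from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "fortinet-tech-support"
        set accprofile "super_admin"
    next
    edit "Fortigate-Tech-Support"
        set accprofile "prof_admin"
    next
end
"""

def parse_admin_accounts(config_text):
    """Return {admin name: accprofile} from the 'config system admin' block."""
    accounts, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":          # closes the admin block
            break
        elif m := re.match(r'edit "([^"]+)"', line):
            current = m.group(1)
            accounts[current] = None
        elif m := re.match(r'set accprofile "([^"]+)"', line):
            if current is not None:
                accounts[current] = m.group(1)
    return accounts

def find_suspicious_admins(config_text):
    """Admin names matching the reported IoCs (case-insensitive match)."""
    accounts = parse_admin_accounts(config_text)
    return sorted(n for n in accounts if n.lower() in SUSPICIOUS_ADMIN_NAMES)

if __name__ == "__main__":
    for name in find_suspicious_admins(SAMPLE_CONFIG):
        print("suspicious admin account:", name)
```

Run it against a `show full-configuration` export saved to a file to get a quick triage signal; a match warrants a full incident-response review rather than just deleting the account.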

View the detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272