Wednesday, May 21, 2025
HomeCyber Security NewsOver 300,000+ Fortinet Firewalls are Vulnerable to a Critical RCE Flaw

Over 300,000+ Fortinet Firewalls are Vulnerable to a Critical RCE Flaw

Published on

SIEM as a Service

Follow Us on Google News

The latest research shows Fortigate firewalls are vulnerable to remote code execution attempts.

490,000 affected SSL VPN interfaces are exposed on the internet, and roughly 69% are currently unpatched.

Bishop Fox internally developed an exploit for CVE-2023-27997, a heap overflow in FortiOS—the OS behind FortiGate firewalls—that allows remote code execution. 

- Advertisement - Google News

CVE-2023-27997 is a heap-based buffer overflow in FortiGate’s SSL VPN component, which has been demonstrated to be exploitable for pre-authentication RCE.

Fortinet released patches and a workaround to fix the vulnerability.

Fortinet Firewall Exploit

Remote code execution via CVE-2023-27997 on FortiGate FGVM64 version 7.2.4
Remote code execution via CVE-2023-27997 on FortiGate FGVM64 version 7.2.4

The exploit can smash the heap, connect back to an attacker-controlled server, download a BusyBox binary, and open an interactive shell. 

This exploits very closely follows the steps detailed in the original blog post by Lexfo, which runs in approximately one second.

Below query on Shodan CLI returns nearly 490,000 exposed SSL VPN interfaces issued to Fortigate Firewall.

$ shodan count '"Server: xxxxxxxx-xxxxx" http.html: "top.location=/remote/login"'
489337

335,923 Unpatched Devices

Below, a search on Shodan for the last two months in the Last-Modified HTTP response header can find devices that’ve been patched.

In the following query, we assume that half of the devices with May-based installations are patched (there are some overlapping versions in this timeframe), and all of the June-based installations are patched.

$ seq 01 31 |
parallel 'printf "2023-05-%02d\n2023-06-%02d\n" {} {}' |
parallel 'date -d {} "+Last-Modified: %a, %d %b %Y" 2>/dev/null' |
parallel --bar 'shodan count "\"Server: xxxxxxxx-xxxxx\" http.html:\"top.location=/remote/login\" \"{}\"" | tr "\n" " "; echo {}' |
awk '{if ($0 ~ /May/) {SUM += $1 / 2} else {SUM += $1}} END {print SUM}'
153414

According to the results, only 153,414 devices on the internet are patched, which leaves 335,923 / 489,337 = 69% unpatched.

FortiOS installations of versions 5,6, and 7

Further analysis of the team has revealed that there are lots of version 7 (released in early 2021) and a ton of version 6, which is gradually reaching the end of its life.

“AI-based email security measures Protect your business From Email Threats!” – .

Latest articles

Hazy Hawk Targets DNS Vulnerabilities to Hijack Cloud Resources and Spread Malware

The threat actor gained attention in February 2025 after successfully hijacking a subdomain of...

Critical VMware ESXi & vCenter Flaw Allows Remote Execution of Arbitrary Commands

VMware by Broadcom has released critical security updates to address multiple severe vulnerabilities affecting...

Accenture Files Leak – New Research Reveals Projects Controlling Billions of User Data

A new research report released today by Progressive International, Expose Accenture, and the Movement...

Kimsuky APT Group Deploys PowerShell Payloads to Deliver XWorm RAT

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by the notorious Kimsuky Advanced...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hazy Hawk Targets DNS Vulnerabilities to Hijack Cloud Resources and Spread Malware

The threat actor gained attention in February 2025 after successfully hijacking a subdomain of...

Critical VMware ESXi & vCenter Flaw Allows Remote Execution of Arbitrary Commands

VMware by Broadcom has released critical security updates to address multiple severe vulnerabilities affecting...

Accenture Files Leak – New Research Reveals Projects Controlling Billions of User Data

A new research report released today by Progressive International, Expose Accenture, and the Movement...