Monday, May 19, 2025
HomeCyber Security NewsOver 300,000+ Fortinet Firewalls are Vulnerable to a Critical RCE Flaw

Over 300,000+ Fortinet Firewalls are Vulnerable to a Critical RCE Flaw

Published on

SIEM as a Service

Follow Us on Google News

The latest research shows Fortigate firewalls are vulnerable to remote code execution attempts.

490,000 affected SSL VPN interfaces are exposed on the internet, and roughly 69% are currently unpatched.

Bishop Fox internally developed an exploit for CVE-2023-27997, a heap overflow in FortiOS—the OS behind FortiGate firewalls—that allows remote code execution. 

- Advertisement - Google News

CVE-2023-27997 is a heap-based buffer overflow in FortiGate’s SSL VPN component, which has been demonstrated to be exploitable for pre-authentication RCE.

Fortinet released patches and a workaround to fix the vulnerability.

Fortinet Firewall Exploit

Remote code execution via CVE-2023-27997 on FortiGate FGVM64 version 7.2.4
Remote code execution via CVE-2023-27997 on FortiGate FGVM64 version 7.2.4

The exploit can smash the heap, connect back to an attacker-controlled server, download a BusyBox binary, and open an interactive shell. 

This exploits very closely follows the steps detailed in the original blog post by Lexfo, which runs in approximately one second.

Below query on Shodan CLI returns nearly 490,000 exposed SSL VPN interfaces issued to Fortigate Firewall.

$ shodan count '"Server: xxxxxxxx-xxxxx" http.html: "top.location=/remote/login"'
489337

335,923 Unpatched Devices

Below, a search on Shodan for the last two months in the Last-Modified HTTP response header can find devices that’ve been patched.

In the following query, we assume that half of the devices with May-based installations are patched (there are some overlapping versions in this timeframe), and all of the June-based installations are patched.

$ seq 01 31 |
parallel 'printf "2023-05-%02d\n2023-06-%02d\n" {} {}' |
parallel 'date -d {} "+Last-Modified: %a, %d %b %Y" 2>/dev/null' |
parallel --bar 'shodan count "\"Server: xxxxxxxx-xxxxx\" http.html:\"top.location=/remote/login\" \"{}\"" | tr "\n" " "; echo {}' |
awk '{if ($0 ~ /May/) {SUM += $1 / 2} else {SUM += $1}} END {print SUM}'
153414

According to the results, only 153,414 devices on the internet are patched, which leaves 335,923 / 489,337 = 69% unpatched.

FortiOS installations of versions 5,6, and 7

Further analysis of the team has revealed that there are lots of version 7 (released in early 2021) and a ton of version 6, which is gradually reaching the end of its life.

“AI-based email security measures Protect your business From Email Threats!” – .

Latest articles

Hackers Exploit RVTools to Deploy Bumblebee Malware on Windows Systems

A reliable VMware environment reporting tool, RVTools, was momentarily infiltrated earlier this week on...

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence...

New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials

AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also...

Health Care Data Breach Costs BreachForums Admin $700,000 Fine

Conor Brian Fitzpatrick, the 22-year-old former administrator of cybercrime forum Breachforums, will forfeit approximately...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit RVTools to Deploy Bumblebee Malware on Windows Systems

A reliable VMware environment reporting tool, RVTools, was momentarily infiltrated earlier this week on...

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence...

New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials

AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also...