Cyber Security News

Over 300,000+ Fortinet Firewalls are Vulnerable to a Critical RCE Flaw

The latest research shows Fortigate firewalls are vulnerable to remote code execution attempts.

490,000 affected SSL VPN interfaces are exposed on the internet, and roughly 69% are currently unpatched.

Bishop Fox internally developed an exploit for CVE-2023-27997, a heap overflow in FortiOS—the OS behind FortiGate firewalls—that allows remote code execution. 

CVE-2023-27997 is a heap-based buffer overflow in FortiGate’s SSL VPN component, which has been demonstrated to be exploitable for pre-authentication RCE.

Fortinet released patches and a workaround to fix the vulnerability.

Fortinet Firewall Exploit

Remote code execution via CVE-2023-27997 on FortiGate FGVM64 version 7.2.4

The exploit can smash the heap, connect back to an attacker-controlled server, download a BusyBox binary, and open an interactive shell. 

This exploits very closely follows the steps detailed in the original blog post by Lexfo, which runs in approximately one second.

Below query on Shodan CLI returns nearly 490,000 exposed SSL VPN interfaces issued to Fortigate Firewall.

$ shodan count '"Server: xxxxxxxx-xxxxx" http.html: "top.location=/remote/login"'

335,923 Unpatched Devices

Below, a search on Shodan for the last two months in the Last-Modified HTTP response header can find devices that’ve been patched.

In the following query, we assume that half of the devices with May-based installations are patched (there are some overlapping versions in this timeframe), and all of the June-based installations are patched.

$ seq 01 31 |
parallel 'printf "2023-05-%02d\n2023-06-%02d\n" {} {}' |
parallel 'date -d {} "+Last-Modified: %a, %d %b %Y" 2>/dev/null' |
parallel --bar 'shodan count "\"Server: xxxxxxxx-xxxxx\" http.html:\"top.location=/remote/login\" \"{}\"" | tr "\n" " "; echo {}' |
awk '{if ($0 ~ /May/) {SUM += $1 / 2} else {SUM += $1}} END {print SUM}'

According to the results, only 153,414 devices on the internet are patched, which leaves 335,923 / 489,337 = 69% unpatched.

FortiOS installations of versions 5,6, and 7

Further analysis of the team has revealed that there are lots of version 7 (released in early 2021) and a ton of version 6, which is gradually reaching the end of its life.

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.


Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.

Recent Posts

Cryptojacking Campaign Infected Online Thesaurus With Over 5 Million Visitors

Students, authors, and anybody else wishing to improve their vocabulary and language abilities frequently utilize…

1 day ago

Gold Melody Attacking Organizations With Burp Extension, Mimikatz, and Other Tools

The financially motivated GOLD MELODY threat group has been active at least since 2017, attacking…

2 days ago

MOVEit Transfer SQL Injection Let the Attacker Gain Unauthorized Access to the Database

MOVEit transfer service pack has been discovered with three vulnerabilities associated with SQL injections (2)…

2 days ago

LUCR-3 Attacking Fortune 2000 Companies Using Victims’ Own Tools & Apps

A new financially motivated threat group named “LUCR-3” has been discovered targeting organizations to steal…

2 days ago

Is QakBot Malware Officially Dead?

Only a few malware families can claim to have persisted for nearly twenty years, and…

2 days ago

System Admin Pleads Guilty for Selling Pirated Business Phone Software Licenses

For taking part in a large international scheme to earn millions of dollars by selling pirated…

2 days ago