Fortinet on Monday (June 12) disclosed that a newly patched critical flaw impacting FortiOS and FortiProxy may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors.
The vulnerability, tracked as CVE-2023-27997 (CVSS score: 9.2), concerns a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
LEXFO security researchers Charles Fol and Dany Bach have been credited with discovering and reporting the flaw. It was addressed by Fortinet on June 9, 2023 in the following versions -
FortiOS-6K7K version 7.0.12 or above
FortiOS-6K7K version 6.4.13 or above
FortiOS-6K7K version 6.2.15 or above
FortiOS-6K7K version 6.0.17 or above
FortiProxy version 7.2.4 or above
FortiProxy version 7.0.10 or above
FortiProxy version 2.0.13 or above
FortiOS version 7.4.0 or above
FortiOS version 7.2.5 or above
FortiOS version 7.0.12 or above
FortiOS version 6.4.13 or above
FortiOS version 6.2.14 or above, and
FortiOS version 6.0.17 or above
The company, in an independent disclosure, said the issue was simultaneously discovered during a code audit that was prudently initiated following the active exploitation of a similar flaw in the SSL-VPN product (CVE-2022-42475, CVSS score: 9.3) in December 2022.
Read the full article HERE