Fortinet FortiGate < 7.2.5 — RCE
A heap-based buffer overflow in the FortiOS SSL-VPN web portal allows unauthenticated remote code execution on affected FortiGate devices. Upgrade FortiOS to 6.0.17, 6.2.15, 6.4.13, 7.0.12 or 7.2.5 (or later within the same branch) immediately. Note that the fixed build is branch-specific: 7.0.11 is still vulnerable even though it is numerically newer than 6.4.13.
Full unauthenticated code execution on the FortiGate firewall itself. An attacker can read VPN credentials, modify firewall rules, install backdoors, and pivot into the internal network through the very device that is protecting it. This class of vulnerability has been used by ransomware groups for initial access to enterprise networks.
The SSL-VPN web portal in FortiOS fails to validate memory bounds when processing certain HTTP requests. An unauthenticated attacker can send a crafted HTTP request that overflows a heap buffer, overwriting adjacent data such as function pointers and achieving code execution on the FortiGate device. The exploit works against the internet-facing SSL-VPN portal, so no VPN account or management access is required; a device with SSL-VPN disabled is not reachable through this path.
Mandiant has documented exploitation of FortiOS SSL-VPN zero-days by a suspected China-nexus actor (UNC3886), which deployed custom malware (BOLDMOVE) on compromised FortiGate devices. CISA and FBI issued a joint advisory recommending immediate patching. Over 250,000 FortiGate devices were estimated to have internet-exposed SSL-VPN portals at the time of disclosure.
Manual remediation steps
⏱ 30 minutes including device restart
Check Current FortiOS Version
# From FortiGate CLI:
get system status
# Note the "Version" field
Immediate Mitigation (disable SSL-VPN)
# If SSL-VPN is not business-critical, disable it temporarily:
config vpn ssl settings
set status disable
end
Apply the Firmware Upgrade
# Pull the fixed image from an FTP server and reboot onto it. The FortiOS
# syntax takes the filename first, then the server; credentials are optional.
# Follow Fortinet's supported upgrade path when jumping more than one release.
execute restore image ftp <filename> <server> [<username> <password>]
# The device restarts after the image is written; plan for the outage.
Check for Indicators of Compromise
# Look for unexpected admin accounts
show system admin
# Check for recently modified system files
fnsysctl ls -la /data/lib
fnsysctl ls -la /data/bin
Verify Fixed Version
get system status | grep Version
# Must show 7.2.5+ / 7.0.12+ / 6.4.13+ / 6.2.15+ / 6.0.17+
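The steps above are typed on one device at a time. When the same check has to run across a fleet, it helps to paste the CLI output into a small triage script. The following Python is an added example written for this page, not Fortinet tooling: it parses `get system status` output, decides whether the running build is below the fixed release for its branch (using the branch table from the advisory text above), and lists administrator accounts from `show system admin` output that are not on an allowlist the operator supplies. The sample CLI output and the `support` account name are constructed for the example, not captured from a real device, and any FortiOS branch the advisory does not list is reported as unknown rather than guessed.

```python
import re

# Minimum fixed FortiOS release per branch, taken from the advisory text on this page.
FIXED_RELEASES = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}

# Matches the version line of `get system status`, e.g.
# "Version: FortiGate-100F v7.0.11,build0489,230321 (GA.F)"
_VERSION_RE = re.compile(r"^Version:.*?\bv(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
# Each administrator in `show system admin` output opens an `edit "<name>"` stanza.
_ADMIN_RE = re.compile(r'^\s*edit\s+"([^"]+)"', re.MULTILINE)


def parse_version(status_output):
    """Return (major, minor, patch) from `get system status` output."""
    m = _VERSION_RE.search(status_output)
    if m is None:
        raise ValueError("no 'Version:' line found in status output")
    return tuple(int(part) for part in m.groups())


def assess_version(version):
    """Classify a FortiOS version as 'vulnerable', 'patched' or 'unknown'.

    Tuples compare element-wise, so 7.0.9 < 7.0.12 is handled correctly;
    a naive string compare would rank "7.0.9" above "7.0.12". Branches not
    in FIXED_RELEASES (e.g. 7.4.x, or anything below 6.0) are 'unknown'.
    """
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def unexpected_admins(admin_output, allowlist):
    """Admin accounts present in `show system admin` output but not on the allowlist."""
    return [name for name in _ADMIN_RE.findall(admin_output) if name not in allowlist]


def triage(status_output, admin_output, allowlist):
    """Combine the version check and the admin-account check into one report."""
    version = parse_version(status_output)
    return {
        "version": ".".join(str(part) for part in version),
        "status": assess_version(version),
        "unexpected_admins": unexpected_admins(admin_output, allowlist),
    }


# Constructed sample CLI output for the example (not captured from a real device).
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.0.11,build0489,230321 (GA.F)
Serial-Number: FG100FXXXXXXXXXX
Operation Mode: NAT
Current HA mode: standalone
"""

SAMPLE_ADMINS = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

if __name__ == "__main__":
    # Hypothetical allowlist: the accounts your change records say should exist.
    report = triage(SAMPLE_STATUS, SAMPLE_ADMINS, allowlist={"admin"})
    print(report)
```

On the constructed sample the report shows 7.0.11 as vulnerable (the 7.0 branch is fixed in 7.0.12) and flags `support` as an admin account that is not on the allowlist. An unexpected super_admin account with an open trusthost is exactly the kind of finding that should move a device from "patch it" to "treat it as compromised", so keep the allowlist under change control rather than editing it to make the report go quiet.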