A Critical Code Execution Flaw Found in FortiOS and FortiProxy Administrative Interfaces

9 March 2023 [NO.TCSA : 20230309-1-1-P]


A critical vulnerability with a CVSSv3 score of 9.3 (critical) has been discovered in the FortiOS and FortiProxy administrative interfaces that could allow an attacker to execute arbitrary code or cause a denial of service (DoS). The vulnerability, identified as CVE-2023-25610, is caused by a heap buffer underflow that occurs when processing user-supplied data.

TechCERT has observed a concerning trend among many organizations that keep their Fortinet administration portals open to the internet, despite this being a violation of recommended security best practices. Although there have been no reports of active exploitation of this vulnerability at this time, the risk of future exploitation is significantly increased when administrative portals are globally accessible from the internet.

Affected Versions

The following versions of FortiOS and FortiProxy are affected by this vulnerability:

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0 all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions

Mitigation

Fortinet has released patches to address this vulnerability:

  • Upgrade to FortiOS version 7.4.0 or above
  • Upgrade to FortiOS version 7.2.4 or above
  • Upgrade to FortiOS version 7.0.10 or above
  • Upgrade to FortiOS version 6.4.12 or above
  • Upgrade to FortiOS version 6.2.13 or above
  • Upgrade to FortiProxy version 7.2.3 or above
  • Upgrade to FortiProxy version 7.0.9 or above
  • Upgrade to FortiProxy version 2.0.12 or above
  • Upgrade to FortiOS-6K7K version 7.0.10 or above
  • Upgrade to FortiOS-6K7K version 6.4.12 or above
  • Upgrade to FortiOS-6K7K version 6.2.13 or above

Users are advised to test and update to the latest patched versions as soon as possible.
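The following script is an added example, not code from TechCERT or Fortinet. It encodes the Affected Versions and Mitigation lists above so that an inventory of FortiOS/FortiProxy devices can be triaged against CVE-2023-25610: each device is reported as affected or not, together with the first fixed release from the Mitigation list for its branch (branches such as FortiOS 6.0 and FortiProxy 1.x have no fixed release listed in this bulletin and are reported as needing migration). Function names, the inventory format and the sample device list are constructed for the example.

```python
"""Triage FortiOS / FortiProxy versions against the CVE-2023-25610 ranges
published in this bulletin. Added example; ranges are copied from the
bulletin text, everything else (names, sample inventory) is constructed."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(s: str) -> Version:
    """Turn '7.0.9' (or '7.0') into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in s.strip().lstrip("v").split(".")]
    parts += [0] * (3 - len(parts))          # pad '7.2' -> (7, 2, 0)
    return (parts[0], parts[1], parts[2])

# (product, first affected, last affected); None upper bound = whole branch.
AFFECTED: List[Tuple[str, str, Optional[str]]] = [
    ("FortiOS",    "7.2.0", "7.2.3"),
    ("FortiOS",    "7.0.0", "7.0.9"),
    ("FortiOS",    "6.4.0", "6.4.11"),
    ("FortiOS",    "6.2.0", "6.2.12"),
    ("FortiOS",    "6.0.0", None),    # 6.0: all versions affected
    ("FortiProxy", "7.2.0", "7.2.2"),
    ("FortiProxy", "7.0.0", "7.0.8"),
    ("FortiProxy", "2.0.0", "2.0.11"),
    ("FortiProxy", "1.2.0", None),    # 1.2: all versions affected
    ("FortiProxy", "1.1.0", None),    # 1.1: all versions affected
]

# First fixed release per (product, major.minor branch), from the Mitigation list.
FIXED: Dict[Tuple[str, Tuple[int, int]], str] = {
    ("FortiOS",    (7, 2)): "7.2.4",
    ("FortiOS",    (7, 0)): "7.0.10",
    ("FortiOS",    (6, 4)): "6.4.12",
    ("FortiOS",    (6, 2)): "6.2.13",
    ("FortiProxy", (7, 2)): "7.2.3",
    ("FortiProxy", (7, 0)): "7.0.9",
    ("FortiProxy", (2, 0)): "2.0.12",
}

def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside one of the bulletin's affected ranges."""
    v = parse_version(version)
    for prod, lo, hi in AFFECTED:
        if prod != product:
            continue
        if hi is None:
            # Whole branch affected: compare major.minor only.
            if v[:2] == parse_version(lo)[:2]:
                return True
        elif parse_version(lo) <= v <= parse_version(hi):
            return True
    return False

def recommended_fix(product: str, version: str) -> Optional[str]:
    """First fixed release for an affected device's branch; None when the
    device is not affected or the bulletin lists no fixed release (migrate)."""
    if not is_affected(product, version):
        return None
    branch = parse_version(version)[:2]
    return FIXED.get((product, branch))

def triage(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Return one record per device: affected flag and the action to take."""
    report = []
    for host, product, version in inventory:
        affected = is_affected(product, version)
        fix = recommended_fix(product, version)
        if not affected:
            action = "no action"
        elif fix is None:
            action = "no fixed release listed; migrate to a supported branch"
        else:
            action = f"upgrade to {product} {fix} or later"
        report.append({"host": host, "product": product, "version": version,
                       "affected": affected, "action": action})
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-01",    "FortiOS",    "7.0.9"),
    ("fw-edge-02",    "FortiOS",    "7.0.10"),
    ("fw-branch-03",  "FortiOS",    "6.0.14"),
    ("proxy-dc-01",   "FortiProxy", "2.0.11"),
    ("proxy-dc-02",   "FortiProxy", "7.2"),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_INVENTORY):
        print(f"{rec['host']:14} {rec['product']}-{rec['version']:<7} "
              f"affected={rec['affected']}  {rec['action']}")
```

Versions are compared as integer tuples rather than strings so that 7.0.10 sorts after 7.0.9; a bare "7.2" is padded to 7.2.0, which is the first release of the 7.2 branch and therefore inside the affected FortiProxy 7.2.0 through 7.2.2 range.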
