On June 12, 2023, Fortinet published an advisory for CVE-2023-27997, a critical heap-based buffer overflow vulnerability in FortiOS SSL VPN. The vulnerability allowed pre-authentication remote code execution — meaning an attacker could fully compromise a FortiGate firewall without any credentials, just by sending specially crafted HTTPS requests to the SSL VPN portal.
With Fortinet being one of the world's largest firewall vendors and hundreds of thousands of FortiGate devices exposed to the internet, this vulnerability had the potential to be as impactful as the MOVEit breach unfolding at the same time.
The Vulnerability
CVE-2023-27997 is a heap-based buffer overflow in the SSL VPN functionality of FortiOS and FortiProxy. The vulnerability exists in the handling of specific HTTP requests by the SSL VPN web portal.
Key characteristics:
- Pre-authentication: No credentials needed to exploit
- Remote: Exploitable over the internet
- CVSS Score: 9.8 (Critical)
- Affected versions: FortiOS 6.0.x through 7.2.x, FortiProxy 2.x through 7.2.x
The heap overflow occurs during the processing of SSL VPN login requests. By sending a specially crafted request, an attacker can overflow a heap buffer and gain control of program execution, ultimately achieving remote code execution as root on the FortiGate device.
The Discovery
The vulnerability was discovered by French security researchers Charles Fol and Dany Bach (DDXhunter) from Lexfo. They demonstrated a reliable exploit that achieved remote code execution on FortiGate devices through the SSL VPN portal.
The researchers responsible-disclosed the vulnerability to Fortinet, giving them time to develop patches before public disclosure. However, evidence suggested that exploitation may have begun before patches were available.
Why This Is a Supply Chain Problem
FortiGate firewalls are network infrastructure — they sit at the boundary of corporate networks and control all traffic flowing in and out. Compromising a FortiGate device gives an attacker:
Full Network Access
The firewall has visibility into all network traffic and can be configured to allow the attacker to access any internal resource.
VPN User Credentials
FortiGate devices with SSL VPN store user credentials for VPN authentication. A compromised device can capture credentials for every VPN user, providing the attacker with legitimate access to the network.
Persistence
Sophisticated attackers can modify FortiGate firmware to maintain persistence across reboots and firmware updates. This was seen in previous Fortinet attacks by Chinese threat actors (documented by Mandiant in March 2023).
Lateral Movement Platform
A compromised firewall provides an ideal platform for lateral movement — it has network access to everything, and its traffic is expected.
Supply Chain Pivot
Organizations that manage multiple FortiGate devices (MSSPs, IT service providers) could see a single compromise cascade to all their managed customers.
The Exposure Surface
At the time of disclosure, Shodan and other internet scanning services identified:
- 300,000-500,000 FortiGate devices with SSL VPN portals exposed to the internet
- Devices spread across every country and every sector
- Many devices running firmware versions years out of date
The exposure surface for this vulnerability was massive. Every FortiGate device with SSL VPN enabled and accessible from the internet was potentially vulnerable.
Fortinet's Pattern
CVE-2023-27997 was not Fortinet's first critical vulnerability in a short timespan:
- CVE-2022-42475 (December 2022): Critical heap overflow in SSL VPN, exploited in the wild by Chinese APTs
- CVE-2022-40684 (October 2022): Authentication bypass allowing admin access
- CVE-2023-27997 (June 2023): Heap overflow in SSL VPN
This pattern of critical vulnerabilities in internet-facing features raised questions about the security of Fortinet's codebase, particularly the SSL VPN implementation.
The FortiOS Firmware Challenge
FortiOS is a proprietary operating system based on a custom Linux kernel. The SSL VPN component is written in C, with all the memory safety challenges that implies. Unlike web applications that can be updated by deploying new containers, FortiGate firmware updates require:
- Downloading the firmware from Fortinet
- Testing compatibility with the specific hardware
- Scheduling a maintenance window
- Applying the update (which requires a reboot)
- Verifying the update was successful
This process takes days to weeks in most organizations, leaving a significant window of exposure.
Patching Challenges
Even after patches were available, organizations faced significant hurdles:
Testing: Updating a firewall's firmware can break existing configurations, VPN connectivity, and security policies. Organizations need to test before deploying.
Downtime: Firmware updates require a reboot, meaning a brief network outage or failover.
Scale: Large organizations may have hundreds of FortiGate devices across multiple locations, each requiring individual attention.
Legacy devices: Some FortiGate devices were running firmware versions so old that the upgrade path wasn't straightforward.
Recommendations
Patch Immediately
Despite the testing and downtime challenges, the risk of exploitation outweighed the risk of patching issues. Organizations were advised to patch as an emergency.
Restrict SSL VPN Access
If immediate patching wasn't possible:
- Restrict SSL VPN access to known IP ranges
- Disable SSL VPN if it's not actively needed
- Monitor SSL VPN logs for anomalous activity
Check for Compromise
After patching, check for signs of exploitation:
- Unusual admin accounts
- Modified firmware or configurations
- Unexpected outbound connections
- FortiGate system integrity check results
Long-Term Strategy
Consider whether perimeter VPN is still the right architecture. Zero-trust network access (ZTNA) solutions reduce the attack surface by not exposing VPN portals to the internet.
How Safeguard.sh Helps
Safeguard.sh helps organizations manage the risks from critical infrastructure vulnerabilities:
- Infrastructure Vulnerability Monitoring: Safeguard.sh tracks CVEs across your infrastructure, including network appliances like FortiGate, alerting you immediately when critical vulnerabilities are disclosed.
- Exposure Assessment: Safeguard.sh helps you understand which systems in your environment are affected by new vulnerabilities, including tracking firmware versions across your infrastructure inventory.
- Patch Tracking: Safeguard.sh monitors your remediation progress for critical vulnerabilities, ensuring nothing falls through the cracks during emergency patching.
- Supply Chain Risk Assessment: Safeguard.sh evaluates your dependency on specific vendors and products, helping you identify concentration risks like heavy reliance on a single firewall vendor.
CVE-2023-27997 was a reminder that network infrastructure is software, and software has vulnerabilities. The question is whether you have the visibility and processes to respond quickly when those vulnerabilities are discovered.