In March 2023, Fortinet disclosed CVE-2023-25610, a buffer underwrite vulnerability in the administrative interface of FortiOS and FortiProxy. Rated CVSS 9.3, the vulnerability allowed unauthenticated attackers to execute arbitrary code or cause denial of service on affected devices. Coming on the heels of CVE-2022-42475 (a heap-based buffer overflow exploited by Chinese APT groups) and CVE-2022-40684 (an authentication bypass), this was the third critical Fortinet vulnerability in roughly six months. The pattern was becoming impossible to ignore.
The Vulnerability
CVE-2023-25610 is a buffer underwrite (also known as buffer underflow) vulnerability in the administrative interface of FortiOS and FortiProxy. A buffer underwrite occurs when a program writes data before the beginning of an allocated buffer, corrupting adjacent memory structures.
The vulnerability exists in the way the administrative web interface processes certain HTTP requests. An unauthenticated attacker can send a specially crafted request that triggers the buffer underwrite, potentially overwriting function pointers or other critical data structures in memory.
Depending on the specific hardware model, exploitation could result in:
- Remote code execution: On most FortiGate models, the buffer underwrite can be exploited to achieve arbitrary code execution
- Denial of service: On certain hardware models with specific memory layouts, the corruption causes a crash rather than controlled code execution
Fortinet listed approximately 50 hardware models that were limited to denial-of-service impact, while the remaining models were potentially vulnerable to full code execution.
The affected versions were extensive:
- FortiOS 7.2.0 through 7.2.3
- FortiOS 7.0.0 through 7.0.9
- FortiOS 6.4.0 through 6.4.11
- FortiOS 6.2.0 through 6.2.12
- All versions of FortiOS 6.0
- FortiProxy 7.2.0 through 7.2.2
- FortiProxy 7.0.0 through 7.0.8
- FortiProxy 2.0.0 through 2.0.11
- All versions of FortiProxy 1.2 and 1.1
This covered essentially every supported version of FortiOS and FortiProxy, affecting millions of devices worldwide.
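The version list above, together with the fixed releases named later in the advisory summary (FortiOS 7.4.0, 7.2.4, 7.0.10, 6.4.12, 6.2.13; FortiProxy 7.2.3, 7.0.9, 2.0.12), is enough to triage an inventory mechanically. The script below is an added example, not Fortinet's or Safeguard.sh's code: it transcribes those branch ranges into a table, parses version strings in either the plain `7.0.9` form or the CLI `v7.0.9,buildNNNN` form, and reports which devices in a constructed sample inventory still need an upgrade. Branches the advisory names as wholly affected with no in-branch fix (FortiOS 6.0, FortiProxy 1.2 and 1.1) are handled as a separate case, since the only remediation there is moving to a fixed branch.

```python
"""Flag FortiOS / FortiProxy builds that fall in the version ranges Fortinet
listed as affected by CVE-2023-25610.

Added example, not Fortinet's or Safeguard.sh's code. The branch table
below is transcribed from the affected/fixed versions quoted in this
article; the inventory at the bottom is constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# branch (major, minor) -> (last affected patch level, first fixed patch level)
# (None, None) means every release on that branch is affected and the
# advisory names no fixed build on it, so only a branch upgrade remediates.
AFFECTED: Dict[str, Dict[Tuple[int, int], Tuple[Optional[int], Optional[int]]]] = {
    "FortiOS": {
        (7, 2): (3, 4),        # 7.2.0 - 7.2.3 affected, fixed in 7.2.4
        (7, 0): (9, 10),       # 7.0.0 - 7.0.9, fixed in 7.0.10
        (6, 4): (11, 12),      # 6.4.0 - 6.4.11, fixed in 6.4.12
        (6, 2): (12, 13),      # 6.2.0 - 6.2.12, fixed in 6.2.13
        (6, 0): (None, None),  # all of 6.0, no fixed 6.0 build
    },
    "FortiProxy": {
        (7, 2): (2, 3),        # 7.2.0 - 7.2.2, fixed in 7.2.3
        (7, 0): (8, 9),        # 7.0.0 - 7.0.8, fixed in 7.0.9
        (2, 0): (11, 12),      # 2.0.0 - 2.0.11, fixed in 2.0.12
        (1, 2): (None, None),  # all of 1.2
        (1, 1): (None, None),  # all of 1.1
    },
}


def parse_version(text: str) -> Version:
    """Accept "7.0.9" or the CLI form "v7.0.9,build0000" (the build suffix
    is ignored) and return (major, minor, patch)."""
    core = text.strip().lstrip("v").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def assess(product: str, version: str) -> Tuple[bool, str]:
    """Return (affected, advice) for one device.

    Versions on branches the advisory does not list (for example FortiOS
    7.4.x, which shipped fixed) are reported as not affected."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    major, minor, patch = parse_version(version)
    entry = AFFECTED[product].get((major, minor))
    if entry is None:
        return False, "branch not listed as affected"
    last_affected, first_fixed = entry
    if last_affected is None:
        return True, "no fixed release on this branch; upgrade to a fixed branch"
    if patch <= last_affected:
        return True, f"upgrade to {major}.{minor}.{first_fixed} or later"
    return False, f"already at or above fixed release {major}.{minor}.{first_fixed}"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Filter an inventory of (host, product, version) down to the affected
    devices, attaching the remediation advice for each."""
    hits = []
    for host, product, version in inventory:
        affected, advice = assess(product, version)
        if affected:
            hits.append((host, product, version, advice))
    return hits


# Constructed sample inventory; the build suffix is a placeholder, not a real build number.
SAMPLE_INVENTORY = [
    ("fw-hq", "FortiOS", "v7.2.3,build0000"),
    ("fw-branch1", "FortiOS", "7.0.10"),
    ("fw-legacy", "FortiOS", "6.0.15"),
    ("proxy-dmz", "FortiProxy", "2.0.11"),
    ("fw-new", "FortiOS", "7.4.0"),
]

if __name__ == "__main__":
    for host, product, version, advice in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} AFFECTED -> {advice}")
```

Keying the table on the branch rather than on full version tuples keeps the "all versions of 6.0" case explicit instead of encoding it as an arbitrary upper bound, and it makes a device on 7.0.10 report as already fixed rather than silently falling through.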
The Fortinet Vulnerability Cascade
CVE-2023-25610 was part of a disturbing pattern of critical vulnerabilities in Fortinet products:
CVE-2022-40684 (October 2022): Authentication bypass in FortiOS and FortiProxy, allowing unauthenticated administrative access. CVSS 9.6. Actively exploited in the wild.
CVE-2022-42475 (December 2022): Heap-based buffer overflow in FortiOS SSL-VPN, allowing unauthenticated RCE. CVSS 9.3. Exploited by Chinese APT groups in targeted campaigns against government organizations.
CVE-2023-25610 (March 2023): Buffer underwrite in FortiOS and FortiProxy administrative interface. CVSS 9.3.
CVE-2023-27997 (June 2023): Heap-based buffer overflow in FortiOS SSL-VPN. CVSS 9.2. Another pre-authentication RCE.
Four critical vulnerabilities in nine months, all in the same product family, all allowing unauthenticated remote access. Organizations that patched one vulnerability were immediately faced with the next.
Why the Administrative Interface Was Exposed
The immediate question is: why are FortiGate administrative interfaces accessible from the internet?
The answer is pragmatic. Many organizations manage distributed networks with FortiGate appliances at multiple locations. Centralized management requires network accessibility. While Fortinet provides FortiManager for centralized management, many smaller organizations manage their FortiGate devices directly through the web interface.
Additionally, some organizations configure the administrative interface on the same interface as the VPN, making it inadvertently accessible from the internet. Default configurations don't always enforce separation between management and data-plane traffic.
Shodan consistently identifies hundreds of thousands of FortiGate administrative interfaces accessible from the internet. This is the attack surface that CVE-2023-25610 threatened.
Mitigation and Response
Fortinet's advisory recommended:
- Upgrade to fixed versions: FortiOS 7.4.0 or later, 7.2.4 or later, 7.0.10 or later, 6.4.12 or later, 6.2.13 or later; FortiProxy 7.2.3 or later, 7.0.9 or later, 2.0.12 or later
- Disable HTTP/HTTPS administrative interface: As a workaround, disabling the administrative interface prevents exploitation. This is effective but removes the ability to manage the device through the web interface.
- Limit IP addresses for administrative access: Configuring trusted-host settings to restrict administrative access to specific IP addresses reduces the attack surface even if the interface remains exposed.
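Both workarounds, and the earlier point about the administrative interface ending up on the same interface as the VPN, can be checked from a configuration export before anyone has to log in to each box. The script below is an added example, not Fortinet's or Safeguard.sh's code. It reads the `config ... / edit ... / set ... / next / end` layout of FortiOS `show` output and flags two conditions: an interface whose `allowaccess` list includes `http` or `https` (rated HIGH when the interface's `role` is `wan`), and an admin account whose `trusthostN` entries are absent or left at the any-host default `0.0.0.0 0.0.0.0`, which is what `show` omits when trusted hosts were never set. The configuration at the bottom is constructed sample input.

```python
"""Audit a FortiOS configuration export for the two exposure conditions the
mitigation list above addresses: HTTP/HTTPS admin access enabled on an
interface, and admin accounts with no trusted-host restriction.

Added example, not Fortinet's or Safeguard.sh's code. It parses the
'config / edit / set / next / end' layout of FortiOS `show` output;
allowaccess, role and trusthostN are the FortiOS keywords for the settings
discussed in the article. The configuration at the bottom is constructed.
"""
import shlex
from typing import Dict, List, Tuple

ADMIN_GUI = {"http", "https"}
ANY_HOST = ["0.0.0.0", "0.0.0.0"]   # FortiOS trusthost default: any source address


def parse_fortios_config(text: str) -> Dict[str, Dict[str, Dict[str, List[str]]]]:
    """Return {section: {entry: {key: values}}}, for example
    cfg["system interface"]["wan1"]["allowaccess"] == ["ping", "https", "ssh"].
    Settings made outside an `edit` block are stored under entry ""."""
    cfg: Dict[str, Dict[str, Dict[str, List[str]]]] = {}
    sections: List[str] = []   # stack of open `config` paths
    entries: List[str] = []    # current `edit` name for each open section
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            sections.append(" ".join(args))
            entries.append("")
        elif cmd == "edit" and sections and args:
            entries[-1] = args[0]
            cfg.setdefault(sections[-1], {}).setdefault(args[0], {})
        elif cmd == "set" and sections and args:
            cfg.setdefault(sections[-1], {}).setdefault(entries[-1], {})[args[0]] = args[1:]
        elif cmd == "next" and sections:
            entries[-1] = ""
        elif cmd == "end" and sections:
            sections.pop()
            entries.pop()
    return cfg


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs, sorted so HIGH findings come first."""
    cfg = parse_fortios_config(text)
    findings: List[Tuple[str, str]] = []

    # Admin GUI reachable on an interface; a wan-role interface is the
    # internet-facing case the article describes.
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = ADMIN_GUI & set(attrs.get("allowaccess", []))
        if exposed:
            role = attrs.get("role", ["undefined"])[0]
            sev = "HIGH" if role == "wan" else "MEDIUM"
            findings.append((sev, f"interface {name} (role {role}) allows "
                                  f"{' '.join(sorted(exposed))} admin access"))

    # Admin account with no trusted-host restriction: no trusthost lines at
    # all (the `show` form of the default) or only the any-host default.
    for name, attrs in cfg.get("system admin", {}).items():
        hosts = [v[:2] for k, v in attrs.items() if k.startswith("trusthost")]
        if not hosts or all(h == ANY_HOST for h in hosts):
            findings.append(("MEDIUM", f"admin {name} has no trusthost restriction"))

    return sorted(findings)


# Constructed sample export: one WAN interface with HTTPS admin enabled, one
# LAN interface with HTTP and HTTPS, one unrestricted admin and one restricted.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set trusthost1 192.168.1.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

On the sample export the audit reports wan1 as HIGH, the internal interface and the `admin` account as MEDIUM, and nothing for `netops`, which already has a trusted host. Removing `https` and `http` from the WAN interface's `allowaccess` list is the "disable the administrative interface" workaround applied per interface; adding `trusthost` entries to each account is the "limit IP addresses" workaround.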
CISA did not immediately add CVE-2023-25610 to its KEV catalog, suggesting that active exploitation had not been confirmed at the time of disclosure. However, given the pattern of exploitation targeting previous Fortinet vulnerabilities, exploitation was widely expected.
The Bigger Picture for Network Security Appliances
The repeated discovery of critical vulnerabilities in Fortinet products — and in network security appliances generally — raises fundamental questions about how these devices are built and secured.
Memory Safety
CVE-2023-25610 (buffer underwrite), CVE-2022-42475 (heap overflow), and CVE-2023-27997 (heap overflow) are all memory safety vulnerabilities. They exist because the underlying code is written in memory-unsafe languages (primarily C) without adequate bounds checking.
The cybersecurity industry increasingly recognizes that memory safety is a foundational security requirement. CISA's Secure by Design initiative specifically calls out the use of memory-safe programming languages as a key technical measure. Network appliance vendors, who build some of the most security-critical infrastructure, have been slow to adopt these practices.
Security of Security Products
There's a painful irony in finding critical vulnerabilities in products designed to provide security. Firewalls, VPN gateways, and proxy servers are security infrastructure. When they're compromised, the entire security model collapses.
Yet these products face the same development pressures as any other software: feature velocity, backward compatibility, time-to-market, and cost constraints. Security is a feature they sell, but it's not always a priority in their own development practices.
Vendor Transparency
Fortinet has faced criticism for its vulnerability disclosure practices. Some vulnerabilities were patched in firmware updates without clear security advisories. Others were disclosed only after researchers or attackers had already published details. This lack of transparency makes it harder for customers to prioritize patching and assess their risk.
How Safeguard.sh Helps
Safeguard.sh provides critical capabilities for managing the ongoing stream of network appliance vulnerabilities:
- Appliance Firmware Tracking: Safeguard.sh monitors firmware versions across your Fortinet deployment, immediately identifying devices affected by new CVEs like CVE-2023-25610.
- Vulnerability Cascade Management: When multiple critical vulnerabilities appear in rapid succession, Safeguard.sh helps track remediation across all CVEs, ensuring no vulnerability falls through the cracks.
- Exposure Assessment: Safeguard.sh identifies which devices have internet-exposed management interfaces, highlighting the most critical patch targets.
- Remediation Prioritization: With dozens of affected firmware versions and multiple upgrade paths, Safeguard.sh helps prioritize which devices to patch first based on exposure and risk.
The Fortinet vulnerability cascade proved that security infrastructure needs security management. Safeguard.sh ensures your perimeter defenses are as well-protected as the networks they guard.