Hacking Fortinet’s Fortigate firewalls to install ransomware is quite possible

FortiOS is the operating system and firmware that powers Fortinet’s Fortigate firewalls and other devices. Fortinet has issued several FortiOS versions without noting that they contain a patch for CVE-2023-27997, a security vulnerability that allows remote code execution (RCE) and does not require the attacker to be authenticated to exploit it.


At this time, the specific nature of the security vulnerability has not been disclosed to the general public. According to experts, Fortinet is planning to provide further information on the following Tuesday, June 13, 2023.

They claim that the vulnerability is severe, that it impacts the operation of the SSL VPN provided by the Fortigate firewall, and that it may make it possible for an attacker to “interfere via the VPN, even if MFA is activated.”

They indicate that CVE-2023-27997 permits RCE, is “reachable pre-authentication, on every SSL VPN appliance,” and that they will be providing further information at a later time.

The security flaw has been patched in FortiOS versions 7.2.5, 7.0.12, 6.4.13, and 6.2.15, and it appears to have been resolved in v6.0.17 as well (even though Fortinet officially ended support for the 6.0 branch a year ago).
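To turn the version list above into a quick inventory check, here is an added example that is not from the article or from Fortinet: it parses a reported FortiOS version string, matches it to its release branch, and compares the patch level against the fixed releases named above. The hostnames and version strings are constructed, and the code assumes that any release at or above the listed patch level within a branch carries the fix; branches the article does not list are flagged for manual verification rather than guessed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
# Assumption: releases at or above this patch level in the branch carry the fix.
FIXED_RELEASES = {
    (7, 2): 5,
    (7, 0): 12,
    (6, 4): 13,
    (6, 2): 15,
    (6, 0): 17,
}

# Accepts forms such as "v7.0.11", "7.2.4 build1396" (build suffix is ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(text: str) -> tuple:
    """Return (major, minor, patch) as ints, or raise ValueError on unknown input."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text: str) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'unknown-branch'."""
    major, minor, patch = parse_fortios_version(text)
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        # Branch not covered by the advisory text above: verify manually.
        return "unknown-branch"
    return "patched" if patch >= fixed_patch else "vulnerable"


def find_unpatched(inventory: dict) -> list:
    """Return sorted hostnames whose reported version is below the fixed release."""
    return sorted(host for host, ver in inventory.items() if assess(ver) == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "fw-edge-01": "v7.0.11",
        "fw-edge-02": "v7.2.5",
        "fw-branch-03": "6.4.12 build2360",
        "fw-lab-04": "v7.4.0",
    }
    for host, ver in sample.items():
        print(f"{host:14} {ver:20} {assess(ver)}")
    print("needs update:", find_unpatched(sample))
```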

It is strongly recommended that enterprise administrators update their Fortigate devices as soon as feasible. If the vulnerability is not currently being exploited by attackers, it is quite probable that it will be in the near future. At this time, there is no discussion of any potential workarounds.

Unfortunately for business defenders, threat actors are able to compare the newer versions of the operating system with previous versions to determine what the patch changes and, based on that knowledge, construct a working exploit.

In the past, vulnerabilities in Fortigate firewalls have been a common point of focus for attackers. In addition, it is fairly uncommon for Fortinet to provide major updates without first reporting vulnerabilities, regardless of whether or not such vulnerabilities are being actively exploited. Enterprise administrators should therefore apply the fix as quickly as possible.