Hundreds of Thousands of Fortinet FortiGate Firewalls Unpatched, Vulnerable to Attacks

Hundreds of thousands of Fortinet FortiGate firewalls remain vulnerable to a critical security issue, almost a month after the company released an update that addresses the problem.

The vulnerability, CVE-2023-27997, is a remote code execution (RCE) with a severity score of 9.8 out of 10. Bishop Fox, an offensive security provider, internally developed an exploit for CVE-2023-27997. There are 490,000 affected secure sockets layer (SSL) VPN interfaces exposed on the internet, and roughly 69% remain unpatched.

Caleb Gross, Bishop Fox‘s director of capability development, said his company’s analysis shows many Fortinet FortiGate firewalls have been patched for CVE-2022-42475, a similar critical-severity vulnerability disclosed in late 2022. But applying that software update might yield a false sense of confidence among FortiGate users.

Bishop Fox’s Caleb Gross

“Even if they patched as late as April, they’re still affected by CVE-2023-27997,” he said. “If exploited, an attacker could achieve RCE; for example, they can control the appliance. That includes manipulating firewall configuration, installing a covert implant, exfiltrating sensitive data, pivoting and accessing other unprotected servers inside the internal network, etc.”

Fortinet FortiGate Users Should Act Quickly

FortiGate users should prioritize patching as soon as possible, Gross said.

“Sometimes this is made more difficult if an IT team doesn’t closely manage their assets; for example, the subsidiary of a large company may own a firewall that the parent company is liable for, yet unaware of,” he said. “It’s also made more difficult if a vendor bundles feature updates with security updates, since a system administrator will additionally need to make sure that the feature change doesn’t break any existing functionality.”

In addition to being included in the Cybersecurity and Infrastructure Security (CISA) Known Exploited Vulnerabilities Catalog, Fortinet states in a blog that this vulnerability “may have been exploited in a limited number of cases,” Gross said.

We couldn’t reach Fortinet for comment.

Andre van der Walt, director of threat intelligence at Ontinue, said in recent years there have been a number of high-profile FortiGate vulnerabilities, including a critical RCE vulnerability that was patched last month. This vulnerability allows attackers to gain full control of vulnerable FortiGate firewalls, which could lead to data breaches, ransomware attacks and other serious consequences.

“While the findings from Bishop Fox are shocking, they are not surprising as it mirrors the overall trend in patching lagging significantly behind addressing new exposure in the attack surface, regardless of the technology in question,” he said. “This serves as a timely reminder that organizations need to put in place robust vulnerability management measures that identify, prioritize and address urgent vulnerabilities like these. Ultimately, security systems also need to be actively maintained to a high level.”

Seriousness ‘Cannot be Understated’

Timothy Morris, chief security advisor at Tanium, said the seriousness of this “cannot be understated.”

Tanium’s Timothy Morris

“This FortiOS … vulnerability is rated as critical and requires a firmware update,” he said. “That is reason enough to patch. However, the fact that exploit code exists and that these security appliances are typically on the perimeter requires immediate attention.”

System administrators should patch as quickly as possible, Morris said.

“Patching firmware is a bit more cumbersome and is riskier when dealing with appliances that run application gateways,” he said. “Many face the perimeter and must be highly available, thereby having tight change windows. As such, many organizations will have redundant systems that are running as hot or cold spares. It is important to make sure those are patched as well.”