17 August 2023

3 min read

Cyber threat advisory: Fortinet vulnerability

Cyber security
Cyber threat advisory: Fortinet vulnerability placeholder thumbnail


On 12 June 2023, Fortinet released a security advisory for a critical SSL VPN vulnerability (CVE-2023-27997) which is being exploited in the wild in active incidents, some of which are being associated with a campaign attributed to Volt Typhoon (Insidious Taurus), a suspected Chinese-nation-state cyber group. The vulnerability was identified during an internal audit of Fortinet’s codebase and is a heap-based buffer overflow that can be exploited by an unauthenticated attacker to compromise the affected device remotely.

Although the vulnerability is being associated with Volt Typhoon, a proof-of-concept exploit for the vulnerability has subsequently been published online and therefore it is highly likely that CVE-2023-27997 will be exploited imminently by a wider range of nation-state and financially motivated cybercriminals. The potential impact is significant due to the widespread usage of the Fortinet SSL VPN for remote access in the public and private sector; combined with the fact that previous Fortinet VPN vulnerabilities have resulted in intrusions perpetrated by groups intending to deploy ransomware and/or exfiltrate data.



We urgently advise all organisations who may be impacted to apply the following remediation:

If evidence of compromise is identified, we would advise immediately conducting an investigation into the scope of the malicious activity and to ensure any potential threat actors who may retain access to the network are removed.


Affected Fortinet products

The following FortiOS and FortiProxy versions are vulnerable to this vulnerability:

FortiOS-6K7K version 7.0.10
FortiOS-6K7K version 7.0.5
FortiOS-6K7K version 6.4.12
FortiOS-6K7K version 6.4.10
FortiOS-6K7K version 6.4.8
FortiOS-6K7K version 6.4.6
FortiOS-6K7K version 6.4.2
FortiOS-6K7K version 6.2.9 through 6.2.13
FortiOS-6K7K version 6.2.6 through 6.2.7
FortiOS-6K7K version 6.2.4
FortiOS-6K7K version 6.0.12 through 6.0.16
FortiOS-6K7K version 6.0.10
FortiProxy version 7.2.0 through 7.2.3
FortiProxy version 7.0.0 through 7.0.9
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.13
FortiOS version 6.0.0 through 6.0.16


Indicators of compromise

At this stage, there are limited IOCs available, however, according to the analysis of the available proof of concept by Lefxo, the following items are the potential IoCs for this exploit:

  • Abnormal amount of ‘/remote/logincheck’ and ‘/remote/hostcheck_validate’ requests
  • Suspicious reboots

Moreover, Fortinet have identified that intrusions related to exploitation of CVE-2023-27997 appear to coincide with attempts to exploit a similar authentication bypass flaw in FortiOS identified in December 2022, tracked as CVE-2022-40684, to gain initial access. Therefore, search for the use of named accounts:

  • fortinet-tech-support
  • fortigate-tech-support


If malicious activity is identified

  1. Trigger your incident response plan
  2. Engage expert cyber incident response firm
  3. Preserve evidence
  4. Implement a containment plan to limit the threat actor’s access inside the network
  5. Implement a threat hunting and eradication plan to remove the threat actor from the network
  6. Conduct forensics across impacted devices to identify potential data exfiltration

Please contact S-RM if you are concerned about your organisation's exposure to the Fortinet vulnerability

Tim Geschwindt
Tim Geschwindt
Senior Associate
Vlada Kulish
Vlada Kulish
Tim Geschwindt
Tim Geschwindt

Senior Associate

Vlada Kulish
Vlada Kulish


Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.