BREAKING AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack
Connect with us

Hi, what are you looking for?



Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks

Fortinet has warned customers that the critical CVE-2023-27997 vulnerability that was patched recently could be a zero-day exploited in limited attacks.


Fortinet warned customers on Monday that the recently patched vulnerability tracked as CVE-2023-27997 could be a zero-day flaw that has been exploited in limited attacks.

News broke over the weekend that updates released by Fortinet for its FortiOS operating system patch CVE-2023-27997, a critical vulnerability that can be exploited by a remote, unauthenticated attacker for arbitrary code execution. 

On Monday, Fortinet confirmed that the latest FortiOS and FortiProxy updates address the flaw, which it has described as a critical heap-based buffer overflow in the SSL-VPN module that can allow a remote hacker to execute arbitrary code or commands using specifically crafted requests.

Fortinet also confirmed that the researchers who broke the news over the weekend, Charles Fol and Dany Bach from French cybersecurity firm Lexfo, were indeed the ones who informed it about the flaw. 

In addition to its advisory, Fortinet on Monday published a blog post clarifying that CVE-2023-27997 is just one of the six FortiOS vulnerabilities resolved with the latest updates. The remaining flaws were discovered internally as part of an audit of the SSL-VPN module that was triggered by the in-the-wild exploitation of CVE-2022-42475.

Exploitation of CVE-2022-42475 has been linked to a Chinese threat actor, which had used it as a zero-day in attacks aimed at government and other types of organizations. 

As for the new zero-day, Fortinet said its investigation found that CVE-2023-27997 “may have been exploited in a limited number of cases”. The company is working with customers to monitor the situation. 

“For this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release. If the customer is not operating SSL-VPN the risk of this issue is mitigated – however, Fortinet still recommends upgrading,” Fortinet said.

Advertisement. Scroll to continue reading.

No information has been shared on the attacks potentially exploiting CVE-2023-27997, but the company did clarify that the zero-day is currently not being linked to the recently disclosed Volt Typhoon campaign. 

The Volt Typhoon campaign was detailed by Microsoft in May. The goal of the operation, believed to be the work of a Chinese state-sponsored threat group, has been to steal data from critical infrastructure organizations in the US territory of Guam.

Microsoft said the hackers exploited internet-exposed Fortinet FortiGuard firewalls for initial access. Fortinet believes, based on indicators of compromise (IoCs), that the Volt Typhoon campaign has exploited CVE-2022-40684, a security hole that has been widely exploited for initial access since at least the fall of 2022. 

Related: Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day

Related: Fortinet Finds Zero-Day Exploit in Government Attacks After Devices Detect Integrity Breach

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

ICS and OT cybersecurity solutions provider TXOne Networks appoints Stephen Driggers as new CRO

Identity orchestration provider Strata Identity appoints Aldo Pietropaolo as Field CTO

Cybersecurity provider for the aviation industry Cyviation has appointed Eliran Almog as Chief Executive Officer.

More People On The Move

Expert Insights