Fortinet warned customers on Monday that the recently patched vulnerability tracked as CVE-2023-27997 could be a zero-day flaw that has been exploited in limited attacks.
News broke over the weekend that the FortiOS updates Fortinet had released patch CVE-2023-27997, a critical vulnerability that a remote, unauthenticated attacker can exploit for arbitrary code execution.
On Monday, Fortinet confirmed that the latest FortiOS and FortiProxy updates address the flaw, which it describes as a critical heap-based buffer overflow in the SSL-VPN module that can allow a remote attacker to execute arbitrary code or commands via specially crafted requests.
Fortinet also confirmed that the researchers who broke the news over the weekend, Charles Fol and Dany Bach from French cybersecurity firm Lexfo, were indeed the ones who informed it about the flaw.
In addition to its advisory, Fortinet on Monday published a blog post clarifying that CVE-2023-27997 is just one of the six FortiOS vulnerabilities resolved with the latest updates. The remaining flaws were discovered internally as part of an audit of the SSL-VPN module that was triggered by the in-the-wild exploitation of CVE-2022-42475.
Exploitation of CVE-2022-42475 has been linked to a Chinese threat actor, which had used it as a zero-day in attacks aimed at government and other types of organizations.
As for the new zero-day, Fortinet said its investigation found that CVE-2023-27997 “may have been exploited in a limited number of cases”. The company is working with customers to monitor the situation.
“For this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release. If the customer is not operating SSL-VPN the risk of this issue is mitigated – however, Fortinet still recommends upgrading,” Fortinet said.
No information has been shared on the attacks potentially exploiting CVE-2023-27997, but the company did clarify that the zero-day is currently not being linked to the recently disclosed Volt Typhoon campaign.
The Volt Typhoon campaign was detailed by Microsoft in May. The goal of the operation, believed to be the work of a Chinese state-sponsored threat group, has been to steal data from critical infrastructure organizations in the US territory of Guam.
Microsoft said the hackers exploited internet-exposed Fortinet FortiGuard devices for initial access. Fortinet believes, based on indicators of compromise (IoCs), that the Volt Typhoon campaign has exploited CVE-2022-40684, an authentication bypass on the administrative interface of FortiOS, FortiProxy and FortiSwitchManager that has been widely exploited for initial access since at least the fall of 2022.