Fortinet has disclosed a “critical” vulnerability affecting FortiOS and FortiProxy, which allows an unauthenticated attacker to execute arbitrary code or perform a denial of service (DoS) attack on the graphical interface of vulnerable devices using specially crafted queries.

This buffer overflow vulnerability is tracked as CVE-2023-25610 and has a CVSS v3 score of 9.3, qualifying it as critical. This type of flaw occurs when a program tries to read more data from a buffer than is available, resulting in adjacent memory locations being accessed, leading to behavior risky or crashes.

THE security consulting published by Fortinet yesterday states that it is not aware of any cases of active exploitation in the wild at this time, and it affects the following products:

• FortiOS versions 7.2.0 to 7.2.3
• FortiOS versions 7.0.0 to 7.0.9
• FortiOS versions 6.4.0 to 6.4.11
• FortiOS versions 6.2.0 to 6.2.12
• FortiOS 6.0, all versions
• FortiProxy version 7.2.0 to 7.2.2
• FortiProxy version 7.0.0 to 7.0.8
• FortiProxy version 2.0.0 to 2.0.11
• FortiProxy 1.2, all versions
• FortiProxy 1.1, all versions

The target upgrade releases that address the CVE-2023-25610 vulnerability are:

• FortiOS version 7.4.0 or higher
• FortiOS version 7.2.4 or higher
• FortiOS version 7.0.10 or higher
• FortiOS version 6.4.12 or higher
• FortiOS version 6.2.13 or higher
• FortiProxy version 7.2.3 or higher
• FortiProxy version 7.0.9 or higher
• FortiProxy version 2.0.12 or higher
• FortiOS-6K7K version 7.0.10 or higher
• FortiOS-6K7K version 6.4.12 or higher
• FortiOS-6K7K version 6.2.13 or higher

Fortinet says that fifty device models, listed in the security bulletin, are not impacted by the arbitrary code execution component of the flaw but only by denial of service, even if they are running a vulnerable version of FortiOS .

Device models not listed in the advisory are vulnerable to both issues. Administrators should therefore apply available security updates as soon as possible.

For those unable to apply updates, Fortinet suggests the workaround of disabling the HTTP/HTTPS admin interface or limiting the IP addresses that can access it remotely.

Instructions on how to apply the workarounds, which also cover non-default port use cases, are included in the security advisory.

Threat actors monitor critical-severity flaws affecting Fortinet products, especially those that do not require authentication to exploit, as they provide a method to gain initial access to corporate networks. Therefore, it is imperative to quickly overcome this vulnerability.

For example, on February 16, Fixed Fortinet two critical remote code execution flaws affecting FortiNAC and FortiWeb products, calling on users to immediately apply security updates.

A work proof-of-concept exploit to take advantage of the flaw was not made public until four days later, and active exploitation in nature started on February 22, 2023.