Fortinet Releases Advisory on Critical FortiOS Vulnerability

On March 7, 2023, Fortinet released 15 new PSIRT advisories regarding vulnerabilities in its products. Here’s what you need to know.

What is the situation?

Across the 15 advisories, one is rated low, eight medium, five high and one critical. The affected product families are FortiOS, FortiAnalyzer, FortiManager, FortiPortal, FortiSwitch, FortiNAC, FortiProxy, FortiRecorder, FortiSOAR and FortiWeb.

The critical advisory, tracked as CVE-2023-25610, describes a buffer underflow (CWE-124) in the FortiOS and FortiProxy administrative interface. A remote, unauthenticated attacker who can reach that interface may be able to execute arbitrary code or commands on the device, or crash the GUI (denial of service), using specially crafted requests. Because no credentials are needed, any FortiGate or FortiProxy whose web administrative interface is reachable from untrusted networks should be treated as exposed.

At the time of writing, Fortinet states it is not aware of this vulnerability being exploited in the wild.

Until devices are patched, organizations can mitigate by disabling HTTP/HTTPS administrative access on internet-facing interfaces, or, where the GUI must remain reachable, by restricting the source IP addresses that can reach the administrative interface with a local-in policy. Restricting sources is only effective if the deny rule covers every interface the GUI listens on, including management interfaces.

What Fortinet products are affected?

Affected products include:

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0 all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions

Fortinet also notes that on certain hardware models the vulnerability can only be used for a denial of service (DoS) rather than code execution. The full list of those models is in the PSIRT advisory (FG-IR-23-001); devices not on that list, including virtual appliances, should be treated as exposed to remote code execution.
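To turn the version list above into something that can be run across an inventory export, here is an added example (not code from Nuspire or Fortinet) that encodes the affected ranges and reports, for each device, whether it is affected and the first fixed release in its branch. The fixed patch levels are derived from the affected ranges (the next patch after the last affected one), and the branches listed as "all versions" are reported with no in-branch fix, meaning the device has to migrate to a supported branch. The inventory lines are constructed sample data, not real hosts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Branch:
    """One affected release branch from the CVE-2023-25610 advisory."""
    product: str
    major: int
    minor: int
    last_patch: Optional[int]    # last affected x.y.Z; None = whole branch affected
    first_fixed: Optional[int]   # first fixed x.y.Z; None = no fixed release in this branch


# Ranges as published for FortiOS and FortiProxy. first_fixed is the patch level
# immediately after the last affected one (an assumption derived from the ranges).
AFFECTED: List[Branch] = [
    Branch("FortiOS", 7, 2, 3, 4),
    Branch("FortiOS", 7, 0, 9, 10),
    Branch("FortiOS", 6, 4, 11, 12),
    Branch("FortiOS", 6, 2, 12, 13),
    Branch("FortiOS", 6, 0, None, None),        # 6.0 all versions
    Branch("FortiProxy", 7, 2, 2, 3),
    Branch("FortiProxy", 7, 0, 8, 9),
    Branch("FortiProxy", 2, 0, 11, 12),
    Branch("FortiProxy", 1, 2, None, None),     # 1.2 all versions
    Branch("FortiProxy", 1, 1, None, None),     # 1.1 all versions
]

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull major.minor.patch out of plain "7.0.9" or the longer form shown by
    `get system status`, e.g. "FortiGate-100F v7.0.9,build0444,230207 (GA.F)"."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def assess(product: str, version: str) -> Dict[str, object]:
    """Return affected status and the first fixed release for one device."""
    major, minor, patch = parse_version(version)
    label = f"{major}.{minor}.{patch}"
    for b in AFFECTED:
        if b.product.lower() != product.lower() or (b.major, b.minor) != (major, minor):
            continue
        if b.last_patch is None or patch <= b.last_patch:
            fix = f"{major}.{minor}.{b.first_fixed}" if b.first_fixed is not None else None
            return {"affected": True, "version": label, "upgrade_to": fix}
        # Same branch, but already at or past the first fixed patch level.
        return {"affected": False, "version": label, "upgrade_to": None}
    # Branch not listed in the advisory at all (e.g. FortiOS 7.4.x).
    return {"affected": False, "version": label, "upgrade_to": None}


def triage(inventory: str) -> List[Dict[str, object]]:
    """Run assess() over 'hostname,product,version' lines and return only the
    affected devices. The version field may itself contain commas, so the
    split is limited to two."""
    findings = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = line.split(",", 2)
        result = assess(product.strip(), version.strip())
        if result["affected"]:
            findings.append({"host": host.strip(), **result})
    return findings


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = """\
# hostname,product,version
fw-edge-01,FortiOS,FortiGate-100F v7.0.9,build0444,230207 (GA.F)
fw-edge-02,FortiOS,7.2.4
proxy-01,FortiProxy,2.0.11
fw-lab-03,FortiOS,6.0.15
fw-new-04,FortiOS,7.4.0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        target = f["upgrade_to"] or "no fixed release in branch: migrate to a supported branch"
        print(f"{f['host']}: {f['version']} affected -> {target}")
```

A device whose branch is not in the table (7.4.x in the sample) is reported as not affected, which is correct for this advisory but says nothing about the other 14 advisories published the same day; those have their own version tables and should be checked separately.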

What is Nuspire doing?

Nuspire-managed devices are not affected by this vulnerability and there is no action required from managed clients.

What should I do?

Firmware upgrades and mitigations are available. Organizations managing affected FortiGates or FortiProxy units should upgrade to a fixed release: FortiOS 7.2.4, 7.0.10, 6.4.12 or 6.2.13 or later, and FortiProxy 7.2.3, 7.0.9 or 2.0.12 or later. FortiOS 6.0 and FortiProxy 1.1 and 1.2 have no fixed release and must be migrated to a supported branch. Where an upgrade cannot happen immediately, apply the administrative-interface mitigation recommended by Fortinet in the meantime.

  • If your devices are managed by Nuspire, you are not affected and there is no action to take.
  • Organizations using Fortinet products should review the newly published PSIRT advisories on Fortinet's PSIRT site and follow the guidance in each one.
  • Organizations managing their own FortiGate or FortiProxy on an affected version can find full details on fixed firmware versions and mitigations in the advisory for CVE-2023-25610 (FG-IR-23-001).
