Critical Vulnerability in Fortinet's FortiOS and FortiProxy Products

Published on 09 Mar 2023

Fortinet has released security updates addressing a critical vulnerability (CVE-2023-25610) in their FortiOS and FortiProxy products.

Successful exploitation of the buffer underflow vulnerability in the administrative interface of either FortiOS or FortiProxy could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service (DoS) on the graphical user interface (GUI) of the affected products using specially crafted requests.

The following versions of FortiOS and FortiProxy are affected:

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0 all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions
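As an added example (not Fortinet's code or part of the original advisory), the following script checks an asset inventory against the affected ranges listed above. It assumes dotted-numeric version strings such as "7.2.3" and treats the listed upper bounds as inclusive; the host names in the sample inventory are constructed placeholders.

```python
# Added example (not Fortinet's code): flag FortiOS / FortiProxy builds that fall in
# the affected ranges listed for CVE-2023-25610. Assumes dotted-numeric version
# strings such as "7.2.3"; bounds are inclusive, and a None upper bound means
# "all versions" of that branch, matching the advisory's wording.

AFFECTED = {
    "FortiOS": [("7.2.0", "7.2.3"), ("7.0.0", "7.0.9"), ("6.4.0", "6.4.11"),
                ("6.2.0", "6.2.12"), ("6.0", None)],
    "FortiProxy": [("7.2.0", "7.2.2"), ("7.0.0", "7.0.8"), ("2.0.0", "2.0.11"),
                   ("1.2", None), ("1.1", None)],
}


def parse_version(text):
    """'7.2.3' -> (7, 2, 3); anything that is not dotted digits is rejected."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True when `version` of `product` lies inside one of the advisory's ranges."""
    v = parse_version(version)
    for low, high in AFFECTED.get(product, []):
        lo = parse_version(low)
        if high is None:
            # "X.Y all versions": any release whose leading components equal the branch
            if v[:len(lo)] == lo:
                return True
        elif lo <= v <= parse_version(high):
            return True
    return False


def triage(inventory):
    """Keep the (host, product, version) records that still need patching."""
    return [rec for rec in inventory if is_affected(rec[1], rec[2])]


if __name__ == "__main__":
    # Constructed sample inventory; host names are placeholders, not real devices.
    sample = [("fw-edge-01", "FortiOS", "7.2.3"), ("fw-edge-02", "FortiOS", "7.2.4"),
              ("fw-lab-01", "FortiOS", "6.0.15"), ("proxy-01", "FortiProxy", "2.0.12"),
              ("proxy-02", "FortiProxy", "1.2.9")]
    for host, product, ver in triage(sample):
        print(f"{host}: {product} {ver} is affected by CVE-2023-25610; upgrade or restrict admin access")
```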

Users and administrators of affected product versions are advised to upgrade to the latest versions immediately.

If users and administrators are unable to upgrade their FortiOS versions immediately, they are advised to implement a workaround by disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach the administrative interface. More information on the workaround steps can be found in Fortinet's security advisory here.

More information is available here: