Fortinet remediates critical RCE vulnerability

Target Industry

Indiscriminate, opportunistic targeting.


Fortinet has released a security update to address an undisclosed, critical-severity vulnerability tracked as CVE-2023-27997. It is a pre-authentication vulnerability that allows remote code execution (RCE) in Secure Sockets Layer (SSL) Virtual Private Network (VPN) devices.

Update: 13th June 2023

Additional details have been disclosed regarding the recently reported Fortinet vulnerability affecting FortiGate firewall devices. The flaw, tracked as CVE-2023-27997 (CVSS v3 score: 9.2 – critical), is a heap-based buffer overflow vulnerability in FortiOS and FortiProxy Secure Sockets Layer (SSL) Virtual Private Network (VPN) that can allow threat actors to gain remote code execution (RCE) capabilities on affected devices.

Fortinet has stated that the vulnerability “…may have been exploited in a limited number of cases…”. As such, users are strongly advised to apply the most recent firmware upgrade as soon as possible.


Successful exploitation of CVE-2023-27997 would allow threat actors to compromise target systems and potentially gain remote code execution capabilities. As SSL VPNs are a vital component in providing secure remote access to network environments, exploitation of the vulnerability would breach this secure channel, compromising the integrity of the target network.

Vulnerability Detection

Fortinet has released a security patch for the vulnerability for the respective product versions. As such, previous versions are vulnerable to potential exploitation.

Affected Products

FortiGate firewall devices.

Containment, Mitigations & Remediations

It is strongly recommended that users apply the associated security updates in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 as a matter of urgency.
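The fixed-version list above can be turned into a quick inventory triage. This is an added example, not code from Fortinet or from the bulletin's authors; the hostnames and version strings are constructed, the `classify` and `triage` helpers are hypothetical names, and the check covers FortiOS only, because the bulletin lists no FortiProxy fixed versions.

```python
import re

# Fixed FortiOS releases per branch, as listed in this bulletin.
FIXED = {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5}

# Exactly three dotted numbers, optional leading "v"; four-part values
# such as IP addresses are rejected by the look-arounds.
_VERSION = re.compile(r"(?<![\d.])v?(\d+)\.(\d+)\.(\d+)(?![\d.])")


def classify(version_text):
    """Return 'patched', 'vulnerable', 'unlisted-branch' or 'unparsed'."""
    m = _VERSION.search(version_text)
    if not m:
        return "unparsed"
    # Compare as integers: as strings, "9" would sort after "13".
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch not named in the bulletin: check the vendor advisory.
        return "unlisted-branch"
    return "patched" if patch >= fixed_patch else "vulnerable"


def triage(inventory):
    """Group hostnames by status so unpatched devices surface first."""
    report = {"vulnerable": [], "unlisted-branch": [], "unparsed": [], "patched": []}
    for host, text in sorted(inventory.items()):
        report[classify(text)].append(host)
    return report


# Constructed sample inventory (assumption: hostname -> reported version).
SAMPLE = {
    "fw-edge-01": "v7.0.11",
    "fw-edge-02": "7.2.5",
    "fw-branch-03": "v6.4.9",
    "fw-lab-04": "v7.4.0",
    "fw-dc-05": "6.2.15",
    "fw-old-06": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:16} {', '.join(hosts) or '-'}")
```

Devices reported as `unlisted-branch` or `unparsed` need a manual check against the vendor advisory rather than being assumed safe.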

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Fortinet occupies a significant proportion of the networking-hardware market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to develop exploits for, Fortinet networking hardware products have emerged as a prime target for threat actors. Because Fortinet products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities in these product types in an attempt to exfiltrate sensitive data contained therein or impact associated business operations.

Shodan searches have revealed that more than 250,000 FortiGate firewalls can be contacted via the internet, and as this vulnerability affects all previous versions, it is highly likely that most of these instances are exposed.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Update: 13th June 2023

At the time of writing, a Volt Typhoon (also known as BRONZE SILHOUETTE) threat actor campaign is underway, targeting another Fortinet-related vulnerability, namely CVE-2022-40684. As such, although an official attribution has not been made, there is a realistic possibility that Volt Typhoon could target CVE-2023-27997 due to their track record of exploiting unpatched vulnerabilities in commonly used software and devices.

MITRE Methodologies


TA0002 – Execution

Further Information

Help Net Security Report 

Fortinet CVE-2023-27997 report


Intelligence Terminology Yardstick