In June of this year (2023), Fortinet disclosed a critical SSL-VPN vulnerability affecting FortiOS, FortiOS-6K7K, FortiProxy and related products. It is a heap-based buffer overflow (CWE-122).

A remote attacker can use this vulnerability to execute arbitrary code or commands over the Internet. It has a CVSS score of 9.8, which rates it as critical.

Like CVE-2022-42475 in 2022, this vulnerability is a weakness in the SSL-VPN component.


Affected system versions are as follows:

FortiOS: 7.2.0-7.2.4, 7.0.0-7.0.11, 6.4.0-6.4.12, 6.2.0-6.2.13, and 6.0.0-6.0.16.

FortiOS-6K7K: 7.0.10, 7.0.5, 6.4.12, 6.4.10, 6.4.8, 6.4.6, 6.4.2, 6.2.9-6.2.13, 6.2.6-6.2.7, 6.2.4, 6.0.12-6.0.16, and 6.0.10.

FortiProxy: 7.2.0-7.2.3, 7.0.0-7.0.9, 2.0.0-2.0.12, 1.2, and 1.1.


Suggested mitigation: if you are not using the SSL-VPN function, disable it.

Otherwise, update to a fixed version as soon as possible:

FortiOS: 7.4.0, 7.2.5, 7.0.12, 6.4.13, 6.2.14, 6.0.17 or later.

FortiOS-6K7K: 7.0.12, 6.4.13, 6.2.15, 6.0.17 or later.

FortiProxy: 7.2.4, 7.0.10, 2.0.13 or later.
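As an added example (not code from the post or from Fortinet), the checker below parses the affected and fixed version lists above, in the advisory's own "a.b.c-a.b.d" notation, and reports whether a given build is still exposed and which release on its branch fixes it. The `AFFECTED` and `FIXED` tables are transcribed from the text above; treating a bare "1.2" or "1.1" as a whole branch is an assumption.

```python
"""Check a FortiOS / FortiOS-6K7K / FortiProxy build against FG-IR-23-097."""
import re

# Affected versions per product, transcribed from the advisory text above.
# "a.b.c-a.b.d" is an inclusive range; "a.b.c" a single release; "a.b" a branch.
AFFECTED = {
    "FortiOS": "7.2.0-7.2.4, 7.0.0-7.0.11, 6.4.0-6.4.12, 6.2.0-6.2.13, 6.0.0-6.0.16",
    "FortiOS-6K7K": "7.0.10, 7.0.5, 6.4.12, 6.4.10, 6.4.8, 6.4.6, 6.4.2, "
                    "6.2.9-6.2.13, 6.2.6-6.2.7, 6.2.4, 6.0.12-6.0.16, 6.0.10",
    "FortiProxy": "7.2.0-7.2.3, 7.0.0-7.0.9, 2.0.0-2.0.12, 1.2, 1.1",
}
# First fixed release on each branch ("or later" applies within the branch).
FIXED = {
    "FortiOS": "7.4.0, 7.2.5, 7.0.12, 6.4.13, 6.2.14, 6.0.17",
    "FortiOS-6K7K": "7.0.12, 6.4.13, 6.2.15, 6.0.17",
    "FortiProxy": "7.2.4, 7.0.10, 2.0.13",
}

def parse_version(s):
    """'7.0.11' -> (7, 0, 11); '1.2' -> (1, 2), meaning a whole branch."""
    s = s.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", s):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in s.split("."))

def parse_ranges(spec):
    """Turn 'a-b, c, d.e' into a list of inclusive (low, high) tuples."""
    out = []
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        lo_v = parse_version(lo)
        if hi:
            out.append((lo_v, parse_version(hi)))
        elif len(lo_v) == 2:  # assumption: bare "1.2" covers every 1.2.x build
            out.append((lo_v + (0,), lo_v + (10**6,)))
        else:
            out.append((lo_v, lo_v))
    return out

def fixed_release(product, version):
    """Lowest fixed release on the same major.minor branch, or None if the
    advisory lists none for that branch (e.g. FortiProxy 1.x)."""
    branch = parse_version(version)[:2]
    cands = [f.strip() for f in FIXED[product].split(",")
             if parse_version(f)[:2] == branch]
    return min(cands, key=parse_version) if cands else None

def is_affected(product, version):
    """True when the build lies in an affected range and is below the fix
    for its branch; False for fixed builds and for builds never listed."""
    v = parse_version(version)
    fix = fixed_release(product, version)
    if fix is not None and v >= parse_version(fix):
        return False
    return any(lo <= v <= hi for lo, hi in parse_ranges(AFFECTED[product]))
```

A `None` from `fixed_release` means the page lists no fixed release on that branch, so the only listed mitigation is to disable SSL-VPN or move to a supported branch.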


#PCI #PCI DSS #Compliance


References:

https://www.fortiguard.com/psirt/FG-IR-23-097

https://cwe.mitre.org/data/definitions/122.html

https://nvd.nist.gov/vuln/detail/CVE-2023-27997