Fortinet Critical Vulnerability in FortiOS and FortiProxy
FortiOS en FortiProxy Beveiligingslek – CVE-2023- 25610
9th March 2023
Fortinet Unauthenticated RCE/DoS Vulnerabilities
Fortinet has released a security advisory for an unauthenticated arbitrary code execution and denial of service vulnerability in FortiOS and FortiProxy.
CVE-2023-25610 (CVSS v3: 9.3 – Critical) is caused by buffer underflow conditions – that’s when a program tries to read more data than is a available from a specific memory address, potentially leading to dangerous instructions being loaded or the program crashing.
The advisory states that Fortinet is not aware of any instances of active exploitation.
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0, all versions
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.8
- FortiProxy version 2.0.0 through 2.0.11
- FortiProxy 1.2, all versions
- FortiProxy 1.1, all versions
All products with these software versions are affected by the denial of service condition of the vulnerability. The Fortinet bulletin contains a list of 50 device models which are not affected by the arbitrary code execution vulnerability. If your device does not appear on the list then it is vulnerable to both arbitrary code execution and denial of service.
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.10 or above
- FortiOS version 6.4.12 or above
- FortiOS version 6.2.13 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.9 or above
- FortiProxy version 2.0.12 or above
- FortiOS-6K7K version 7.0.10 or above
- FortiOS-6K7K version 6.4.12 or above
- FortiOS-6K7K version 6.2.13 or above
Our recommendation is basically in any case to patch as soon as possible. If the device is running an affected version and is present on the list in the list in the bulletin but has the management interface disabled or restricted then it may be feasible to push patches in the next available time window.