
Fortinet Critical Vulnerability in FortiOS and FortiProxy

FortiOS and FortiProxy Security Vulnerability – CVE-2023-25610

9th March 2023

Fortinet Unauthenticated RCE/DoS Vulnerabilities

Fortinet has released a security advisory for an unauthenticated arbitrary code execution and denial of service vulnerability in FortiOS and FortiProxy.

CVE-2023-25610 (CVSS v3: 9.3 – Critical) is caused by a buffer underflow condition – that is, when a program tries to read more data than is available at a specific memory address, potentially leading to dangerous instructions being loaded or the program crashing.

The advisory states that Fortinet is not aware of any instances of active exploitation.

Affected Products

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0, all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy 1.2, all versions
  • FortiProxy 1.1, all versions

All products with these software versions are affected by the denial of service condition of the vulnerability. The Fortinet bulletin contains a list of 50 device models which are not affected by the arbitrary code execution vulnerability. If your device does not appear on the list then it is vulnerable to both arbitrary code execution and denial of service.

Security Patches

  • FortiOS version 7.4.0 or above
  • FortiOS version 7.2.4 or above
  • FortiOS version 7.0.10 or above
  • FortiOS version 6.4.12 or above
  • FortiOS version 6.2.13 or above
  • FortiProxy version 7.2.3 or above
  • FortiProxy version 7.0.9 or above
  • FortiProxy version 2.0.12 or above
  • FortiOS-6K7K version 7.0.10 or above
  • FortiOS-6K7K version 6.4.12 or above
  • FortiOS-6K7K version 6.2.13 or above
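To turn the two lists above into something an operations team can run over an asset inventory, here is an added example (not code from Fortinet or from this bulletin) that classifies a FortiOS or FortiProxy version string against the affected ranges and reports the first fixed build on the same branch. The inventory lines, hostnames and the `assess`/`affected_hosts` helpers are constructed for illustration; the FortiOS-6K7K patch builds are not modelled because the bulletin excerpt gives fixed builds for that platform but no separate affected range.

```python
"""Added example, not part of the Fortinet bulletin: check inventoried
FortiOS / FortiProxy version strings against the affected and fixed
ranges quoted in this bulletin for CVE-2023-25610."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '7.0.9' into (7, 0, 9); raises ValueError on junk input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# Affected ranges from the bulletin as (branch, first, last);
# last=None means every release on that branch is affected.
AFFECTED: Dict[str, List[Tuple[Version, Version, Optional[Version]]]] = {
    "FortiOS": [
        ((7, 2), (7, 2, 0), (7, 2, 3)),
        ((7, 0), (7, 0, 0), (7, 0, 9)),
        ((6, 4), (6, 4, 0), (6, 4, 11)),
        ((6, 2), (6, 2, 0), (6, 2, 12)),
        ((6, 0), (6, 0, 0), None),
    ],
    "FortiProxy": [
        ((7, 2), (7, 2, 0), (7, 2, 2)),
        ((7, 0), (7, 0, 0), (7, 0, 8)),
        ((2, 0), (2, 0, 0), (2, 0, 11)),
        ((1, 2), (1, 2, 0), None),
        ((1, 1), (1, 1, 0), None),
    ],
}

# First fixed build per branch, from the bulletin's "Security Patches" list.
FIXED: Dict[str, Dict[Version, Version]] = {
    "FortiOS": {(7, 4): (7, 4, 0), (7, 2): (7, 2, 4), (7, 0): (7, 0, 10),
                (6, 4): (6, 4, 12), (6, 2): (6, 2, 13)},
    "FortiProxy": {(7, 2): (7, 2, 3), (7, 0): (7, 0, 9), (2, 0): (2, 0, 12)},
}


def minimum_fixed(product: str, version: Version) -> Optional[str]:
    """First fixed build on the same branch, or None if the branch has no fix."""
    fixed = FIXED[product].get(version[:2])
    return ".".join(map(str, fixed)) if fixed else None


def assess(product: str, version_text: str) -> dict:
    """Classify one device. Only the DoS impact is decided here: the RCE
    impact also depends on the bulletin's model exclusion list, which is
    not reproduced in this example."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product {product!r}")
    version = parse_version(version_text)
    release = version[:3]          # ignore any trailing build component
    affected = False
    for branch, first, last in AFFECTED[product]:
        if release[:2] == branch:
            affected = first <= release and (last is None or release <= last)
            break
    fixed = minimum_fixed(product, release)
    if not affected:
        note = "not in an affected range"
    elif fixed is None:
        note = "no fixed build on this branch; migrate to a fixed branch"
    else:
        note = f"upgrade to {fixed} or later"
    return {"product": product, "version": version_text,
            "affected": affected, "fixed": fixed, "note": note}


# Constructed inventory lines (hostname, product, version), not real devices.
INVENTORY = """\
fw-edge-01 FortiOS 7.0.9
fw-edge-02 FortiOS 7.0.10
fw-lab-01  FortiOS 6.0.15
proxy-01   FortiProxy 2.0.11
proxy-02   FortiProxy 7.2.3
"""


def affected_hosts(inventory: str = INVENTORY) -> List[str]:
    """Hostnames whose recorded version falls in an affected range."""
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        if assess(product, version)["affected"]:
            hits.append(host)
    return hits


if __name__ == "__main__":
    for line in INVENTORY.splitlines():
        host, product, version = line.split()
        print(host, assess(product, version))
```

Note that a device on the 6.0, 1.2 or 1.1 branches gets `fixed=None`, because the bulletin offers no patched build on those branches; the only remedy is moving to a branch that has one. A four-part version string is compared on its first three components only, so a build suffix does not push a release out of its range.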

Recommendations

Our recommendation is to patch as soon as possible in any case. If the device is running an affected version and appears on the list in the bulletin (so it is exposed only to the denial of service condition) but has the management interface disabled or restricted, then it may be feasible to push patches in the next available maintenance window.