Fortinet has identified and fixed 15 security flaws, one of which a critical vulnerability located in FortiOS and FortiProxy.
CVE-2023-25610 Technical Overview
The vulnerability, identified as CVE-2023-25610, has a severity rating of 9.3 out of 10 on the CVSS scale, and was reported by the company’s security teams. If exploited, this buffer underwrite flaw would allow for remote unauthenticated attackers to execute arbitrary code on exposed devices, or conduct a denial of service attack on the GUI, with the help of specially crafted requests.
A buffer underwrite occurs when the input data is shorter than the allocated space, which can lead to unpredictable behavior or leaked sensitive data, according to the official advisory. Currently, Fortinet has no knowledge of any cases where this vulnerability was used maliciously. The company added that they are constantly reviewing and examining the security of their products, and this particular vulnerability was identified internally through these means.
What Fortinet Products Have Been Affected by CVE-2023-25610?
The CVE-2023-25610 vulnerability has affected the following FortiOS and FortiProxy versions:
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS version 6.2.0 through 6.2.12
FortiOS 6.0 all versions
FortiProxy version 7.2.0 through 7.2.2
FortiProxy version 7.0.0 through 7.0.8
FortiProxy version 2.0.0 through 2.0.11
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
Even when running a vulnerable FortiOS version, a number of hardware devices the company listed in the advisory are only impacted by the DoS part of the issue, not by the arbitrary code execution. Non-listed devices are vulnerable to both, Fortinet said.
The advisory also features a possible workaround solution. CVE-2023-25610 was internally discovered and reported by Kai Ni from Burnaby InfoSec team.
CVE-2022-39947 is another example of a severe Fortinet vulnerability which was discovered in January 2023 in FortiADC product – an advanced application and database delivery controller from Fortinet. The vulnerability was defined as a command injection issue in the product’s web interface, rated 8.6 out of 10 on the CVSS scale.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: