CVE-2023-27997
published 2023-06-13

Priority: P1 · 96 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-07-04
Exploited in the wild
EPSS: 85.69% (99.7th percentile)
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Affected

39 ranges · showing 25

Vendor   | Product       | Version range   | Fixed in
fortinet | fortigate6000 |                 |
fortinet | fortigate7000 |                 |
fortinet | fortios       |                 |
fortinet | fortios       | 6.0.0 – 6.0.16  |
fortinet | fortios       | 6.0.12 – 6.0.16 |
fortinet | fortios       | 6.2.0 – 6.2.13  |
fortinet | fortios       | 6.2.9 – 6.2.13  |
fortinet | fortios       | 6.4.0 – 6.4.12  |
fortinet | fortios       | 7.0.0 – 7.0.11  |
fortinet | fortios       | 7.2.0 – 7.2.4   |
fortinet | fortios-6k7k  |                 |

Rows with an empty version range were listed without version data in the source table and are shown once per product.

Detection & IOCs (extracted from sources)

path: /opt/phoenix/log/phoenix.logs
path: /opt/charting/redishb.sh
other: Malicious Admin: fortigate-tech-support
  • Look for a symbolic link in the SSL-VPN language files folder connecting the user filesystem to the root filesystem; this persists even after patching CVE-2023-27997 and other original vulnerabilities.
  • Devices with SSL-VPN never enabled are NOT impacted by the symlink persistence technique; scope detection efforts to SSL-VPN-enabled devices only.
  • Check phMonitor message logs for PHL_ERROR entries containing payload URLs as an indicator of exploitation activity.
  • The Coathanger RAT was deployed by Chinese Volt Typhoon threat actors exploiting CVE-2023-27997 and CVE-2022-42475 against FortiOS devices.
  • The symlink persistence technique abuses the SSL-VPN language files folder and only affects devices that have had SSL-VPN enabled; patching the original CVE does NOT remove the symlink — a FortiOS upgrade to 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 is required to remove it.
  • AV/IPS signature detection of the malicious symlink requires the AV/IPS engine to be licensed and enabled on FortiOS 7.4, 7.2, 7.0, and 6.4; without a valid license the automatic removal will not occur.
  • Stolen FortiGate config/credential data circulating in 2025 threat actor postings originates from older CVE-2022-40684 and CVE-2018-13379 campaigns (pre-November 2022) and is NOT from CVE-2023-27997 exploitation; affected firmware versions are 7.0.6 and below or 7.2.1 and below.

CVSS provenance

nvd (v3.1): 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL