CVE-2023-27997
Published 2023-06-13
Priority: P1 · 96 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2023-07-04)
Exploited in the wild
EPSS: 85.69% (99.7th percentile)
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
Affected
39 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortigate6000 | — | — |
| fortinet | fortigate7000 | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | 6.0.0 – 6.0.16 | — |
| fortinet | fortios | 6.0.12 – 6.0.16 | — |
| fortinet | fortios | 6.2.0 – 6.2.13 | — |
| fortinet | fortios | 6.2.9 – 6.2.13 | — |
| fortinet | fortios | 6.4.0 – 6.4.12 | — |
| fortinet | fortios | 7.0.0 – 7.0.11 | — |
| fortinet | fortios | 7.2.0 – 7.2.4 | — |
| fortinet | fortios-6k7k | — | — |
| fortinet | fortios-6k7k | — | — |
| fortinet | fortios-6k7k | — | — |
| fortinet | fortios-6k7k | — | — |
Detection & IOCs (extracted from sources)
- Look for a symbolic link in the SSL-VPN language files folder connecting the user filesystem to the root filesystem; this persists even after patching CVE-2023-27997 and other original vulnerabilities.
- Devices with SSL-VPN never enabled are NOT impacted by the symlink persistence technique; scope detection efforts to SSL-VPN-enabled devices only.
- Check phMonitor message logs for PHL_ERROR entries containing payload URLs as an indicator of exploitation activity.
- The Coathanger RAT was deployed by Chinese Volt Typhoon threat actors exploiting CVE-2023-27997 and CVE-2022-42475 against FortiOS devices.
- The symlink persistence technique abuses the SSL-VPN language files folder and only affects devices that have had SSL-VPN enabled; patching the original CVE does NOT remove the symlink — a FortiOS upgrade to 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 is required to remove it.
- AV/IPS signature detection of the malicious symlink requires the AV/IPS engine to be licensed and enabled on FortiOS 7.4, 7.2, 7.0, and 6.4; without a valid license the automatic removal will not occur.
- Stolen FortiGate config/credential data circulating in 2025 threat actor postings originates from older CVE-2022-40684 and CVE-2018-13379 campaigns (pre-November 2022) and is NOT from CVE-2023-27997 exploitation; affected firmware versions are 7.0.6 and below or 7.2.1 and below.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 9.8 | CRITICAL | — |
| cisa | 9.8 | CRITICAL | — |
CISA ICS
Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices
cisa_ics·2024-03-14
ICS Advisory
## Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices
Release Date: March 14, 2024
Alert Code: ICSA-24-074-11
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: RUGGEDCOM APE1808 devices
- Vulnerabilities: Improper Certificate Validation, Cleartext Transmission of Sensitive Information, Path Traversal, Exposure of Sensitive Information to an Unauthorized
CISA
Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
cisa·2023-06-13·CVSS 9.8
CVE-2023-27997 [CRITICAL] CWE-122 Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
Affected: Fortinet FortiOS and FortiProxy SSL-VPN
Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or commands via specifically crafted requests.
Required Action: Apply updates per vendor instructions.
Notes: https://www.fortiguard.com/psirt/FG-IR-23-097; https://nvd.nist.gov/vuln/detail/CVE-2023-27997
Remediation Due Date: 2023-07-04
Fortinet
Heap buffer overflow in sslvpn pre-authentication
vendor_fortinet·2023-06-13·CVSS 9.8
CVE-2023-27997 [CRITICAL] CWE-122 Heap buffer overflow in sslvpn pre-authentication
FG-IR-23-097: Heap buffer overflow in sslvpn pre-authentication
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
CVEs: CVE-2023-27997
CWEs: CWE-122, CWE-787
CVSS: 9.8 (critical)
Affected products: FortiGate6000, FortiGate7000, FortiOS, FortiProxy
GHSA
GHSA-2hj2-fcr9-9p35: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7
ghsa_unreviewed·2023-06-13
CVE-2023-27997 [CRITICAL] CWE-122 GHSA-2hj2-fcr9-9p35: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
VulnCheck
Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-27997 [CRITICAL] CWE-122 Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or commands via specifically crafted requests.
Affected: Fortinet FortiOS and FortiProxy
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://information.rapid7.com/rs/411-NAK-970/images/Rapid7-2023-Mid-Year-Threat-Review.pdf; https://blog.lumen.com/routers-roasting-on-an-open-firew
VulnCheck
Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-42475 [CRITICAL] CWE-197 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specifically crafted requests.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.fortiguard.com/psirt/FG-IR-22-398; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw; https://www.prio-n.com/a-year-in-review-2022-100-vulnerabilities-you-sh
VulnCheck
Fortinet Multiple Products Authentication Bypass Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-40684 [CRITICAL] CWE-288 Fortinet Multiple Products Authentication Bypass Vulnerability
Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Affected: Fortinet Multiple Products
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.fortiguard.com/psirt/FG-IR-22-377; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2022-40684; https://blog.cyble.com/2022/11/24/multiple-organisations-compromised-by-critical-authentication-bypass-vulnerability-in-fortinet-pro
Suricata
ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/error (CVE-2023-27997)
suricata·2023-07-05·CVSS 9.8
CVE-2023-27997 [CRITICAL] ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/error (CVE-2023-27997)
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/error (CVE-2023-27997)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 120; http.method; content:"POST"; http.uri; content:"/remote/error"; fast_pattern; startswith; http.content_len; byte_test:0,>,1000000,0,string,dec; reference:cve,2023-27997; reference:url,blog.lexfo.fr/xortigate-cve-2023-27997.html; reference:url,github.com/BishopFox/CVE-2023-27997-check/blob/main/CVE-2023-27997-check.py; reference:url,bishopfox.com/blog/cve-2023-27997-exploitable-and-fortigate-firewalls-vulnerable; classtype:attempted-admin; sid:2046723; rev:1; metadata:affected_pro
```
Suricata
ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997)
suricata·2023-06-13·CVSS 9.8
CVE-2023-27997 [CRITICAL] ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997)
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/logincheck (CVE-2023-27997)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/remote/logincheck"; fast_pattern; startswith; reference:cve,2023-27997; reference:url,blog.lexfo.fr/xortigate-cve-2023-27997.html; classtype:attempted-admin; sid:2046254; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2023_06_13, cve CVE_2023_27997, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_
```
Suricata
ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/hostcheck_validate (CVE-2023-27997) M1
suricata·2023-06-13·CVSS 9.8
CVE-2023-27997 [CRITICAL] ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/hostcheck_validate (CVE-2023-27997) M1
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/hostcheck_validate (CVE-2023-27997) M1"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 120; http.method; content:"POST"; http.uri; content:"/remote/hostcheck_validate"; fast_pattern; startswith; content:"enc"; distance:0; reference:cve,2023-27997; reference:url,blog.lexfo.fr/xortigate-cve-2023-27997.html; classtype:attempted-admin; sid:2046252; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2023_06_13, cve CVE_2023_27997, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confi
```
Suricata
ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/hostcheck_validate (CVE-2023-27997)
suricata·2023-06-13·CVSS 9.8
CVE-2023-27997 [CRITICAL] ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/hostcheck_validate (CVE-2023-27997)
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortigate VPN - Repeated GET Requests to /remote/hostcheck_validate (CVE-2023-27997)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/remote/hostcheck_validate"; fast_pattern; startswith; content:"enc"; distance:0; reference:cve,2023-27997; reference:url,blog.lexfo.fr/xortigate-cve-2023-27997.html; classtype:attempted-admin; sid:2046251; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2023_06_13, cve CVE_2023_27997, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Ma
```
Suricata
ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/logincheck (CVE-2023-27997)
suricata·2023-06-13·CVSS 9.8
CVE-2023-27997 [CRITICAL] ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/logincheck (CVE-2023-27997)
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/logincheck (CVE-2023-27997)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 120; http.method; content:"POST"; http.uri; content:"/remote/logincheck"; fast_pattern; startswith; reference:cve,2023-27997; reference:url,blog.lexfo.fr/xortigate-cve-2023-27997.html; classtype:attempted-admin; sid:2046255; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2023_06_13, cve CVE_2023_27997, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updat
```
Suricata
ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/hostcheck_validate (CVE-2023-27997) M2
suricata·2023-06-13·CVSS 9.8
CVE-2023-27997 [CRITICAL] ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/hostcheck_validate (CVE-2023-27997) M2
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortigate VPN - Repeated POST Requests to /remote/hostcheck_validate (CVE-2023-27997) M2"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 120; http.method; content:"POST"; http.uri; content:"/remote/hostcheck_validate"; fast_pattern; startswith; http.request_body; content:"enc"; reference:cve,2023-27997; reference:url,blog.lexfo.fr/xortigate-cve-2023-27997.html; classtype:attempted-admin; sid:2046253; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2023_06_13, cve CVE_2023_27997, deployment Perimeter, deployment SSLDecrypt, performance_impact Low
```
Suricata
ET EXPLOIT Fortigate VPN - Request to /remote/info - Possible CVE-2023-27997 Exploit Attempt
suricata·2023-06-13·CVSS 9.8
CVE-2023-27997 [CRITICAL] ET EXPLOIT Fortigate VPN - Request to /remote/info - Possible CVE-2023-27997 Exploit Attempt
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortigate VPN - Request to /remote/info - Possible CVE-2023-27997 Exploit Attempt"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/remote/info"; fast_pattern; startswith; reference:cve,2023-27997; reference:url,blog.lexfo.fr/xortigate-cve-2023-27997.html; classtype:attempted-admin; sid:2046256; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2023_06_13, cve CVE_2023_27997, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, tag CISA_KEV, updat
```
No public exploits indexed.
Tenable
CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild
blogs_tenable·2026-04-06·CVSS 9.8
[CRITICAL] CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild
Bleepingcomputer
Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
blogs_bleepingcomputer·2026-01-16·CVSS 9.8
CVE-2025-64155 [CRITICAL] Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
By Sergiu Gatlan
A critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code is now being abused in attacks.
According to security researcher Zach Hanley at penetration testing company Horizon3.ai, who reported the vulnerability ( CVE-2025-64155 ), it is a combination of two issues that allow arbitrary writes with admin permissions and privilege escalation to root access.
"An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests," Fortinet explained on Tuesday, when it released security updates to patch th
Tenable
CVE-2025-64155 PoC released Command Injection Vulnerability
blogs_tenable·2026-01-14·CVSS 9.8
[CRITICAL] CVE-2025-64155 PoC released Command Injection Vulnerability
Bleepingcomputer
Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
blogs_bleepingcomputer·2026-01-02·CVSS 9.8
CVE-2020-12812 [CRITICAL] Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
By Sergiu Gatlan
Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.
Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812 ) and advised admins who couldn't immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.
This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username's case is cha
Bleepingcomputer
Over 25,000 FortiCloud SSO devices exposed to remote attacks
blogs_bleepingcomputer·2025-12-19·CVSS 9.8
CVE-2025-59718 [CRITICAL] Over 25,000 FortiCloud SSO devices exposed to remote attacks
By Sergiu Gatlan
Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability.
Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service.
As cybersecurity company Arctic Wolf reported on Monday , the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins.
Threat actors are abusing it i
Bleepingcomputer
Fortinet warns of critical FortiCloud SSO login auth bypass flaws
blogs_bleepingcomputer·2025-12-09·CVSS 9.8
CVE-2025-59718 [CRITICAL] Fortinet warns of critical FortiCloud SSO login auth bypass flaws
By Sergiu Gatlan
Fortinet has released security updates to address two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could allow attackers to bypass FortiCloud SSO authentication.
Threat actors can exploit the two security flaws tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb) by abusing improper verification of cryptographic signature weaknesses in vulnerable products via a maliciously crafted SAML message.
However, as Fortinet explained in an advisory published today, the vulnerable FortiCloud feature is not enabled by default when the device is not FortiCare-registered.
"Please note that the FortiCloud SSO login feature is no
Bleepingcomputer
Fortinet warns of new FortiWeb zero-day exploited in attacks
blogs_bleepingcomputer·2025-11-18·CVSS 7.2
CVE-2025-58034 [HIGH] Fortinet warns of new FortiWeb zero-day exploited in attacks
By Sergiu Gatlan
Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks.
Tracked as CVE-2025-58034 , this web application firewall security flaw was reported by Jason McFadyen of Trend Micro's Trend Research team.
Authenticated threat actors can gain code execution by successfully exploiting this OS command injection vulnerability in low-complexity attacks that don't require user interaction.
"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests o
Tenable
CVE-2025-64446 FortiWeb Zero-Day Exploited
blogs_tenable·2025-11-14·CVSS 9.8
[CRITICAL] CVE-2025-64446 FortiWeb Zero-Day Exploited
Tenable
CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability
blogs_tenable·2025-08-13·CVSS 9.8
[CRITICAL] CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability
Bleepingcomputer
Critical Fortinet flaws now exploited in Qilin ransomware attacks
blogs_bleepingcomputer·2025-06-06·CVSS 9.8
[CRITICAL] Critical Fortinet flaws now exploited in Qilin ransomware attacks
By Sergiu Gatlan
The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.
Qilin (also tracked as Phantom Mantis) surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the "Agenda" name and has since claimed responsibility for over 310 victims on its dark web leak site.
Its victim list also includes high-profile organizations, such as automotive giant Yangfeng , publishing giant Lee Enterprises , Australia's Court Services Victoria , and pathology services provider Synnovis . The Synnovis incident impacted several major NHS hospitals in London, which forced the
Tenable
CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
blogs_tenable·2025-05-14·CVSS 9.8
[CRITICAL] CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
Bleepingcomputer
Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
blogs_bleepingcomputer·2025-04-11·CVSS 9.8
[CRITICAL] Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
By Sergiu Gatlan
Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
Earlier this week, Fortinet began sending emails to customers warning that their FortiGate/FortiOS devices were compromised based on telemetry received from FortiGuard devices.
These emails were titled "Notification of device compromise - FortiGate / FortiOS - ** Urgent action required **," given a TLP:AMBER+STRICT designation.
"This issue is not related to any new vulnerability. This file was left behind by a threat actor following exploitation of previous known vulnerabilities," the ema
Fortinet
Analysis of Threat Actor Activity | Fortinet Blog
blogs_fortinet·2025-04-10
PSIRT BLOGS
Analysis of Threat Actor Activity
By Carl Windsor | April 10, 2025
As a driving force in the evolution of cybersecurity, Fortinet has long been at the forefront of the industry in embracing and advocating for cybersecurity best practices. We are committed to being a role model for ethical product development and vulnerability disclosure, which includes embracing responsible transparency, holding ourselves to robust disclosure practices, and adhering to international and industry-recognized standards. Fortinet continues to collaborate with the industry to develop and implement stronger practices and standards for the benefit of all our customers, including through ongoing threat research, delivering automatic upgrade features, cybersecurity training and education, and responsi
Fortinet
Analysis of Threat Actor Data Posting | Fortinet Blog
blogs_fortinet·2025-01-16
PSIRT BLOGS
Analysis of Threat Actor Data Posting
By Carl Windsor | January 16, 2025
Affected Platforms: FortiOS 7.0.0 – 7.0.6 and 7.2.0 – 7.2.1
Impacted Users: Various
Impact: Configuration and VPN Password Exposure
Severity Level: High
Executive Summary
Fortinet is aware of a posting by a threat actor which claims to offer compromised configuration and VPN credentials from FortiGate devices. Based on our analysis, the data involved is a resharing of data from previous incidents from dates prior to November 2022 and is not related to any recent incident or advisory. The following provides factual information to help our customers better understand the situation and make informed decisions.
Threat Actor Posting
Fortinet discovered the posting on a forum via the FortiRecon Dark Web Ac
Tenable
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
blogs_tenable·2025-01-14·CVSS 9.8
[CRITICAL] CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
Bleepingcomputer
MirrorFace hackers targeting Japanese govt, politicians since 2019
blogs_bleepingcomputer·2025-01-09·CVSS 9.8
[CRITICAL] MirrorFace hackers targeting Japanese govt, politicians since 2019
## MirrorFace hackers targeting Japanese govt, politicians since 2019
## Bill Toulas
The National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed "MirrorFace" hacking group.
The campaign has been underway since 2019 and is still ongoing, while the Japanese investigators have observed distinct phases with differentiation of targets and attack methods.
In all cases, the primary goal is to steal information on valuable and advanced Japanese technology and gather national security intelligence.
MirrorFace, also known as "Earth Kasha," was previously observed by ESET conducting attacks on Japanese politicians before elections, using phishing emails to deploy a credential stealer dubb
Sentinelone
RansomHub
blogs_sentinelone·2025-01-08
RansomHub
Wiz
Crying Out Cloud - December 2024 Newsletter | Wiz
blogs_wiz·2024-12-12·CVSS 9.3
CVE-2024-0012 [CRITICAL] Crying Out Cloud - December 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities.
Here are our top picks!
🔍 Highlights
RCE Vulnerability in PAN-OS
Palo Alto Networks has confirmed the active exploitation of a critical remote code execution vulnerability chain (CVE-2024-0012, CVE-2024-9474) in the PAN-OS management interface. This vulnerability allows an unauthenticated attacker with network access to the management interface to bypass authentication, obtain administrator privileges, and perform administrative actions. Exploitation has been observed since November 17, 2024.
Learn more in our blog.
🐞 High Profile Vulnerabilities
Critical Vulnerability in Spring WebFlux
A critical vulnerability, CVE-2024-38821, was identifie
Trendmicro
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
blogs_trendmicro·2024-11-19
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
APT & Targeted Attacks
## Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. We have identified a new campaign connected to this group with significant updates to their strategy, tactics, and arsenals.
By: Trend Micro | Nov 19, 2024
This blog is based on a presentation by the authors at Virus Bulletin 2024.
Possible Cracked Version of Cobalt Strike
In the early incidents above, Earth Kasha also used Cobalt Strike. Like other adversaries, Cobalt Strike is designed to be executed only in memory. In this case, Earth Kasha used a shellcode loader written in Go, which
Trendmicro
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
blogs_trendmicro·2024-11-19
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
APT & Targeted Attacks
# Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. We have identified a new campaign connected to this group with significant updates to their strategy, tactics, and arsenals.
By: Trend Micro | 2024/11/19
This blog is based on a presentation by the authors at Virus Bulletin 2024.
## Introduction
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. While some vendors suspect that the actor using LODEINFO might be APT10, we don’t have enough evidence to fully support t
Tenable
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
blogs_tenable·2024-11-19
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
Tenable
Cybersecurity Snapshot: Five Eyes Rank 2023’s Most Frequently Exploited CVEs, While CSA Publishes Framework for AI System Audits
blogs_tenable·2024-11-15
Cybersecurity Snapshot: Five Eyes Rank 2023’s Most Frequently Exploited CVEs, While CSA Publishes Framework for AI System Audits
Bleepingcomputer
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
blogs_bleepingcomputer·2024-11-12·CVSS 10.0
[CRITICAL] FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## Sergiu Gatlan
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned.
"In 2023, the majority of the most frequently exploited vulnerabilities
Bleepingcomputer
Fortinet warns of new critical FortiManager flaw used in zero-day attacks
blogs_bleepingcomputer·2024-10-23·CVSS 9.8
CVE-2024-47575 [CRITICAL] Fortinet warns of new critical FortiManager flaw used in zero-day attacks
## Fortinet warns of new critical FortiManager flaw used in zero-day attacks
## Lawrence Abrams
Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices.
The company privately warned FortiManager customers about the flaw starting October 13th in advanced notification emails seen by BleepingComputer that contained steps to mitigate the flaw until a security update was released.
However, news of the vulnerability began leaking online throughout the week by customers on Reddit and by cybersecurity researcher Kevin Beaumont on Mastodon, who calls this flaw "FortiJump."
Fortinet device admins have also sh
Bleepingcomputer
Google: 70% of exploited flaws disclosed in 2023 were zero-days
blogs_bleepingcomputer·2024-10-16
Google: 70% of exploited flaws disclosed in 2023 were zero-days
## Google: 70% of exploited flaws disclosed in 2023 were zero-days
## Bill Toulas
Google Mandiant security analysts warn of a worrying new trend of threat actors demonstrating a better capability to discover and exploit zero-day vulnerabilities in software.
Specifically, of the 138 vulnerabilities disclosed as actively exploited in 2023, Mandiant says 97 (70.3%) were leveraged as zero-days.
This means that threat actors exploited the flaws in attacks before the impacted vendors knew of the bugs existence or had been able to patch them.
From 2020 until 2022, the ratio between n-days (fixed flaws) and zero-days (no fix available) remained relatively steady at 4:6, but in 2023, the ratio shifted to 3:7.
Google explains that this is not due to a drop in the number of n-days exploited in
Tenable
Cybersecurity Snapshot: RansomHub Group Triggers CISA Warning, While FBI Says North Korean Hackers Are Targeting Crypto Orgs
blogs_tenable·2024-09-06
Cybersecurity Snapshot: RansomHub Group Triggers CISA Warning, While FBI Says North Korean Hackers Are Targeting Crypto Orgs
Bleepingcomputer
Exploit released for maximum severity Fortinet RCE bug, patch now
blogs_bleepingcomputer·2024-05-28·CVSS 10.0
CVE-2024-23108 [CRITICAL] Exploit released for maximum severity Fortinet RCE bug, patch now
## Exploit released for maximum severity Fortinet RCE bug, patch now
## Sergiu Gatlan
Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February.
Tracked as CVE-2024-23108, this security flaw is a command injection vulnerability discovered and reported by Horizon3 vulnerability expert Zach Hanley that enables remote command execution as root without requiring authentication.
"Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests," Fortinet says.
CVE-2024-23108 impacts
Tenable
CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability
blogs_tenable·2024-03-14·CVSS 9.8
[CRITICAL] CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability
Bleepingcomputer
Fortinet warns of critical RCE bug in endpoint management software
blogs_bleepingcomputer·2024-03-13·CVSS 8.1
CVE-2023-48788 [HIGH] Fortinet warns of critical RCE bug in endpoint management software
## Fortinet warns of critical RCE bug in endpoint management software
## Sergiu Gatlan
Fortinet patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers.
FortiClient EMS enables admins to manage endpoints connected to an enterprise network, allowing them to deploy FortiClient software and assign security profiles on Windows devices.
The security flaw (CVE-2023-48788) is an SQL injection in the DB2 Administration Server (DAS) component, which was discovered and reported by the UK's National Cyber Security Centre (NCSC) and Fortinet developer Thiago Santana.
It impacts FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2), and it allows
Bleepingcomputer
New Fortinet RCE bug is actively exploited, CISA confirms
blogs_bleepingcomputer·2024-02-09·CVSS 10.0
CVE-2024-21762 [CRITICAL] New Fortinet RCE bug is actively exploited, CISA confirms
## New Fortinet RCE bug is actively exploited, CISA confirms
## Sergiu Gatlan
CISA confirmed today that attackers are actively exploiting a critical remote code execution (RCE) bug patched by Fortinet on Thursday.
The flaw (CVE-2024-21762) is due to an out-of-bounds write weakness in the FortiOS operating system and the FortiProxy secure web proxy that can let unauthenticated attackers execute arbitrary code remotely using maliciously crafted HTTP requests.
Admins who can't immediately deploy security updates to patch vulnerable appliances can remove the attack vector by disabling SSL VPN on the device.
CISA's announcement comes one day after Fortinet published a security advisory saying the flaw was "potentially being exploited in the wild."
While the company has yet to share more d
Tenable
CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
blogs_tenable·2024-02-09·CVSS 9.8
[CRITICAL] CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
Fortinet
The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities | Fortinet Blog
blogs_fortinet·2024-02-07·CVSS 9.8
[CRITICAL] The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities | Fortinet Blog
PSIRT BLOGS
The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities
By Carl Windsor, Guillaume Lovet, Wilfried Djettchou, Hongkei Chan and Alex Kong | February 07, 2024
Affected Platforms: FortiGate
Impacted Users: Government, service provider, consultancy, manufacturing, and large critical infrastructure organizations
Impact: Data loss and OS and file corruption
Severity Level: High
Executive Summary
The following supplementary research provides an analysis of the exploitation of resolved N-Day Fortinet vulnerabilities. "N-Day vulnerabilities" refer to known vulnerabilities for which a patch or fix is available but for which organizations have not yet resolved via patching.
Fortinet continues to monitor ongoing activity by threat actors targeting known,
Checkpoint
10th July – Threat Intelligence Report
blogs_checkpoint·2023-07-10
CVE-2023-36934 10th July – Threat Intelligence Report
## 10th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th July, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
Japan’s Port of Nagoya, which handles 10% of Japan’s trade volume, has shut down its activity for 2 days after being hit by a ransomware attack. The port’s management attributed the attack to LockBit ransomware group.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit
Wiz
Crying Out Cloud - June's Newsletter | Wiz
blogs_wiz·2023-07-03·CVSS 9.8
[CRITICAL] Crying Out Cloud - June's Newsletter | Wiz
The past month has brought a series of vulnerabilities and security incidents that have left users affected. Amidst the noise, we've taken it upon ourselves to curate the most significant developments for you.
Here are our top picks of cloud security highlights!
## ✨ Highlights
## Three MOVEit Transfer vulnerabilities
Since May 31, 2023, Progress has been publishing details of vulnerabilities in MOVEit Transfer. Some of these vulnerabilities are known to have been exploited in-the-wild by the Cl0p ransomware group. Users are urgently advised to patch to the latest fixed version. MOVEit Transfer is a Windows-Server-based managed file transfer (MFT) service developed by Ipswitch, a subsidiary of Progress.
An SQL injection vulnerability (CVE-2023-34362) was found in the MOVEit Transfer w
Checkpoint
19th June – Threat Intelligence Report
blogs_checkpoint·2023-06-19
CVE-2023-35708 19th June – Threat Intelligence Report
## 19th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 19th June, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
The Louisiana Office of Motor Vehicles (OMV) and the Oregon DMV Services have released statements warning US citizens of a data breach exposing millions of driver’s licenses. This comes after the Clop ransomware gang had hacked the agencies’ MOVEit Transfer security file transfer systems and stole the stored data.
Check Point IP
Krebs
CISA Order Highlights Persistent Risk at Network Edge
blogs_krebs·2023-06-15
CISA Order Highlights Persistent Risk at Network Edge
The U.S. government agency in charge of improving the nation’s cybersecurity posture is ordering all federal agencies to take new measures to restrict access to Internet-exposed networking equipment. The directive comes amid a surge in attacks targeting previously unknown vulnerabilities in widely used security and networking appliances.
Under a new order from the Cybersecurity and Infrastructure Security Agency (CISA), federal agencies will have 14 days to respond to any reports from CISA about misconfigured or Internet-exposed networking equipment. The directive applies to any networking devices — such as firewalls, routers and load balancers — that allow remote authentication or administration.
The order requires federal departments to limit access so that only authorized users on an
Fortinet
Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog
blogs_fortinet·2023-06-12·CVSS 9.8
CVE-2023-27997 [CRITICAL] Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog
PSIRT BLOGS
Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign
By Carl Windsor | June 12, 2023
Affected Platforms: FortiOS
Impacted Users: Targeted at government, manufacturing, and critical infrastructure
Impact: Data loss and OS and file corruption
Severity Level: Critical
Today, Fortinet published a CVSS Critical PSIRT Advisory (FG-IR-23-097 / CVE-2023-27997) along with several other SSL-VPN related fixes. This blog adds context to that advisory, providing our customers with additional details to help them make informed, risk-based decisions, and provides our perspective relative to recent events involving malicious actor activity.
The following write-up details our initial investigation into the incident that led to the discovery of this vulnerability and additi
Tenable
CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)
blogs_tenable·2023-06-12·CVSS 9.8
[CRITICAL] CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)
Fortinet
Perspectives: FortiNAC and CVE-2022-39952 | Fortinet Blog
blogs_fortinet·2023-02-23·CVSS 9.8
CVE-2022-39952 [CRITICAL] Perspectives: FortiNAC and CVE-2022-39952 | Fortinet Blog
PSIRT BLOGS
Perspectives: FortiNAC and CVE-2022-39952
By Carl Windsor | February 23, 2023
Affected Platforms: FortiNAC
Impacted Users: Execute unauthorized code or commands
Impact: Remote Code Execution
Severity Level: Critical
Fortinet published a Critical Advisory (FG-IR-22-300 / CVE-2022-39952) for FortiNAC on February 16, 2023. This blog adds perspective to that Advisory, providing our customers with additional, accurate details to help them make informed, risk-based decisions.
The Fortinet Product Security Incident Response Team (PSIRT) works diligently to identify bugs before code ships. Even with processes in place that put security at the forefront of the product development lifecycle and a commitment to deliver on the highest security assurance standard, vulnerabilities occur.
Fortinet
Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd | Fortinet Blog
blogs_fortinet·2023-01-11·CVSS 9.8
CVE-2022-42475 [CRITICAL] Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd | Fortinet Blog
PSIRT BLOGS
Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd
By Carl Windsor, Guillaume Lovet, Hongkei Chan, and Alex Kong | January 11, 2023
Affected Platforms: FortiOS
Impacted Users: Government & large organizations
Impact: Data loss and OS and file corruption
Severity Level: High
Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.
Executive Summary
Multiple additional IoCs have been uncovered related to the incident FG-IR-22-398 / CVE-2022-42475
The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.
Incid
Fortinet
Malicious Actor Discloses FortiGate SSL-VPN Credentials
blogs_fortinet·2021-09-08·CVSS 9.1
CVE-2018-13379 [CRITICAL] Malicious Actor Discloses FortiGate SSL-VPN Credentials
PSIRT BLOGS
Malicious Actor Discloses FortiGate SSL-VPN Credentials
By Carl Windsor | September 08, 2021
Fortinet has become aware that a malicious actor has recently disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the actor's scan. While they may have since been patched, if the passwords were not reset, they remain vulnerable.
This incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers. And because customer security is our top priority, Fortinet subsequently issued multiple corporate blog posts detailing this issue, strongly encouraging custom
Fortinet
Securing the Network Edge
blogs_fortinet·2019-04-30
Securing the Network Edge
FORTIGUARD LABS THREAT RESEARCH
Securing the Network Edge
By Aamir Lakhani | April 30, 2019
A New Joint Analysis from the Cyber Threat Alliance Outlines the Growing Threat to the Devices Deployed at the Boundaries, or Edges, of Interconnected Networks
Digital transformation continues to generate new networking environments, from multi-cloud networks to SD-Branches to the emerging 5G-enabled remote edge, comprised of a growing number of physical and virtual devices. At the same time, each of these networked ecosystems is generating and processing an exponentially growing volume of data, applications, and workflows. To accommodate all of this, organizations have had to increase the number of devices deployed at the edges of these networks in order to manage access, orchestrate resourc
Recorded Future
What is an Attack Surface? Meaning and Examples
blogs_recorded_future
What is an Attack Surface? Meaning and Examples
## What is an Attack Surface?
Knowing your attack surface is key to securing your data. It includes all the weak points where attackers might gain unauthorized access to your systems . This article cuts through the complexities to provide a clear understanding of your attack surface and offers straightforward strategies to minimize these vulnerabilities.
## Key Takeaways
The attack surface includes all potential vulnerabilities and entry points that attackers can leverage, divided into digital and physical components, necessitating regular assessment and mitigation to minimize cyber risks .
Attack vectors are methods used to exploit attack surfaces, including weak passwords, outdated software, and social engineering, highlighting the need for a diverse range of security controls to pre
Recorded Future
2023 Threat Analysis and 2024 Predictions | Recorded Future
blogs_recorded_future
2023 Threat Analysis and 2024 Predictions | Recorded Future
## 2023 Threat Analysis and 2024 Predictions
Check out our on-demand Annual Report webinar or read on for a summary of key topics and themes in the report.
2023 was a year in which cybercrime evolved in significant ways. Our 2023 annual report serves as a playbook of adversaries’ tactics, techniques, and procedures (TTPs) in 2023, with the goal of giving your security team a 360-degree view of the threat landscape. And with its predictions for 2024, the report also offers a roadmap for your enterprise. No matter where you are in your security journey, you’ll find the information you need to develop more effective security operations and strategies.
## The influence of macro trends on the cyber threat landscape.
The report begins by reviewing key trends and events in technology, geopoli
Sentinelone
RansomHub
blogs_sentinelone
RansomHub
## RansomHub Ransomware: In-Depth Analysis, Detection, and Mitigation
## What Is RansomHub Ransomware?
RansomHub operations were first observed in February of 2024. Since then, the group has drawn heavily upon its ability to recruit and attract operators from other, sometimes imploding, extortion operations. Upon the collapse of ALPHV, for example, multiple affiliates migrated to RansomHub, hoping to monetize their stolen data through them. RansomHub has been associated with the re-extortion of ransomware victims, including high-value healthcare organizations. Primary operators behind RansomHub have openly recruited affiliates from other ransomware operations via their various communication channels, including DLS sites, forum posts, and Telegram.
Operating primarily as a Ransomware-as-
Recorded Future
Fortinet CVE-2023-27997: Impact and Mitigation Techniques
blogs_recorded_future·CVSS 9.8
CVE-2023-27997 [CRITICAL] Fortinet CVE-2023-27997: Impact and Mitigation Techniques
## Fortinet CVE-2023-27997: Impact and Mitigation Techniques
On June 9th, Fortinet began distributing patches for a new critical vulnerability affecting Fortigate SSL VPN firewalls running on FortiOS or FortiProxy. While Fortinet has not yet released detailed information about the nature of the vulnerability, they have assigned a CVSSv3 score of 9.2 and classified it as an unauthenticated remote code execution (RCE) vulnerability based on a heap buffer overflow. Notably, even dual-factor authentication does not help in mitigating this vulnerability.
## Impact and affected versions
Over 200,000 Fortigate firewall instances are reachable from the internet, most likely vulnerable. Although there have been reports indicating that this CVE might have been exploited in a limited number of cas
Greynoiseio
NoiseLetter
blogs_greynoiseio
NoiseLetter
Fortinet
PSIRT Blogs
blogs_fortinet
PSIRT Blogs
PSIRT
Analysis of Single Sign-On Abuse on FortiOS
Fortinet is proactively communicating to customers to share analysis regarding single sign-on (SSO) abuse on FortiOS.
By Carl Windsor January 22, 2026
PSIRT
Product Security Advisory and Analysis: Observed Abuse of FG-IR-19-283
This blog analysis describes the observed abuse and provides additional context so that administrators can confirm they are not impacted, along with guidance based on Fortinet observations to prevent FG-IR-19-283 from being exploited.
By Carl Windsor December 24, 2025
PSIRT
Analysis of Threat Actor Activity
Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency and commits to sharing information with that goal in min
Greynoiseio
GreyNoise Round-Up: Product Updates
blogs_greynoiseio
GreyNoise Round-Up: Product Updates
Zscaler
Remove Ivanti Zero Day Vulnerabilities with Zscaler Private
blogs_zscaler
Remove Ivanti Zero Day Vulnerabilities with Zscaler Private
Huntress
CVE-2023-27997 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 9.8
CVE-2023-27997 [CRITICAL] CVE-2023-27997 Vulnerability: Analysis, Impact, Mitigation | Huntress
## CVE-2023-27997 Vulnerability
Published: 10/20/2026
Written by: Nadine Rozell
## What is CVE-2023-27997 vulnerability?
CVE-2023-27997, frequently referred to as XORtigate, is a critical remote code execution (RCE) vulnerability affecting Fortinet FortiOS and FortiProxy devices.
It is a heap-based buffer overflow located in the SSL-VPN web portal. The flaw allows an unauthenticated, remote attacker to execute arbitrary code or commands on the device by sending specifically crafted HTTP requests. Because this vulnerability is reachable pre-authentication, it bypasses security controls like Multi-Factor Authentication (MFA), making it an extremely dangerous entry point for attackers. It has been assigned a CVSS score of 9.8 (Critical).
## When was it discovered?
CVE-2023-27997 was
NCSC
A method to assess 'forgivable' vs 'unforgivable' vulnerabilities
ncsc·2025-01-28
A method to assess 'forgivable' vs 'unforgivable' vulnerabilities
## A method to assess 'forgivable' vs 'unforgivable' vulnerabilities
Research from the NCSC designed to eradicate vulnerability classes and make the top-level mitigations easier to implement.
## Executive Summary
All systems contain vulnerabilities. In fact, the number of Common Vulnerabilities and Exposures (CVEs) in commodity technology continues to rise. While there are a number of factors that are driving the increasing numbers, the NCSC expect this trend to conti
arXiv
Efficacy of EPSS in High Severity CVEs found in KEV
arxiv_fulltext·2024-11-04
Efficacy of EPSS in High Severity CVEs found in KEV
## Abstract
The Exploit Prediction Scoring System (EPSS) is designed to assess the probability of a vulnerability being exploited in the next 30 days relative to other vulnerabilities. The latest version, based on a research paper published in arXiv, assists defenders in deciding which vulnerabilities to prioritize for remediation. This study evaluates EPSS's ability to predict exploitation before vulnerabilities are actively compromised, focusing on high severity CVEs that are known to have been exploited and included in the CISA KEV catalog. By analyzing EPSS score history, the availability and simplicity of exploits, the system's purpose, and its value as a target for Threat Actors (TAs), this paper examines EPSS's potential and identifies ar
Published: 2023-06-13
Added to CISA KEV: 2023-06-13
Exploited in the wild