CVE-2023-27997

Vulnerability updated 5 months ago (2024-11-29T14:34:07.770Z)

Download STIX

Preview STIX

CVE-2023-27997 is a critical vulnerability (with a CVSS score of 9.2) in FortiOS and FortiProxy, which could lead to remote code execution (RCE). This flaw, discovered in the software design or implementation, was reportedly exploited by Volt Typhoon, a state-sponsored actor based in China, as part of their LODEINFO Campaign #2 in 2023. The exploit was also found being used against other enterprise products such as Array AG (CVE-2023-28461) and Proself (CVE-2023-45727), highlighting a trend of these vulnerabilities being abused in the wild. Earlier in the month, Fortinet acknowledged that CVE-2023-27997 may have been abused in limited attacks targeting government, manufacturing, and critical infrastructure sectors. A subsequent scan of public internet-exposed Fortinet FortiOS and FortiProxy SSL-VPNs interfaces by Bishop Fox security researchers revealed that 69% of the total 490,000 interfaces scanned were vulnerable to this RCE vulnerability. Over 300,000 Fortinet firewalls were found to be at risk due to this vulnerability, adding to the concerns for Fortinet users. Despite Fortinet releasing security updates to patch the issue, more than 300,000 of FortiGate firewalls still remain unpatched against this critical remote execution flaw almost a month after the update. Among the 489,337 devices discovered by the query, there were varying degrees of vulnerability to CVE-2023-27997, known as Xortigate. Check Point IPS provides protection against this threat, however, the continued active exploitation of this vulnerability necessitates urgent attention and remediation from all Fortinet users.

Description last updated: 2024-11-21T10:28:40.621Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vulnerability

Fortinet

Fortios

Exploit

Fortigate

Fortiproxy

exploited

Vpn

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Volt Typhoon Threat Actor is associated with CVE-2023-27997. Volt Typhoon, a state-sponsored threat actor based in China, has been identified as a significant cybersecurity risk to critical infrastructure sectors in the United States. According to Microsoft and the Five Eyes cybersecurity and intelligence agencies, Volt Typhoon has compromised IT environments	Unspecified	4

Source Document References

Information about the CVE-2023-27997 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Canadian Centre for Cyber Security	7 days ago	Compromise and persistent access of Fortinet FortiOS products (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762) - Canadian Centre for Cyber Security
Securityaffairs	9 days ago	Symbolic Link trick lets attackers bypass FortiGate patches, Fortinet warns
CISA	10 days ago	Fortinet Releases Advisory on New Post-Exploitation Technique for Known Vulnerabilities \| CISA
Recorded Future	4 months ago	Speed and Scale: How Threat Volume and Velocity Shape Cyber Risk Narratives for Governance Bodies
Trend Micro	5 months ago	Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
CISA	5 months ago	2023 Top Routinely Exploited Vulnerabilities \| CISA
CISA	8 months ago	#StopRansomware: RansomHub Ransomware \| CISA
CISA	9 months ago	North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs \| CISA
Recorded Future	a year ago	2023 Threat Analysis and 2024 Predictions \| Recorded Future
DARKReading	a year ago	Patch Now: Critical Fortinet RCE Bug Under Active Attack
SANS ISC	a year ago	Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability - SANS Internet Storm Center
CISA	a year ago	Siemens RUGGEDCOM APE1808 with Fortigate NGFW Devices \| CISA
DARKReading	a year ago	Fortinet Warns of Yet Another Critical RCE Flaw
Recorded Future	a year ago	Fortinet CVE-2023-27997: Impact and Mitigation Techniques
CERT-EU	2 years ago	Heimdal®’s Semiannual Rundown of the Most Exploited Vulnerabilities of 2023
CERT-EU	2 years ago	Unpatched Fortinet Vulnerability Being Exploited by Threat Actors
Checkpoint	2 years ago	10th July – Threat Intelligence Report - Check Point Research
CERT-EU	2 years ago	Cyber Security Week in Review: July 7, 2023
CERT-EU	2 years ago	Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
CERT-EU	2 years ago	335,000 Fortinet FortiGate firewalls used in the world could be hacked to install ransomware