CVE-2023-27997 - [KEV] - CVSS 9.8
Overview
CVE-2023-27997 is a heap-based buffer overflow vulnerability in the SSL-VPN component of Fortinet FortiOS and FortiProxy. The flaw permits an unauthenticated, remote attacker to execute arbitrary code or commands by sending specifically crafted requests to a vulnerable SSL-VPN interface. With a CVSS score of 9.8 and an EPSS score of 0.891, the vulnerability represents a critical pre-authentication remote code execution risk against internet-facing perimeter devices. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on 2023-06-13, and the entry is flagged as known to be used in ransomware campaigns, with a maturity status of widespread exploitation.
Affected Products
- Fortinet FortiOS (SSL-VPN feature enabled)
- Fortinet FortiProxy (SSL-VPN feature enabled)
- Fortinet FortiGate 6000 series
- Fortinet FortiGate 7000 series
Any FortiGate or FortiProxy appliance exposing the SSL-VPN web portal (typically on TCP/443 or a custom port) should be considered in scope until patched to a fixed firmware build per Fortinet advisory FG-IR-23-097.
Exploitation Evidence
No direct exploitation telemetry, sample artifacts, or campaign indicators are present in the source dataset for this briefing. However, the CVE's inclusion in CISA KEV with a "widespread exploitation" maturity rating and its tagging as ransomware-associated indicate confirmed, repeated abuse in real-world intrusions. Operators of vulnerable devices should treat exposure as actively targeted rather than theoretical.
ATT&CK Mapping
No formal ATT&CK mappings are provided in the source data. Based on the vulnerability class and attack surface, the following techniques are technically applicable and should guide detection engineering:
- T1190 – Exploit Public-Facing Application: Direct exploitation of the internet-exposed SSL-VPN endpoint.
- T1133 – External Remote Services: The SSL-VPN service is the abused remote access vector.
- T1059 – Command and Scripting Interpreter: Likely follow-on post-exploitation activity on the appliance.
- T1068 – Exploitation for Privilege Escalation: Heap overflow yields code execution in the context of the vulnerable service.
Threat Actor Context
No specific threat actor attribution is included in the provided dataset. The CVE's ransomware-associated designation indicates that one or more ransomware operations have leveraged this flaw for initial access; defenders should assume both financially motivated and state-aligned interest in Fortinet SSL-VPN vulnerabilities, consistent with the broader historical targeting pattern of FortiOS edge devices.
Recommended Actions
- Patch immediately: Upgrade to fixed FortiOS versions (6.0.17, 6.2.15, 6.4.13, 7.0.12, 7.2.5 or later) and corresponding fixed FortiProxy versions per Fortinet advisory FG-IR-23-097.
- Mitigate if patching is delayed: Disable the SSL-VPN service on affected appliances until firmware can be updated. Restricting source IPs is insufficient if any untrusted IPs can reach the portal.
- Assume compromise on long-exposed devices: Given widespread exploitation since mid-2023, conduct a forensic review on devices that were unpatched and internet-exposed. Inspect SSL-VPN event logs, system event logs, admin account inventory, local users, scheduled tasks, and unusual configuration changes.
- Rotate credentials and keys: Reset all local administrator passwords, VPN user credentials, pre-shared keys, and certificates associated with the appliance after patching.
- Hunt for post-exploitation activity: Look for anomalous outbound connections from the firewall management plane, new admin accounts, modified VPN portal configurations, and lateral movement from networks reachable via the VPN.
- Reduce attack surface: Where SSL-VPN is required, enforce MFA, restrict portal access via geo/IP allow-listing, and consider migration to ZTNA or IPsec alternatives.
- Monitor Fortinet PSIRT advisories for related and follow-on SSL-VPN vulnerabilities, which have a recurring history on this attack surface.