CVE-2023-27997
CVE-2023-27997 is a critical-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-06-13). The underlying weakness is classified as CWE-787.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 86% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-06-13)
- EU (EUVD) id: EUVD-2023-31722
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-06-13)
- Weakness: CWE-787
- Affected product: Fortinet Fortiproxy
- Published:
- Last modified:
Description
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
CVE-2023-27997: Fortinet FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow (CVSS 9.8)
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2023-27997 |
| CVSS v3.1 | 9.8 (CRITICAL) |
| EPSS | 85.69% (99.7th percentile) |
| KEV | Yes — added 2023-06-13 |
| EU Exploited | Yes — since 2023-06-13 |
| CWE | CWE-787 (Out-of-bounds Write) / CWE-122 (Heap-based Buffer Overflow) |
| Vendor | Fortinet |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
CVE-2023-27997 is a heap-based buffer overflow vulnerability in the SSL-VPN component of Fortinet FortiOS and FortiProxy. A remote, unauthenticated attacker can exploit this flaw by sending specifically crafted requests to the SSL-VPN endpoint, potentially achieving arbitrary code execution or command execution on the affected device.
Background
Fortinet FortiOS is the operating system powering FortiGate next-generation firewalls, and FortiProxy is a secure web gateway appliance. Both products expose SSL-VPN functionality to provide remote access for users. Given the typical deployment of these devices at network perimeters, the SSL-VPN service is often exposed to the internet, making unauthenticated vulnerabilities in this component especially dangerous.
Root Cause
The vulnerability stems from CWE-787 (Out-of-bounds Write), specifically manifesting as CWE-122 (Heap-based Buffer Overflow). The SSL-VPN handler fails to properly validate the size or content of incoming request data before writing it to a heap-allocated buffer. When an attacker sends a crafted request with an oversized or malformed payload, the buffer bounds are exceeded, corrupting adjacent heap metadata or objects. This can overwrite function pointers, vtable entries, or other sensitive control structures, ultimately leading to arbitrary code execution.
Impact
- Confidentiality: HIGH — an attacker can read sensitive data from memory or the filesystem.
- Integrity: HIGH — an attacker can modify configuration, implant backdoors, or alter logs.
- Availability: HIGH — an attacker can crash the service or render the device unresponsive.
The CVSS v3.1 score of 9.8 (CRITICAL) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects that the vulnerability is:
- Network exploitable (
AV:N) - Requires low attack complexity (
AC:L) - Needs no privileges (
PR:N) - Needs no user interaction (
UI:N)
This is a near-perfect unauthenticated remote code execution scenario.
Exploitation Walkthrough
Ethics caveat: This section describes the attack surface and defensive implications only. No working exploit code is provided.
The vulnerability is reachable through the SSL-VPN service on TCP port 443 (or the configured SSL-VPN port). The attacker sends a crafted HTTP/HTTPS request to the SSL-VPN endpoint with a malformed payload designed to trigger the heap overflow. Because the flaw is in the pre-authentication processing path, no valid credentials or VPN session are required.
Defensive considerations:
- The attack leaves network indicators: unsolicited SSL-VPN requests from unexpected source IPs, followed by anomalous process behavior or crashes.
- Devices with SSL-VPN exposed to the internet are at the highest risk.
- Attackers may chain this vulnerability with other post-exploitation techniques to establish persistence or pivot into internal networks.
Affected and Patched Versions
Affected:
- FortiOS 7.2.4 and below
- FortiOS 7.0.11 and below
- FortiOS 6.4.12 and below
- FortiOS 6.0.16 and below
- FortiProxy 7.2.3 and below
- FortiProxy 7.0.9 and below
- FortiProxy 2.0.12 and below
- FortiProxy 1.2 (all versions)
- FortiProxy 1.1 (all versions)
Patched: Versions above the affected ranges. Fortinet released updates; consult the Fortinet PSIRT advisory for specific upgrade paths.
Remediation
- Upgrade immediately. Patch to a version above the affected ranges. Given the CVSS 9.8 score and confirmed active exploitation, this is a Priority 1 patching activity.
- Disable SSL-VPN if unused. If the SSL-VPN feature is not required, disable it to eliminate the attack surface entirely.
- Restrict access. If SSL-VPN must remain enabled, restrict access to the SSL-VPN interface via firewall rules or dedicated management interfaces. Do not expose SSL-VPN to the internet unless absolutely necessary.
- Enable MFA. For all remaining SSL-VPN users, enforce multi-factor authentication (this does not block the vulnerability itself but raises the bar for follow-on access).
- Monitor for compromise. Review logs for anomalous SSL-VPN activity and scan for indicators of compromise (IoCs) related to this vulnerability.
Detection
- Network: Monitor for unexpected SSL-VPN requests from unknown or suspicious source IPs, especially large or malformed payloads.
- Endpoint: On FortiGate/FortiProxy, monitor for unexpected process crashes, high memory usage, or unauthorized CLI commands.
- Log correlation: Correlating SSL-VPN access logs with authentication failures and subsequent successful logins may reveal exploitation attempts.
- Threat intelligence: Leverage the CISA Known Exploited Vulnerabilities (KEV) catalog and EUVD-2023-31722 for updated IoCs.
Assessment
- Exploitation probability: Extremely high. EPSS is 85.69% (99.7th percentile), and the vulnerability has been actively exploited since its disclosure date (2023-06-13).
- Risk: Any internet-facing FortiOS/FortiProxy SSL-VPN endpoint running an affected version should be treated as compromised until proven otherwise.
- Lessons: (1) SSL-VPN remains a high-value attack surface for state-sponsored and ransomware actors; minimizing internet exposure and maintaining aggressive patching cadences are essential. (2) The high EPSS and KEV status confirm that CVSS 9.8+ network vulnerabilities in perimeter devices are almost always exploited at scale shortly after disclosure.
References
Frequently asked questions
- What is CVE-2023-27997?
- A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
- How severe is CVE-2023-27997?
- CVE-2023-27997 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-27997 being actively exploited?
- Yes. CVE-2023-27997 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-06-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-27997?
- CVE-2023-27997 primarily affects Fortinet Fortiproxy. In total, 13 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-27997?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-27997 have an EU (EUVD) identifier?
- Yes. CVE-2023-27997 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-31722. It is also flagged as exploited in the EUVD (since 2023-06-13).
- When was CVE-2023-27997 published?
- CVE-2023-27997 was published on 2023-06-13 and last updated on 2026-06-17.
References
- https://fortiguard.com/psirt/FG-IR-23-097
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27997
Affected products (13)
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.0.10:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.2.4:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.2.6:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.2.7:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.4.6:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.4.8:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.4.10:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:6.4.12:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:7.0.10:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortiproxy
- CVE-2026-24858 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet…
- CVE-2025-59718 — Critical (CVSS 9.8): A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0…
- CVE-2025-22252 — Critical (CVSS 9.8): A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager…
- CVE-2023-25610 — Critical (CVSS 9.8): A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version…
- CVE-2024-55591 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0…
- CVE-2023-42789 — Critical (CVSS 9.8): A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through…
All CVEs affecting Fortinet Fortiproxy →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…