CVE-2023-27997

CVE-2023-27997 is a critical-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-06-13). The underlying weakness is classified as CWE-787.

Key facts

Description

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

CVE-2023-27997: Fortinet FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow (CVSS 9.8)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2023-27997
CVSS v3.1 9.8 (CRITICAL)
EPSS 85.69% (99.7th percentile)
KEV Yes — added 2023-06-13
EU Exploited Yes — since 2023-06-13
CWE CWE-787 (Out-of-bounds Write) / CWE-122 (Heap-based Buffer Overflow)
Vendor Fortinet
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

CVE-2023-27997 is a heap-based buffer overflow vulnerability in the SSL-VPN component of Fortinet FortiOS and FortiProxy. A remote, unauthenticated attacker can exploit this flaw by sending specifically crafted requests to the SSL-VPN endpoint, potentially achieving arbitrary code execution or command execution on the affected device.

Background

Fortinet FortiOS is the operating system powering FortiGate next-generation firewalls, and FortiProxy is a secure web gateway appliance. Both products expose SSL-VPN functionality to provide remote access for users. Given the typical deployment of these devices at network perimeters, the SSL-VPN service is often exposed to the internet, making unauthenticated vulnerabilities in this component especially dangerous.

Root Cause

The vulnerability stems from CWE-787 (Out-of-bounds Write), specifically manifesting as CWE-122 (Heap-based Buffer Overflow). The SSL-VPN handler fails to properly validate the size or content of incoming request data before writing it to a heap-allocated buffer. When an attacker sends a crafted request with an oversized or malformed payload, the buffer bounds are exceeded, corrupting adjacent heap metadata or objects. This can overwrite function pointers, vtable entries, or other sensitive control structures, ultimately leading to arbitrary code execution.

Impact

  • Confidentiality: HIGH — an attacker can read sensitive data from memory or the filesystem.
  • Integrity: HIGH — an attacker can modify configuration, implant backdoors, or alter logs.
  • Availability: HIGH — an attacker can crash the service or render the device unresponsive.

The CVSS v3.1 score of 9.8 (CRITICAL) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects that the vulnerability is:

  • Network exploitable (AV:N)
  • Requires low attack complexity (AC:L)
  • Needs no privileges (PR:N)
  • Needs no user interaction (UI:N)

This is a near-perfect unauthenticated remote code execution scenario.

Exploitation Walkthrough

Ethics caveat: This section describes the attack surface and defensive implications only. No working exploit code is provided.

The vulnerability is reachable through the SSL-VPN service on TCP port 443 (or the configured SSL-VPN port). The attacker sends a crafted HTTP/HTTPS request to the SSL-VPN endpoint with a malformed payload designed to trigger the heap overflow. Because the flaw is in the pre-authentication processing path, no valid credentials or VPN session are required.

Defensive considerations:

  • The attack leaves network indicators: unsolicited SSL-VPN requests from unexpected source IPs, followed by anomalous process behavior or crashes.
  • Devices with SSL-VPN exposed to the internet are at the highest risk.
  • Attackers may chain this vulnerability with other post-exploitation techniques to establish persistence or pivot into internal networks.

Affected and Patched Versions

Affected:

  • FortiOS 7.2.4 and below
  • FortiOS 7.0.11 and below
  • FortiOS 6.4.12 and below
  • FortiOS 6.0.16 and below
  • FortiProxy 7.2.3 and below
  • FortiProxy 7.0.9 and below
  • FortiProxy 2.0.12 and below
  • FortiProxy 1.2 (all versions)
  • FortiProxy 1.1 (all versions)

Patched: Versions above the affected ranges. Fortinet released updates; consult the Fortinet PSIRT advisory for specific upgrade paths.

Remediation

  1. Upgrade immediately. Patch to a version above the affected ranges. Given the CVSS 9.8 score and confirmed active exploitation, this is a Priority 1 patching activity.
  2. Disable SSL-VPN if unused. If the SSL-VPN feature is not required, disable it to eliminate the attack surface entirely.
  3. Restrict access. If SSL-VPN must remain enabled, restrict access to the SSL-VPN interface via firewall rules or dedicated management interfaces. Do not expose SSL-VPN to the internet unless absolutely necessary.
  4. Enable MFA. For all remaining SSL-VPN users, enforce multi-factor authentication (this does not block the vulnerability itself but raises the bar for follow-on access).
  5. Monitor for compromise. Review logs for anomalous SSL-VPN activity and scan for indicators of compromise (IoCs) related to this vulnerability.

Detection

  • Network: Monitor for unexpected SSL-VPN requests from unknown or suspicious source IPs, especially large or malformed payloads.
  • Endpoint: On FortiGate/FortiProxy, monitor for unexpected process crashes, high memory usage, or unauthorized CLI commands.
  • Log correlation: Correlating SSL-VPN access logs with authentication failures and subsequent successful logins may reveal exploitation attempts.
  • Threat intelligence: Leverage the CISA Known Exploited Vulnerabilities (KEV) catalog and EUVD-2023-31722 for updated IoCs.

Assessment

  • Exploitation probability: Extremely high. EPSS is 85.69% (99.7th percentile), and the vulnerability has been actively exploited since its disclosure date (2023-06-13).
  • Risk: Any internet-facing FortiOS/FortiProxy SSL-VPN endpoint running an affected version should be treated as compromised until proven otherwise.
  • Lessons: (1) SSL-VPN remains a high-value attack surface for state-sponsored and ransomware actors; minimizing internet exposure and maintaining aggressive patching cadences are essential. (2) The high EPSS and KEV status confirm that CVSS 9.8+ network vulnerabilities in perimeter devices are almost always exploited at scale shortly after disclosure.

References

Frequently asked questions

What is CVE-2023-27997?
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.
How severe is CVE-2023-27997?
CVE-2023-27997 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-27997 being actively exploited?
Yes. CVE-2023-27997 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-06-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-27997?
CVE-2023-27997 primarily affects Fortinet Fortiproxy. In total, 13 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-27997?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-27997 have an EU (EUVD) identifier?
Yes. CVE-2023-27997 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-31722. It is also flagged as exploited in the EUVD (since 2023-06-13).
When was CVE-2023-27997 published?
CVE-2023-27997 was published on 2023-06-13 and last updated on 2026-06-17.

References

Affected products (13)

More vulnerabilities in Fortinet Fortiproxy

All CVEs affecting Fortinet Fortiproxy →

Other CWE-787 (Out-of-bounds Write) vulnerabilities

Browse all CWE-787 (Out-of-bounds Write) vulnerabilities →