What is CVE-2023-27997 vulnerability?
CVE-2023-27997, frequently referred to as XORtigate, is a critical remote code execution (RCE) vulnerability affecting Fortinet FortiOS and FortiProxy devices.
It is a heap-based buffer overflow located in the SSL-VPN web portal. The flaw allows an unauthenticated, remote attacker to execute arbitrary code or commands on the device by sending specifically crafted HTTP requests. Because this vulnerability is reachable pre-authentication, it bypasses security controls like Multi-Factor Authentication (MFA), making it an extremely dangerous entry point for attackers. It has been assigned a CVSS score of 9.8 (Critical).
When was it discovered?
CVE-2023-27997 was discovered by security researchers Charles Fol and Dany Bach from the French cybersecurity firm Lexfo. The vulnerability was responsibly disclosed to Fortinet, who released a security advisory (FG-IR-23-097) and patches on June 12, 2023. Public disclosure and technical details followed shortly thereafter, with researchers noting that it may have been exploited in a limited number of cases prior to the public release.
Affected products & versions
The vulnerability affects a wide range of Fortinet products that have the SSL-VPN web portal enabled.
Product | Versions Affected | Fixed Versions / Patch Links |
FortiOS | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
FortiOS | 7.0.0 through 7.0.11 | Upgrade to 7.0.12 or above |
FortiOS | 6.4.0 through 6.4.12 | Upgrade to 6.4.13 or above |
FortiOS | 6.2.0 through 6.2.13 | Upgrade to 6.2.14 or above |
FortiOS | 6.0.0 through 6.0.16 | Upgrade to 6.0.17 or above |
FortiProxy | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
FortiProxy | 7.0.0 through 7.0.9 | Upgrade to 7.0.10 or above |
FortiProxy | 2.0.0 through 2.0.12 | Upgrade to 2.0.13 or above |
CVE-2023-27997 technical description
The vulnerability resides in the way the SSL-VPN portal processes specific HTTP parameters, particularly within the /remote/hostcheck_validate and /remote/logincheck endpoints.
The root cause is a heap-based buffer overflow triggered by an incorrect length check when decoding the enc parameter. The application allocates a buffer based on the input size but fails to validate the payload length correctly due to a truncation error where the length is stored in an 8-bit variable instead of a larger type.
An attacker can exploit this by crafting a request with a payload length that appears valid to the truncated check but actually exceeds the allocated buffer size. This allows the attacker to write data out-of-bounds on the heap. By manipulating the heap layout—often using techniques involving "heap smashing"—attackers can overwrite critical memory structures (such as function pointers or SSL structures) to hijack the execution flow and gain control of the device.
Tactics, Techniques & Procedures (TTPs)
Attackers exploit CVE-2023-27997 primarily for Initial Access and Defense Evasion.
Reconnaissance: Threat actors scan the internet for FortiGate devices returning the Server: xxxxxxxx-xxxxx header or specific SSL certificate details to identify vulnerable firmware versions.
Exploitation: They send malicious HTTP GET or POST requests containing crafted enc parameters to the SSL-VPN interface.
Persistence: Once code execution is achieved, attackers often download lightweight binaries (like BusyBox) to open an interactive shell, allowing them to install webshells, steal configuration files, or move laterally into the internal network.
Indicators of compromise
Detecting this exploit can be challenging because the traffic is encrypted within the SSL-VPN tunnel, but several indicators exist:
System Crashes: Failed exploit attempts often cause the SSL-VPN process or the entire device to crash and reboot. Frequent, unexplained system restarts are a strong indicator.
Suspicious HTTP Requests: Look for requests to /remote/hostcheck_validate or /remote/logincheck with unusually long or malformed enc parameters in web logs.
Unknown Binaries: The presence of unrecognized files or binaries in the /tmp or other temporary directories on the appliance.
Log Anomalies: Review logs for "application crashed" events or unexpected administrative login sessions originating from the device itself.
Known proof-of-concepts & exploits
Proof-of-Concept (PoC) exploits are widely available and have been verified by multiple security firms.
Security researchers at Bishop Fox and WatchTowr developed fully functional exploits shortly after disclosure, demonstrating the ability to smash the heap and open a reverse shell on vulnerable devices. Exploitation campaigns have been observed in the wild, often targeting unpatched edge devices to deploy ransomware or conduct espionage.
How to detect CVE-2023-27997 vulnerability?
Version Checking: The most reliable detection method is to check the firmware version of your FortiGate or FortiProxy device against the "Affected Products" table above. If the version is listed, the device is vulnerable.
Response Header Analysis: Tools can query the HTTP Last-Modified header of the device's web server; dates prior to May/June 2023 suggest an unpatched firmware.
Integrity Checks: Administrators can run the diagnose sys fortiguard-service status or built-in integrity commands to check for unauthorized modifications to the file system.
Impact & risk of CVE-2023-27997 vulnerability
The risk posed by CVE-2023-27997 is Critical.
Successful exploitation grants an attacker Remote Code Execution (RCE) with the highest privileges on the device. Since Fortinet devices often sit at the perimeter of a network, a compromise here provides a perfect bridgehead for attackers to inspect traffic, decrypt VPN connections, steal credentials, and launch attacks against internal servers. It completely bypasses authentication, meaning even strong passwords and MFA offer no defense against the initial exploit.
Mitigation & remediation strategies
The only complete remediation is to patch immediately.
Upgrade Firmware: Update FortiOS or FortiProxy to the latest non-vulnerable version (e.g., 7.4.0, 7.2.5, 7.0.12, 6.4.13).
Disable SSL-VPN: If patching is not immediately possible, the only effective workaround is to disable the SSL-VPN functionality entirely. Firewall rules limiting access to the VPN portal are helpful but do not fix the underlying vulnerability if the port remains accessible to attackers.
CVE-2023-27997 Vulnerability FAQs
CVE-2023-27997 is a critical vulnerability in Fortinet SSL-VPN devices that allows remote code execution (RCE). It works by sending a malicious request that causes a "heap buffer overflow," confusing the device's memory management and allowing the attacker to run their own commands.
It does not "infect" a system like a virus but serves as a doorway for attackers. An attacker sends a specially crafted web request to the VPN login page, which crashes the memory safeguards and allows them to install malware or open a "shell" to control the device.
Yes, it remains a significant threat for any organization running outdated firmware. Because the exploit is public and easy to automate, attackers continue to scan the internet for unpatched Fortinet devices to use as entry points for ransomware attacks.
The primary protection is to upgrade the device firmware to a patched version immediately. If that is not possible, organizations must disable the SSL-VPN feature completely until the update can be applied.
Protect What Matters
