On Tuesday, March 7, 2023, Fortinet published a security advisory detailing an unauthenticated remote code execution vulnerability affecting FortiOS and FortiProxy (CVE-2023-25610). The vulnerability was internally discovered by Fortinet; as of publication, exploitation has not been observed in the wild and no proof of concept (PoC) exploit has been published publicly.
As demonstrated in CISA’s Known Exploited Vulnerabilities Catalog, threat actors have actively exploited similar Fortinet vulnerabilities in the past in multiple instances. Due to the severity of the vulnerability and the fact that similar vulnerabilities have been weaponized by threat actors, Arctic Wolf strongly recommends upgrading to the latest available versions of FortiOS and FortiProxy on all affected devices.
Recommendations for CVE-2023-25610
Recommendation #1: Upgrade FortiOS and FortiProxy on affected devices
Arctic Wolf strongly recommends upgrading devices running FortiOS as well as FortiProxy appliances to the latest versions to fully remediate the vulnerabilities and prevent potential exploitation.
Product | Impacted Versions | Fixed Versions
--- | --- | ---
FortiOS | 7.2.0 through 7.2.3; 7.0.0 through 7.0.9; 6.4.0 through 6.4.11; 6.2.0 through 6.2.12; 6.0 all versions | 7.4.0 or above; 7.2.4 or above; 7.0.10 or above; 6.4.12 or above; 6.2.13 or above; FortiOS-6K7K 7.0.10 or above; FortiOS-6K7K 6.4.12 or above; FortiOS-6K7K 6.2.13 or above
FortiProxy | 7.2.0 through 7.2.2; 7.0.0 through 7.0.8; 2.0.0 through 2.0.11; 1.2 all versions; 1.1 all versions | 7.2.3 or above; 7.0.9 or above; 2.0.12 or above
Fortinet has noted that certain device models are affected only by a denial of service (DoS) from this vulnerability, and that any device not listed on the advisory that is running a vulnerable version of FortiOS is at risk of remote code execution. Arctic Wolf recommends upgrading all devices running vulnerable versions of FortiOS, regardless of whether they are listed on the advisory as DoS only. For more details on which devices fall into this category, please review the advisory provided by Fortinet.
Note: Arctic Wolf recommends following change management best practices for applying security patches, including testing changes in a testing environment before deploying to production to avoid any operational impact.
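To turn the version table above into a repeatable inventory check, the following script compares FortiOS and FortiProxy version strings against the impacted and fixed ranges it lists. It is an added example, not Fortinet or Arctic Wolf code; the inventory rows are constructed, and the version-string format it parses (a bare `x.y.z`, or a `vX.Y.Z,buildNNNN` prefix as shown in device status output) is an assumption about how versions are recorded.

```python
"""Check FortiOS / FortiProxy firmware versions against the impacted and
fixed ranges for CVE-2023-25610 given in the bulletin's table.  Added
example, not Fortinet or Arctic Wolf code; the inventory is constructed."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Branch:
    product: str
    major_minor: Tuple[int, int]
    # First release of the branch carrying the fix; None means the advisory
    # lists no fixed release in this branch (e.g. "FortiOS 6.0 all versions").
    first_fixed: Optional[Version]


# Transcribed from the Impacted / Fixed Versions table.  FortiOS-6K7K builds
# share the same fixed release numbers, so they are not listed separately.
BRANCHES: List[Branch] = [
    Branch("FortiOS", (7, 4), (7, 4, 0)),      # 7.4.0 or above is fixed
    Branch("FortiOS", (7, 2), (7, 2, 4)),      # 7.2.0 - 7.2.3 impacted
    Branch("FortiOS", (7, 0), (7, 0, 10)),     # 7.0.0 - 7.0.9 impacted
    Branch("FortiOS", (6, 4), (6, 4, 12)),     # 6.4.0 - 6.4.11 impacted
    Branch("FortiOS", (6, 2), (6, 2, 13)),     # 6.2.0 - 6.2.12 impacted
    Branch("FortiOS", (6, 0), None),           # every 6.0 release, no fix
    Branch("FortiProxy", (7, 2), (7, 2, 3)),   # 7.2.0 - 7.2.2 impacted
    Branch("FortiProxy", (7, 0), (7, 0, 9)),   # 7.0.0 - 7.0.8 impacted
    Branch("FortiProxy", (2, 0), (2, 0, 12)),  # 2.0.0 - 2.0.11 impacted
    Branch("FortiProxy", (1, 2), None),        # every 1.2 release, no fix
    Branch("FortiProxy", (1, 1), None),        # every 1.1 release, no fix
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Version:
    """Extract major.minor.patch from '7.0.9' or 'v7.0.9,build0444'
    (assumed formats; any build suffix is ignored)."""
    m = _VERSION_RE.search(raw)
    if not m:
        raise ValueError(f"no x.y.z version found in {raw!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(product: str, raw_version: str) -> Tuple[str, Optional[Version]]:
    """Return (status, first_fixed): status is 'fixed', 'impacted' or
    'not_listed'.  For an impacted device first_fixed is the upgrade target
    in the same branch, or None when that branch has no fixed release."""
    v = parse_version(raw_version)
    for b in BRANCHES:
        if b.product != product or b.major_minor != v[:2]:
            continue
        if b.first_fixed is not None and v >= b.first_fixed:
            return "fixed", b.first_fixed
        # Anything below the first fixed release, or any release of a branch
        # with no fix, is impacted.
        return "impacted", b.first_fixed
    # A branch the advisory does not name needs a manual check; it must not
    # be reported as safe by default.
    return "not_listed", None


def report(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """inventory rows are (hostname, product, raw version string)."""
    lines = []
    for host, product, raw in inventory:
        status, fixed = assess(product, raw)
        if status == "impacted":
            target = ".".join(map(str, fixed)) if fixed else "a supported branch (no fix in this branch)"
            lines.append(f"{host}: {product} {raw} IMPACTED -> upgrade to {target}")
        elif status == "fixed":
            lines.append(f"{host}: {product} {raw} fixed")
        else:
            lines.append(f"{host}: {product} {raw} not listed in advisory, check manually")
    return lines


if __name__ == "__main__":
    SAMPLE_INVENTORY = [  # constructed
        ("fw-edge-1", "FortiOS", "v7.0.9,build0444"),
        ("fw-edge-2", "FortiOS", "7.2.4"),
        ("fw-legacy", "FortiOS", "6.0.15"),
        ("proxy-1", "FortiProxy", "7.0.8"),
        ("fw-new", "FortiOS", "7.4.0"),
    ]
    print("\n".join(report(SAMPLE_INVENTORY)))
```

Devices on a branch with no fixed release (FortiOS 6.0, FortiProxy 1.1 and 1.2) are reported as impacted with no in-branch target, which matches the bulletin's point that the only remediation there is moving to a supported branch.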
Recommendation #2: Do not expose management interfaces to the public internet
The management interface described in this bulletin should never be listening on a public interface. To avoid being targeted in a mass automated exploitation campaign, we recommend that organizations review their firewall configurations and ensure that no such devices are exposed publicly.
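One way to carry out the configuration review described above is to audit the interface section of a FortiOS configuration dump for WAN-role interfaces that admit an administrative service. The script below is an added example, not Arctic Wolf or Fortinet code: the configuration text is constructed, and the `config system interface`, `set allowaccess` and `set role` CLI settings it reads are FortiOS keywords that the bulletin itself does not describe.

```python
"""Audit the 'config system interface' section of a FortiOS configuration
dump for WAN-role interfaces that expose an administrative service.  Added
example, not Arctic Wolf or Fortinet code; the sample configuration is
constructed and the CLI keywords used are not described in the bulletin."""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Services that present an administrative login; 'ping' and 'fgfm' do not.
MGMT_SERVICES = {"http", "https", "ssh", "telnet"}


@dataclass
class Interface:
    name: str
    role: str = "undefined"
    allowaccess: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Read interface name, role and allowaccess from the system interface
    section, skipping nested sub-blocks such as 'config ipv6 ... end'."""
    interfaces: Dict[str, Interface] = {}
    in_section = False
    depth = 0
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system interface"
            continue
        if line.startswith("config "):      # nested block inside an entry
            depth += 1
            continue
        if line == "end":
            if depth == 0:
                break                        # end of the interface section
            depth -= 1
            continue
        if depth:                            # settings of a nested block
            continue
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = Interface(m.group(1))
            interfaces[current.name] = current
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set role "):
            current.role = line.split()[2]
        elif current is not None and line.startswith("set allowaccess "):
            current.allowaccess = line.split()[2:]
    return interfaces


def audit(config: str) -> Dict[str, List[str]]:
    """'exposed': WAN-role interfaces admitting a management service.
    'review': interfaces with management access but no role set, whose
    exposure cannot be decided from the configuration alone."""
    exposed, review = [], []
    for iface in parse_interfaces(config).values():
        if not MGMT_SERVICES & set(iface.allowaccess):
            continue
        if iface.role == "wan":
            exposed.append(iface.name)
        elif iface.role == "undefined":
            review.append(iface.name)
    return {"exposed": sorted(exposed), "review": sorted(review)}


# Constructed configuration fragment (RFC 5737 documentation address).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-1"
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "wan2"
        set allowaccess ping fgfm
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh http fgfm
        set role lan
    next
    edit "mgmt"
        set allowaccess https ssh
    next
end
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Interfaces with management services but no role are listed separately rather than ignored, since an untagged interface may still sit on a public segment; those need a check against the routing and address plan rather than an automatic pass.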
Recommendation #3: Explore Optional Workaround
If a patch cannot be applied to devices running FortiOS, Fortinet has provided a workaround in their advisory that can be applied on the appliances directly. See the advisory for detailed instructions.