CVE-2023-27997

Summary

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiOS-6K7K7.0.10affected
FortinetFortiOS-6K7K7.0.5affected
FortinetFortiOS-6K7K6.4.12affected
FortinetFortiOS-6K7K6.4.10affected
FortinetFortiOS-6K7K6.4.8affected
FortinetFortiOS-6K7K6.4.6affected
FortinetFortiOS-6K7K6.4.2affected
FortinetFortiOS-6K7K6.2.9 <= 6.2.13affected
FortinetFortiOS-6K7K6.2.6 <= 6.2.7affected
FortinetFortiOS-6K7K6.2.4affected
FortinetFortiOS-6K7K6.0.12 <= 6.0.16affected
FortinetFortiOS-6K7K6.0.10affected
FortinetFortiProxy7.2.0 <= 7.2.3affected
FortinetFortiProxy7.0.0 <= 7.0.9affected
FortinetFortiProxy2.0.0 <= 2.0.12affected
FortinetFortiProxy1.2.0 <= 1.2.13affected
FortinetFortiProxy1.1.0 <= 1.1.6affected
FortinetFortiOS7.2.0 <= 7.2.4affected
FortinetFortiOS7.0.0 <= 7.0.11affected
FortinetFortiOS6.4.0 <= 6.4.12affected
FortinetFortiOS6.2.0 <= 6.2.13affected
FortinetFortiOS6.0.0 <= 6.0.16affected

Weaknesses

  • CWE-122: Execute unauthorized code or commands

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References