FortiOS Remote Code Execution Vulnerability
Date of Notice: 03/10/2023
Action Level - Critical
Description
Fortinet has disclosed a vulnerability affecting certain versions of FortiOS. If exploited, it could allow a remote unauthenticated attacker to execute arbitrary code or perform a denial of service attack against the administrative interface of the device. Due to the serious nature of the vulnerability, we recommend investigating potentially impacted devices and updating to a fixed version if you are affected.
Affected Versions
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0 all versions
Note: some Fortinet devices are not vulnerable to the code execution portion of this vulnerability. Please see vendor resources for a full list.
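To support the investigation step this notice recommends, the following is an added Python check that is not part of the original notice and not Fortinet tooling: it flags inventory entries whose reported FortiOS version falls inside the ranges listed above. The hostnames and version strings are constructed sample data, and the check works on version only, so it does not model the per-device exceptions noted above; treat a hit as a candidate to confirm against the vendor list.

```python
"""Flag FortiOS builds that fall inside the affected ranges listed in this notice."""
import re
from typing import List, Optional, Tuple

# Inclusive (low, high) ranges copied from the Affected Versions list above.
# FortiOS 6.0 is affected in all versions, so its upper bound is left open.
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 3)),
    ((7, 0, 0), (7, 0, 9)),
    ((6, 4, 0), (6, 4, 11)),
    ((6, 2, 0), (6, 2, 12)),
    ((6, 0, 0), (6, 0, 999)),
]

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract major.minor.patch from strings such as 'v7.0.5' or 'FortiOS 6.4.9 build 2114'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the parsed version sits inside any listed affected range."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised FortiOS version string: {version!r}")
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of devices whose reported version is inside an affected range."""
    return [name for name, ver in inventory if is_affected(ver)]


# Constructed sample inventory (hostname, reported version); these are not real devices.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "v7.2.3"),
    ("fw-branch-02", "v7.2.4"),
    ("fw-dc-01", "FortiOS 6.4.9 build 2114"),
    ("fw-lab-01", "v6.0.15"),
    ("fw-hq-01", "v7.0.10"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: version in affected range, confirm against vendor guidance")
```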
Attack Vector
An attacker with network or local access to the FortiOS administrative interface.
Attack Feasibility
There are currently no known exploits for this vulnerability.
Mitigation
If you are not able to immediately apply the patch, you can mitigate this vulnerability by restricting access to the administrative interface.
Remediation
Update to a current supported version of FortiOS.
Vendor Resources