
Summary: Fortinet has disclosed a critical buffer underwrite vulnerability (CVE-2023-25610, Fortinet advisory FG-IR-23-001) affecting multiple versions of FortiOS and FortiProxy. NVD scores it CVSS 9.8 (Fortinet's own advisory rates it 9.3). The flaw sits in the administrative interface and allows an unauthenticated remote attacker to execute arbitrary code or cause a denial of service by sending specially crafted requests.
Executive Summary for Security Teams
The vulnerability affects every supported FortiOS branch from 6.0 up to and including 7.2.3, and FortiProxy from 1.1 up to and including 7.2.2 (the per-branch ranges are in the table below). Key characteristics include:
- Critical RCE vulnerability (CVSS 9.8) requiring no authentication
- Affects administrative interfaces of FortiOS and FortiProxy
- Public proof of concept available on GitHub (Wiz Research)
- 80% of FortiOS environments remain unpatched according to security researchers
- The latest in a series of critical FortiOS vulnerabilities, following CVE-2022-42475, which was exploited in the wild before its fix shipped
Technical Details
CVE-2023-25610 is a buffer underwrite (buffer underflow, CWE-124) vulnerability in the administrative interface. A buffer underwrite occurs when a program writes to memory before the start of the buffer it intended to fill, typically because an index or pointer offset becomes negative or is computed from attacker-controlled input without a lower-bound check. The write lands on whatever precedes the buffer (other variables, heap allocator metadata, or saved control data), which is why the outcome ranges from a crash (denial of service) to arbitrary code execution. Fortinet states that the vulnerable code path is reachable by an unauthenticated attacker with specially crafted requests to the administrative interface.
Affected Products
| Product | Affected Versions | Patched Versions |
|---|---|---|
| FortiOS | 6.0 (all builds), 6.2.0 – 6.2.12, 6.4.0 – 6.4.11, 7.0.0 – 7.0.9, 7.2.0 – 7.2.3 | 6.2.13+, 6.4.12+, 7.0.10+, 7.2.4+, 7.4.0+ |
| FortiProxy | 1.1 and 1.2 (all builds), 2.0.0 – 2.0.11, 7.0.0 – 7.0.8, 7.2.0 – 7.2.2 | 2.0.12+, 7.0.9+, 7.2.3+ |
| FortiOS-6K7K | 6.2.0 – 6.2.10, 6.4.0 – 6.4.10, 7.0.5 | 6.2.13+, 6.4.12+, 7.0.10+ |

Note that the 6.0 branch of FortiOS and the 1.x branches of FortiProxy receive no fix; devices on those branches have to be migrated to a patched branch rather than upgraded within the branch.
Detection and Mitigation
Identifying Vulnerable Systems
Security teams can identify the running build from the FortiOS or FortiProxy CLI; the Version line names the model and the firmware version, which is then compared against the per-branch ranges in the table above:
    get system status | grep Version
Organizations can also use pre-built checks in vulnerability scanners, for example Qualys ThreatPROTECT (QID 43990). Scanner coverage of the management plane depends on the scanner being able to reach the administrative interface, so an inventory taken from the devices themselves (or from FortiManager) is the more reliable source.
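The following is an added example (not Fortinet tooling and not code from the original advisory) that parses the Version line of `get system status` output and decides, from the per-branch ranges in the table above, whether the build is affected. The status text is a constructed sample; the only assumption beyond the table is how the model token is mapped to an advisory row (FortiProxy models to the FortiProxy row, FortiGate-6000/7000 chassis models to the FortiOS-6K7K row, everything else to FortiOS).

```python
import re
from typing import Optional

Version = tuple[int, int, int]

# Per advisory row: (first affected build, last affected build).  A None upper
# bound means the whole branch is affected and has no fixed release, so the
# device must be migrated to another branch.  Ranges follow the table above
# (last affected build = first fixed build minus one).
AFFECTED: dict[str, list[tuple[Version, Optional[Version]]]] = {
    "FortiOS": [
        ((6, 0, 0), None),          # no fix for 6.0
        ((6, 2, 0), (6, 2, 12)),    # fixed in 6.2.13
        ((6, 4, 0), (6, 4, 11)),    # fixed in 6.4.12
        ((7, 0, 0), (7, 0, 9)),     # fixed in 7.0.10
        ((7, 2, 0), (7, 2, 3)),     # fixed in 7.2.4
    ],
    "FortiProxy": [
        ((1, 1, 0), None),          # no fix for 1.1
        ((1, 2, 0), None),          # no fix for 1.2
        ((2, 0, 0), (2, 0, 11)),    # fixed in 2.0.12
        ((7, 0, 0), (7, 0, 8)),     # fixed in 7.0.9
        ((7, 2, 0), (7, 2, 2)),     # fixed in 7.2.3
    ],
    "FortiOS-6K7K": [
        ((6, 2, 0), (6, 2, 10)),    # fixed in 6.2.13
        ((6, 4, 0), (6, 4, 10)),    # fixed in 6.4.12
        ((7, 0, 5), (7, 0, 5)),     # fixed in 7.0.10
    ],
}

# Matches e.g. "Version: FortiGate-100F v7.2.3,build1262,230118 (GA.F)"
VERSION_LINE = re.compile(
    r"Version:\s*(?P<model>\S+)\s+v(?P<maj>\d+)\.(?P<min>\d+)\.(?P<pat>\d+)"
)


def product_family(model: str) -> str:
    """Map the model token to an advisory row.  Assumption (not from the
    advisory): FortiGate-6000/7000 chassis models run the FortiOS-6K7K builds."""
    if model.startswith("FortiProxy"):
        return "FortiProxy"
    if re.match(r"FortiGate-[67]\d{3}", model):
        return "FortiOS-6K7K"
    return "FortiOS"


def parse_status(output: str) -> Optional[tuple[str, Version]]:
    """Return (family, version) from 'get system status' text, or None."""
    m = VERSION_LINE.search(output)
    if not m:
        return None
    version = (int(m["maj"]), int(m["min"]), int(m["pat"]))
    return product_family(m["model"]), version


def is_vulnerable(family: str, version: Version) -> bool:
    """True when the build falls inside an affected range of its own branch.
    Branches not listed for the family (e.g. FortiOS 7.4) are not affected."""
    for lo, hi in AFFECTED.get(family, []):
        if version[:2] != lo[:2] or version < lo:
            continue                      # different branch, or below the range
        if hi is None or version <= hi:
            return True
    return False


def assess(output: str) -> str:
    """One-line verdict for a captured 'get system status' output."""
    parsed = parse_status(output)
    if parsed is None:
        return "unknown: no Version line found"
    family, version = parsed
    label = f"{family} {'.'.join(map(str, version))}"
    return f"VULNERABLE: {label}" if is_vulnerable(family, version) else f"not affected: {label}"


# Constructed sample of the relevant part of 'get system status' output.
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.2.3,build1262,230118 (GA.F)
Hostname: fw-edge-01
"""

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```

Feed it the raw output captured from each device (or from a FortiManager script run) rather than a hand-typed version, so the model token is mapped correctly; a FortiGate-6000/7000 chassis on 7.0.6 is not affected while a standard FortiGate on the same build is.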
Remediation Steps
Fortinet recommends upgrading to a patched version immediately. Fortinet's advisory also notes that a subset of hardware models is affected only by the denial-of-service outcome, not code execution; that list is in FG-IR-23-001 and does not change the need to patch. For systems that cannot be updated immediately, the vendor workaround is to either disable the HTTP/HTTPS administrative interface or limit the source addresses that can reach it:
- Disable the HTTP/HTTPS administrative interface (global setting, as given in the original advisory summary):
    config system global
        set admin-https-port 0
        set admin-http-port 0
    end
  The same effect can be applied per interface by removing http and https from that interface's allowaccess list under config system interface, which is the option to prefer when HTTPS management must stay reachable on an internal interface but not on the WAN side.
- Restrict access via local-in-policy. TRUSTED_IPS must already exist as a firewall address object; local-in policies are evaluated top down, so the accept rule must precede the deny rule, and each entry needs a schedule:
    config firewall local-in-policy
        edit 1
            set intf port1
            set srcaddr TRUSTED_IPS
            set dstaddr all
            set action accept
            set service HTTPS HTTP
            set schedule always
        next
        edit 2
            set intf any
            set srcaddr all
            set dstaddr all
            set action deny
            set service HTTPS HTTP
            set schedule always
        next
    end
  Verify the result from outside the trusted range (for example with a TLS connection attempt to the management port from an untrusted address) before relying on it, and remove the workaround only after the upgraded build is confirmed with get system status.
Operational Impact
This vulnerability poses significant risk due to:
- Fortinet devices being common perimeter assets
- Administrative interfaces often being exposed for management
- Previous FortiOS vulnerabilities being rapidly weaponized
- The underwrite corrupting memory that precedes the buffer, which is the primitive that turns a crash into code execution once an attacker controls what is overwritten
Conclusion
CVE-2023-25610 represents a serious threat to organizations using vulnerable Fortinet devices. The combination of remote, unauthenticated exploitation and a public proof of concept increases the urgency for remediation. Security teams should:
- Inventory all FortiOS/FortiProxy instances, including the 6.0 and 1.x branches that have no fixed release and must be migrated
- Verify interface exposure, particularly HTTPS/HTTP administrative access on internet-facing interfaces
- Implement compensating controls (disable or restrict the administrative interface) if patching is delayed, and verify them from an untrusted network position
- Review administrative access logs for requests to the management interface from unexpected sources during the exposure window