PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-27997 Fortinet CVE debrief

CVE-2023-27997 is a heap-based buffer overflow in Fortinet FortiOS and FortiProxy SSL-VPN. CISA added it to the Known Exploited Vulnerabilities catalog on 2023-06-13 and set a remediation due date of 2023-07-04. Because it is publicly tracked as known exploited and flagged for known ransomware campaign use, it should be treated as an immediate patch-and-verify priority for any organization operating the affected Fortinet SSL-VPN services.

Vendor: Fortinet
Product: FortiOS and FortiProxy SSL-VPN
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2023-06-13
Original CVE updated: 2023-06-13
Advisory published: 2023-06-13
Advisory updated: 2023-06-13

Who should care

Security, network, and infrastructure teams responsible for Fortinet FortiOS or FortiProxy SSL-VPN; VPN appliance administrators; SOC and incident response teams; and asset owners who manage patch SLAs for externally reachable remote-access services.

Technical summary

The supplied records describe the issue as a heap-based buffer overflow affecting Fortinet's SSL-VPN functionality in FortiOS and FortiProxy. The corpus does not provide affected version ranges, exploitation mechanics, or proof-of-concept details. CISA's KEV entry identifies the vulnerability as known exploited and points to Fortinet PSIRT advisory FG-IR-23-097 for vendor instructions.

Defensive priority

Critical / immediate

Recommended defensive actions

  • Apply Fortinet updates per vendor instructions and the referenced PSIRT advisory FG-IR-23-097.
  • Inventory all FortiOS and FortiProxy SSL-VPN deployments, including appliances used for remote access, failover, or disaster recovery.
  • Confirm whether any internet-exposed SSL-VPN endpoints were running unpatched between the KEV listing (2023-06-13) and the remediation due date (2023-07-04), and review the relevant authentication, VPN, and administrative logs from that window for suspicious activity.
  • If remediation cannot be completed immediately, follow vendor and CISA guidance for temporary risk reduction and restrict access to the VPN service as much as operationally possible.
  • Escalate to incident response if there are signs of compromise, given CISA's KEV status and the 'known ransomware campaign use' flag.

Evidence notes

Evidence is limited to the supplied CVE record, the CISA KEV metadata, and the official reference links. The CVE was published and modified on 2023-06-13. CISA lists CVE-2023-27997 as a known exploited vulnerability, with a due date of 2023-07-04, and the supplied metadata marks known ransomware campaign use as 'Known'. The source metadata also references Fortinet PSIRT FG-IR-23-097 and the NVD record.

Official resources

Publicly disclosed and published in the supplied records on 2023-06-13; CISA KEV listing was also added on 2023-06-13.