Fortinet addressed a critical buffer underwrite (‘buffer underflow’) vulnerability, tracked as CVE-2023-25610 (CVSS v3 9.3), that resides in the administrative interface of FortiOS and FortiProxy. A remote, unauthenticated attacker can exploit the flaw by sending specifically crafted requests to execute arbitrary code on the vulnerable device and/or trigger a DoS condition on the GUI.
The vulnerability affects the following products:
The security vendor released the following updates to address the issue:
The company announced that it is not aware of attacks in the wild exploiting this vulnerability.
The advisory includes a list of models for which the flaw’s exploitation can only trigger a DoS condition.
Fortinet also provides a workaround for the flaw: the company recommends disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach the administrative interface.
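The two workarounds above, shown as FortiOS CLI configuration. This is an added illustration, not the text of Fortinet’s advisory: the interface name “wan1”, the management subnet 10.10.0.0/24, the address object name “mgmt_allowed”, the admin account name and the local-in policy IDs are placeholders that must be adapted to the deployment.

```text
# --- Weak setting (constructed example): HTTP/HTTPS admin access exposed on a WAN-facing interface
config system interface
    edit "wan1"
        set allowaccess ping https ssh http
    next
end

# --- Workaround 1: disable the HTTP/HTTPS administrative interface on that interface
config system interface
    edit "wan1"
        set allowaccess ping ssh
    next
end

# --- Workaround 2: keep HTTPS admin access but restrict which source IPs can reach it
# Address object for the management network (placeholder subnet)
config firewall address
    edit "mgmt_allowed"
        set subnet 10.10.0.0 255.255.255.0
    next
end

# Local-in policies: accept HTTPS to the device only from mgmt_allowed, deny it from everywhere else.
# Policy IDs 1 and 2 are placeholders; order matters, the accept rule must precede the deny rule.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt_allowed"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
    next
end

# Defence in depth: also bind the admin account to trusted hosts (placeholder account and subnet)
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
```

After applying either workaround, verify from an address outside the allowed range that the GUI port no longer answers, and repeat the check for every interface (including VPN and VLAN interfaces) that carries http or https in its allowaccess list; a single overlooked interface leaves the pre-authentication attack surface reachable. Trusted hosts on admin accounts do not by themselves remove an unauthenticated code path from the admin interface, so they complement, rather than replace, the local-in policy or disabling HTTP/HTTPS. The workaround is a stop-gap until the fixed FortiOS/FortiProxy versions are installed.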
The security vendor acknowledged Kai Ni from the Burnaby InfoSec team for reporting the flaw.
(SecurityAffairs – hacking, FortiOS)