Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now

From bleepingcomputer.com

Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices.

The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

While not mentioned in the release notes, security professionals and admins have hinted that the updates quietly fixed a critical SSL-VPN RCE vulnerability that would be disclosed on Tuesday, June 13th, 2023.

“The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated,” reads an advisory from French cybersecurity firm Olympe Cyberdefense.

“To date, all versions would be affected, we are waiting for the release of the CVE on June 13, 2023 to confirm this information.”
