XORTIGATE Vulnerability : Unmasking Critical Threats in Fortinet’s FortiOS and FortiProxy SSL-VPN (CVE-2023-27997)

Published On : 2023-07-12
Share :
XORTIGATE Vulnerability : Unmasking Critical Threats in Fortinet’s FortiOS and FortiProxy SSL-VPN (CVE-2023-27997)


This research by the CYFIRMA Research team investigates a critical vulnerability, tracked as CVE-2023-27997, affecting FortiOS and FortiProxy SSL-VPN, a popular operating system and VPN, used in their security products. The vulnerability, known as XORTIGATE, has the potential for remote code execution (RCE) and is being exploited in recent attacks.


The vulnerability poses a significant risk to organizations as it enables remote code execution (RCE) and has already been exploited in recent attacks. The XORTIGATE vulnerability arises from an insecure deserialization flaw found in the SSL VPN portal, allowing attackers to execute arbitrary code with privileges of the targeted user.

Fortinet has identified the affected versions of FortiOS, which include 6.0 to 7.2.4, for FortiProxy 1.1.0 to 7.2.3. Organizations utilizing these versions must act swiftly to patch or upgrade their systems to protect against potential attacks.


Key Takeaways:

  • XORTIGATE (CVE-2023-27997) is a severe vulnerability found in FortiOS and FortiProxy SSL-VPN, which could allow attackers to execute arbitrary code remotely.
  • The vulnerability may have been exploited in recent attacks, making it a critical concern for organizations using Fortinet’s products.
  • Affected versions of FortiOS include 6.0 to 7.2.4, and for FortiProxy 1.1.0 to 7.2.3, emphasizing the need for immediate patching or upgrades.
  • Organizations utilizing FortiOS and FortiProxy SSL-VPN are advised to apply the latest security patches and firmware updates promptly to mitigate the risk of exploitation.


The XORTIGATE vulnerability (CVE-2023-27997) was discovered and responsibly reported by researchers. Their expertise and efforts in identifying and disclosing the flaw have contributed to enhancing the overall cybersecurity landscape.


Vulnerability type: Remote Code Execution (RCE)
CVE ID: CVE-2023-27997
CVSS Severity Score: 9.8 [Critical]
Application: Fortinet FortiOS and FortiProxy
Impact: Remote code execution, unauthorized access, data breaches, network compromise
Severity: Critical
Affected Versions: FortiOS 6.0 – 7.2.4, FortiProxy 1.1.0 – 7.2.3 Patched Available: Yes


CYFIRMA Research has analysed multiple sources, reporting on the XORTIGATE vulnerability, CVE-2023-27997. This vulnerability affects FortiOS and FortiProxy SSL-VPN, an operating system widely utilized in their security products, including firewalls and VPN solutions. It arises from an insecure deserialization flaw present in the SSL VPN portal, allowing an attacker to exploit it remotely.

The vulnerability, classified as critical, enables attackers to execute arbitrary code with the privileges of the targeted user. It has the potential to compromise the confidentiality, integrity, and availability of affected systems. Successful exploitation of this flaw could result in unauthorized access, data exfiltration, network compromise, or complete control of the target system.

The exact details of the attacks are not disclosed, the potential impact of successful exploitation raises significant concerns for organizations utilizing FortiOS and FortiProxy SSL-VPN.

Shodan’s data reveals that over 200,000 Fortigate firewalls are currently accessible on the Internet, indicating a substantial presence of these devices. Given the vulnerability’s impact on earlier firmware versions, it is highly likely that a considerable portion of these firewalls remain susceptible to potential attacks. This underscores the urgent need for users to assess and address their Fortigate firewall configurations to mitigate the associated risks.


If successfully exploited, the XORTIGATE vulnerability (CVE-2023-27997) poses serious risks to organizations. The potential impacts include:

  • Remote code execution: Attackers could execute arbitrary code remotely on vulnerable systems, leading to unauthorized access, data breaches, or complete system compromise.
  • Confidentiality breaches: Sensitive data transmitted through Fortinet’s security products could be accessed and exfiltrated by attackers.
  • Network compromise: Exploiting this vulnerability could allow attackers to gain a foothold in an organization’s network, potentially enabling lateral movement and further compromise of critical assets.
  • Disruption of services: Attackers may disrupt the availability of affected systems, impacting normal business operations and causing financial losses.


The XORTIGATE vulnerability (CVE-2023-27997) impacts the following versions of FortiOS and FortiProxy SSL-VPN:

  • Versions 6.0 to 7.2.4
  • Versions 1.1.0 to 7.2.3


  • Is there already an exploit tool to attack this vulnerability? No, as of now, there is no known public exploit tool available for the XORTIGATE vulnerability (CVE-2023- 27997).
  • Has this vulnerability already been used in an attack? While there is no specific information confirming whether the XORTIGATE vulnerability has been exploited, it is prudent to consider the possibility of active exploitation. But as the vulnerability is Critical, organizations should remain vigilant and actively monitor their systems for any signs of compromise.
  • Are hackers discussing this vulnerability in the Deep/Dark Web? Currently, there is no evidence to indicate that hackers are actively discussing or exploiting the XORTIGATE vulnerability in the Deep/Dark Web. However, we will do continuous monitoring of underground forums and channels, as it is necessary to stay updated on any emerging discussions or potential threats.
  • What is the attack complexity level? The attack complexity level for the XORTIGATE vulnerability is considered low. Exploiting this vulnerability requires an authenticated user to insert a malicious payload into the affected SSL VPN portal, which can be achieved through relatively straightforward means.
  • According to historical trends and the known exploits catalogue, threat actors have shown a propensity to exploit vulnerabilities in FortiOS and FortiProxy SSL-VPN and similar security products to gain unauthorized access and conduct lateral movement within targeted environments. Given this pattern, it is important to acknowledge that threat actors may attempt to exploit the XORTIGATE vulnerability to compromise the security of affected systems, potentially resulting in unauthorized access, data breaches, or network compromise.


The bug discovered is in the web interface used for VPN authentication, which is exposed to the internet. By sending a specially crafted HTTP parameter named “enc” to the path “/remote/hostcheck_validate,” an attacker can trigger a heap overflow bug.

The “enc” parameter contains encrypted data, including a seed, size, and actual data. The seed is used to compute a XOR keystream, and the other states of the keystream are calculated based on the previous state.

By XORing the keystream with the encrypted payload, the data can be decrypted. However, there is a bug in the code that handles the decryption process. The length of the payload is compared to the length of the given data, but due to a mismatch in the encoding, the given length can be twice as big as it should be. This bug allows an attacker to overwrite memory beyond the allocated buffer and XOR it with MD5 hashes.

To exploit this vulnerability, researchers explored various ideas. One approach involves modifying pointers by XORing them with a specific value, but it requires finding suitable MD5 hashes and may result in garbled data before the modified pointer. Another approach involves leveraging the underlying allocator, jemalloc, which allows for contiguous allocations and consistent allocation at the same memory address. By triggering the bug twice with the same parameters, it becomes possible to XOR bytes with the same value, except for one byte that can be set to zero. This provides a way to edit bytes in memory.

We also see a more efficient method for overwriting multiple bytes at once by applying the primitive with different seeds and lengths. By carefully computing the seeds, it becomes possible to set specific bytes to desired values. It’s important to note that this is a highly technical and detailed vulnerability analysis.


To detect the vulnerability in Fortigate devices, Fortigate users can employ the following method using the command line interface (CLI):

Run the command “diagnose sys fortiguard-service status” on the Fortigate device. The output will display the FortiOS Version. If the version is 7.2.5 or higher, it indicates that the device is not vulnerable. However, if the version is lower than these specified numbers, the device is considered vulnerable and requires immediate patching.

Alternatively, users can utilize external tools like Nmap or Shodan to scan their Fortigate devices for open ports associated with SSL VPN, such as port 443 or 10443. By examining the banner information retrieved, users can identify the FortiOS version number and determine if their devices are susceptible to the vulnerability.

Taking these detection measures will assist Fortigate users in identifying the vulnerability status of their devices and enable them to take appropriate actions such as applying patches or updates to secure their systems.


To mitigate the risks associated with the XORTIGATE vulnerability, organizations are strongly advised to follow these steps:

  • Apply security patches: Fortinet has released security patches addressing this vulnerability. Organizations should promptly apply these patches to all affected FortiOS devices.
  • Update firmware: If upgrading to a non-affected FortiOS version is feasible, it is recommended to update the firmware to the latest version available.
  • Monitor network activity: Implement robust network monitoring.


Target Geography:

Based on the available information regarding the XORTIGATE vulnerability (CVE-2023- 27997) in FortiOS and FortiProxy SSL-VPN, it can potentially impact organizations worldwide that utilize Fortinet’s security products with the affected versions. Fortinet’s products are widely used globally, making the vulnerability relevant to organizations in various geographical regions.

Attackers may target organizations in regions where Fortinet products are heavily deployed, including North America, Europe, Asia-Pacific, and other regions with a significant presence of Fortinet infrastructure. The widespread use of Fortinet’s products in these regions increases the potential attack surface and the likelihood of finding vulnerable systems.

Target Industry:

The XORTIGATE vulnerability in FortiOS and FortiProxy SSL-VPN can impact organizations across various industries that rely on Fortinet’s security solutions. These industries include but are not limited to healthcare, finance, government, telecommunications, and critical infrastructure sectors.

Threat actors may selectively target industries that handle sensitive information or have a higher reliance on Fortinet’s products. The potential impacts of a successful exploitation, such as unauthorized access, data breaches, and network compromise, make these industries attractive targets for attackers, seeking to exploit the vulnerability.

Target Technology:

The XORTIGATE vulnerability (CVE-2023-27997) specifically affects FortiOS and FortiProxy SSL-VPN, the operating system used in their security products. As Fortinet is a prominent provider of cybersecurity solutions, the vulnerability is limited to organizations utilizing Fortinet’s infrastructure, including their firewalls, VPN solutions, and related products.

However, it is essential to note that the potential impact of the vulnerability extends beyond Fortinet’s products. Successful exploitation of the vulnerability can lead to unauthorized access, data breaches, and potential compromise of an organization’s overall technology infrastructure, including network devices, servers, and other connected systems.

Understanding the specific target geography, industries, and technologies affected by the XORTIGATE vulnerability assists organizations in prioritizing their security measures, applying necessary patches, and implementing proactive security controls to mitigate the risk of exploitation.


From underground forums, CYFIRMA Research team has observed that unknown hackers are selling Fortinet and Other Major product RCE Exploits.

Organizations and individuals using FortiOS and FortiProxy SSL-VPN are advised to remain vigilant and take proactive measures to protect their systems from potential attacks related to the XORTIGATE vulnerability (CVE-2023-27997). This includes promptly applying any available patches or security updates released by Fortinet to mitigate the vulnerability.


The XORTIGATE vulnerability (CVE-2023-27997) in FortiOS and FortiProxy SSL-VPN poses a significant risk to organizations utilizing the affected versions. With a low attack complexity level and the potential for remote code execution, unauthorized access, and network compromise, prompt mitigation is crucial. While there is currently no public exploit tool, the absence of proof-of-concept does not guarantee protection. Continuous monitoring is essential as threat actors may attempt to exploit this vulnerability in the near term. As a research company, CYFIRMA emphasizes the importance of proactive vulnerability management, patching, and staying informed through reliable sources to protect against emerging threats.

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.