Attacker Value
Very High
(2 users assessed)
Exploitability
Moderate
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
3

CVE-2023-25610

Last updated February 08, 2023
Initial Access
Techniques
Validation
Validated

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


3
Ratings
  • Exploitability
    Low
Technical Analysis

This is a Forti-thing, so there’s a valuable target population, but I’d be surprised if a heap underflow got exploited widely. Not exploited as 0day, according to the advisory, and no hackery in the wild that I can see. There are easier Forti-targets out there than this one.

1
Ratings
Technical Analysis

Fortinet has issued an advisory regarding a critical vulnerability in FortiOS, known as CVE-2023-25610. This vulnerability poses a significant risk of remote code execution (RCE) and affects Fortinet’s operating system. Specifically, the vulnerability resides in the administrative interface and involves a buffer underwrite bug. Exploiting this flaw, an unauthorized remote attacker can execute code by utilizing specially crafted requests.

To mitigate this vulnerability, it is crucial for affected customers to promptly apply the available patch to their FortiOS instances. Upgrading to the patched versions is highly recommended to ensure system security.

CVE-2023-25610 is a buffer underwrite (or “buffer underflow”) exploit that impacts the administrative interface of FortiOS and FortiProxy. It arises when a program writes data to a buffer with a size smaller than the data itself, resulting in the overwrite of adjacent memory locations.

Exploiting this vulnerability could empower an unauthenticated attacker to remotely execute arbitrary code on the device or launch a denial-of-service (DoS) attack on the graphical user interface (GUI). To carry out such an attack, the malicious actor would need to send specifically crafted requests to the target device.

It is worth noting that a proof of concept for this vulnerability was published on March 11, which increases the likelihood of it being exploited in real-world scenarios.

Wiz Research data reveals that approximately 9% of cloud enterprise environments remain vulnerable to this particular flaw. Moreover, among environments utilizing FortiOS, a staggering 80% have yet to apply the necessary patch to safeguard against it.

This marks another critical vulnerability discovered in FortiOS this year, with the previous instance, CVE-2022-42475, being rapidly exploited in the wild shortly after its disclosure. Therefore, it is anticipated that this latest vulnerability will likely face similar exploitation, especially with a few public exploit examples being available.

The following product versions are affected by CVE-2023-25610:

  • FortiOS versions 7.2.0 through 7.2.3
  • FortiOS versions 7.0.0 through 7.0.9
  • FortiOS versions 6.4.0 through 6.4.11
  • FortiOS versions 6.2.0 through 6.2.12
  • All versions of FortiOS 6.0
  • FortiProxy versions 7.2.0 through 7.2.2
  • FortiProxy versions 7.0.0 through 7.0.8
  • FortiProxy versions 2.0.0 through 2.0.11
  • All versions of FortiProxy 1.2
  • All versions of FortiProxy 1.1

Fortinet has also acknowledged the potential vulnerability impact on other products. However, in those cases, an attacker would only be able to initiate a denial-of-service (DoS) attack rather than achieve remote code execution (RCE).
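The assessment above describes the bug class as a buffer underwrite. As an added illustration that is not part of the original page, and not Fortinet's or any assessor's code, the C program below shows the general CWE-124 pattern: an index check that only enforces the upper bound lets a negative offset write before the start of the buffer and clobber whatever sits there, shown beside a version that checks both bounds. The struct layout, the marker value and the function names are constructed for the demo and say nothing about FortiOS internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for illustration only: a 4-byte marker sits immediately
 * before a 16-byte buffer, standing in for whatever field or metadata an
 * underwrite would corrupt on a real target. */
#define BUF_LEN 16
#define MARKER  0xC0FFEEu

struct frame {
    uint32_t marker;        /* the "adjacent memory" before the buffer */
    char     data[BUF_LEN];
};

/* Vulnerable: only the upper bound is checked, so a negative offset passes
 * and the write lands before data[0]  (CWE-124, buffer underwrite). */
static int write_unchecked_low(struct frame *f, int offset, char c)
{
    if (offset >= BUF_LEN)
        return -1;
    /* Pointer arithmetic from the start of the buffer; a negative offset
     * stays inside the enclosing struct, so the demo itself is well-defined,
     * but the missing low-bound check is exactly the bug. */
    char *buf = (char *)f + offsetof(struct frame, data);
    buf[offset] = c;
    return 0;
}

/* Hardened: reject anything outside [0, BUF_LEN). */
static int write_checked(struct frame *f, int offset, char c)
{
    if (offset < 0 || offset >= BUF_LEN)
        return -1;
    f->data[offset] = c;
    return 0;
}

static void frame_init(struct frame *f)
{
    f->marker = MARKER;
    memset(f->data, 0, sizeof f->data);
}

/* Run one write through `writer` on a fresh frame and report what happened:
 *   1  write accepted, marker intact
 *   0  write accepted, marker corrupted (the underwrite hit it)
 *  -1  writer rejected the offset */
static int probe(int (*writer)(struct frame *, int, char), int offset)
{
    struct frame f;
    frame_init(&f);
    if (writer(&f, offset, 'A') != 0)
        return -1;
    return f.marker == MARKER ? 1 : 0;
}

int main(void)
{
    printf("unchecked, offset -1: %d\n", probe(write_unchecked_low, -1)); /* 0: marker clobbered */
    printf("unchecked, offset  5: %d\n", probe(write_unchecked_low, 5));  /* 1: in-bounds write */
    printf("checked,   offset -1: %d\n", probe(write_checked, -1));       /* -1: rejected */
    printf("checked,   offset  5: %d\n", probe(write_checked, 5));        /* 1: in-bounds write */
    return 0;
}
```

Build with `cc -Wall -Wextra -o underwrite underwrite.c` and run it; the unchecked writer accepts offset -1 and the marker no longer reads 0xC0FFEE, while the checked writer refuses the same call. The point to take to a real code review is that a signed index compared against only its maximum is a low-bound bug waiting to happen; using `size_t` for the index, or checking both ends as above, closes it.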
