Fortinet reports a vulnerability with a CVSS score of 7.5 for FortiOS and FortiProxy and is therefore considered highly dangerous. Attackers could retrieve the administrator cookie and thus gain unauthorized access. Various updates are available from Fortinet.
Fortinet describes the security notification for the high-risk vulnerability with CVSS score 7.5 as follows: “A vulnerability with insufficiently protected credentials in FortiOS and FortiProxy could, in rare and specific cases, allow an attacker to obtain the administrator cookie by convincing the administrator to do so to visit a website controlled by malicious attackers via SSL VPN.” In this way, attackers could obtain higher rights or leak sensitive data. The vulnerability has the following identifier: CVE-2023-41677.
Affected versions of FortiOS and FortiProxy
| FortiOS 7.4 | 7.4.0 – 7.4.1 |
| FortiOS 7.2 | 7.2.0 – 7.2.6 |
| FortiOS 7.0 | 7.0.0 – 7.0.12 |
| FortiOS 6.4 | 6.4.0 – 6.4.14 |
| FortiOS 6.2 | 6.2.0 – 6.2.15 |
| FortiOS 6.0 | 6.0 all versions |
| FortiProxy 7.4 | 7.4.0 – 7.4.1 |
| FortiProxy 7.2 | 7.2.0 – 7.2.7 |
| FortiProxy 7.0 | 7.0.0 – 7.0.13 |
| FortiProxy 2.0 | 2.0 all versions |
| FortiProxy 1.2 | 1.2 all versions |
| FortiProxy 1.1 | 1.1 all versions |
About Fortinet Fortinet (NASDAQ: FTNT) protects the most valuable resources of some of the largest companies, service providers and government agencies worldwide. We offer our customers complete transparency and control over the expanding attack surface as well as the ability to meet ever higher performance requirements now and in the future. Only the Fortinet Security Fabric platform can address the most critical security challenges and protect data across the entire digital infrastructure, whether in network, application, multi-cloud or edge environments. Fortinet is # 1 when it comes to the most commonly shipped security appliances. More than 455.000 customers trust Fortinet to protect their brands. Both a technology company and a training company, the Fortinet Network Security Expert (NSE) Institute has one of the largest and most comprehensive cyber security training programs in the industry. More information on this at www.fortinet.de, in the Fortinet blog or at FortiGuard Labs.