What is Fortinet FortiOS SSL-VPN?
Fortinet FortiOS and FortiProxy are the operating systems running on Fortinet's FortiGate firewalls and FortiProxy web proxies. The SSL-VPN feature (available as a web-based portal and tunnel client) allows remote employees and third parties to connect to corporate networks via HTTPS-based VPN. Fortinet SSL-VPN appliances are deployed at the perimeter of corporate and government networks worldwide and are a consistent high-priority target for ransomware groups and nation-state actors — perimeter VPN compromise provides immediate access to internal networks without requiring further lateral movement past the firewall.
Overview
CVE-2023-27997, nicknamed "XORtigate" by researchers at Lexfo Security, is a critical pre-authentication heap-based buffer overflow in Fortinet FortiOS and FortiProxy SSL-VPN functionality. An unauthenticated remote attacker can send specially crafted requests to exploit the buffer overflow and achieve remote code execution on the VPN gateway. Fortinet silently patched the vulnerability before Lexfo's public disclosure; CISA added it to KEV the same day it was formally published. Both ransomware groups and nation-state actors rapidly exploited unpatched Fortinet VPN appliances following disclosure.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| FortiOS 7.2.x | < 7.2.5 | 7.2.5 |
| FortiOS 7.0.x | < 7.0.12 | 7.0.12 |
| FortiOS 6.4.x | < 6.4.13 | 6.4.13 |
| FortiOS 6.2.x | < 6.2.15 | 6.2.15 |
| FortiProxy 7.2.x | < 7.2.4 | 7.2.4 |
| FortiProxy 7.0.x | < 7.0.10 | 7.0.10 |
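As an added example (not code from the advisory or from Fortinet), the following Python script checks an appliance inventory against the fixed-version table above, so a branch the table does not list (for example an end-of-support train) is surfaced for manual review rather than silently treated as safe. The `v7.0.11,build0489,230314 (GA.F)` version-string layout is an assumption about `get system status` output; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed version per (product, branch), taken from the Affected Versions table.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("FortiOS", "7.2"): "7.2.5",
    ("FortiOS", "7.0"): "7.0.12",
    ("FortiOS", "6.4"): "6.4.13",
    ("FortiOS", "6.2"): "6.2.15",
    ("FortiProxy", "7.2"): "7.2.4",
    ("FortiProxy", "7.0"): "7.0.10",
}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from '7.0.11' or 'v7.0.11,build0489,230314 (GA.F)'
    (assumed 'get system status' layout; only the leading dotted triple is used)."""
    match = _VERSION_RE.match(version.strip())
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return major, minor, patch

def assess(product: str, version: str) -> str:
    """'vulnerable', 'patched', 'unknown' (branch not in the table) or
    'unparseable'. Anything other than 'patched' needs a human look."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get((product, f"{parsed[0]}.{parsed[1]}"))
    if fixed is None:
        return "unknown"
    return "vulnerable" if parsed < parse_version(fixed) else "patched"

def needs_action(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """(hostname, status) for every appliance not confirmed patched, so unknown
    and unparseable entries are reported instead of dropped."""
    statuses = [(host, assess(product, version)) for host, product, version in inventory]
    return [(host, status) for host, status in statuses if status != "patched"]

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.0.11,build0489,230314 (GA.F)"),
    ("fw-edge-02", "FortiOS", "7.2.5"),
    ("proxy-dmz-01", "FortiProxy", "7.0.9"),
    ("fw-legacy-01", "FortiOS", "6.0.16"),
]

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```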
Technical Details
CWE-122 (Heap-Based Buffer Overflow). The SSL-VPN pre-authentication code path in FortiOS and FortiProxy contains a heap-based buffer overflow in the processing of SSL VPN WebSocket connections. When handling certain crafted SSL/TLS requests before any authentication occurs, the code copies user-controlled data into a heap buffer without adequate bounds checking. The resulting overflow corrupts adjacent heap memory in a controllable way, enabling an attacker to achieve arbitrary code execution in the context of the VPN daemon process.
The pre-authentication nature (no credentials required) means any internet-accessible Fortinet SSL-VPN listener is vulnerable. The name "XORtigate" references the XOR-based obfuscation pattern Lexfo identified in the vulnerable code path.
Discovery
Discovered by Charles Fol and Dany Bach at Lexfo Security, who named it XORtigate and coordinated disclosure with Fortinet. Fortinet patched silently before Lexfo's public disclosure — a practice that provides a brief window for enterprises to patch before public PoC development, but that Lexfo's publication closed rapidly.
Exploitation Context
Following disclosure, two distinct threat actor categories exploited CVE-2023-27997 against unpatched Fortinet VPN appliances:
Nation-state actors: Volt Typhoon (Chinese state-sponsored) and other APT groups targeted Fortinet VPNs to gain persistent access to critical infrastructure and government networks for long-term espionage operations.
Ransomware groups: Multiple ransomware operators (including affiliates of LockBit, Akira, and others) incorporated the vulnerability into their initial access arsenal, targeting enterprises with unpatched Fortinet appliances for rapid network access and ransomware deployment.
Fortinet SSL-VPN appliances are pervasive across enterprise and government environments, and the long tail of unpatched deployments provides ransomware and espionage actors with a sustained targeting opportunity even months after patch release.
Remediation
- Upgrade FortiOS and FortiProxy to the patched versions listed above immediately — prioritize internet-facing SSL-VPN appliances.
- If immediate patching is not possible, disable SSL-VPN functionality as a temporary measure (`config vpn ssl settings` / `set status disable`).
- Check FortiGate logs for signs of exploitation: unexpected process crashes, suspicious SSL-VPN authentication events from unusual source IPs, or anomalous traffic patterns on the VPN interface.
- Review FortiGate for web shells or persistent implants installed post-exploitation: check for unexpected files in the FortiOS filesystem, unusual administrative accounts, and configuration changes.
- After patching, rotate all VPN credentials and review any internal access that occurred via VPN sessions during the vulnerable window.
- Restrict management access to FortiGate appliances (HTTPS admin, SSH) to trusted management networks only.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-27997 |
| Vendor / Product | Fortinet — FortiOS and FortiProxy SSL-VPN |
| NVD Published | 2023-06-13 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-122 |
| CISA KEV Added | 2023-06-13 |
| CISA KEV Deadline | 2023-07-04 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2023-06-11 | Fortinet releases patches for CVE-2023-27997 (FG-IR-23-097) — silently before full disclosure |
| 2023-06-12 | Lexfo Security publishes 'XORtigate' research publicly describing the vulnerability |
| 2023-06-13 | CVE-2023-27997 published; CISA adds to KEV same day |
| 2023-07-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Fortinet PSIRT Advisory FG-IR-23-097 — CVE-2023-27997 | Vendor Advisory |
| NVD — CVE-2023-27997 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |