CVE-2023-27997

CVE Published	2023-06-13
Related CWE(s)	CWE-122: Heap-based Buffer Overflow, CWE-787: Out-of-bounds Write
Related Vendor(s)	fortinet
Related Product(s)	fortiproxy, fortios, fortios-6k7k
Exploitation Reported (CISA KEV)	2023-06-13
CVSS 3 Base Score	9.8 (CRITICAL)
CVSS 3 Attack Complexity	LOW
CVSS 3 Attack Vector	NETWORK

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Cyber Threat Graph Context

Explore how this CVE relates to the wider threat graph

Threat Reports Related to CVE-2023-27997

Report

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...

View Source

Associated CAPEC Patterns

Forced Integer Overflow (CAPEC-92)

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

References