Fortigate SSL-VPN Remote Code Execution vulnerability

All FortiGate devices running FortiOS with SSL-VPN enabled are potentially at risk.

• FortiOS-6K7K version 7.0.10

• FortiOS-6K7K version 7.0.5

• FortiOS-6K7K version 6.4.12

• FortiOS-6K7K version 6.4.10

• FortiOS-6K7K version 6.4.8

• FortiOS-6K7K version 6.4.6

• FortiOS-6K7K version 6.4.2

• FortiOS-6K7K version 6.2.9 through 6.2.13

• FortiOS-6K7K version 6.2.6 through 6.2.7

• FortiOS-6K7K version 6.2.4

• FortiOS-6K7K version 6.0.12 through 6.0.16

• FortiOS-6K7K version 6.0.10

• FortiProxy version 7.2.0 through 7.2.3

• FortiProxy version 7.0.0 through 7.0.9

• FortiProxy version 2.0.0 through 2.0.12

• FortiProxy 1.2 all versions

• FortiProxy 1.1 all versions

• FortiOS version 7.2.0 through 7.2.4

• FortiOS version 7.0.0 through 7.0.11

• FortiOS version 6.4.0 through 6.4.12

• FortiOS version 6.2.0 through 6.2.13

• FortiOS version 6.0.0 through 6.0.16

FortiSASE is no longer impacted, issue remediated Q2/23

Upgrade your devices running FortiOS to the latest version as soon as possible.

• upgrade to FortiOS-6K7K version 7.0.12 or above
• upgrade to FortiOS-6K7K version 6.4.13 or above
• upgrade to FortiOS-6K7K version 6.2.15 or above
• upgrade to FortiOS-6K7K version 6.0.17 or above
• upgrade to FortiProxy version 7.2.4 or above
• upgrade to FortiProxy version 7.0.10 or above
• upgrade to FortiProxy version 2.0.13 or above
• upgrade to FortiOS version 7.4.0 or above
• upgrade to FortiOS version 7.2.5 or above
• upgrade to FortiOS version 7.0.12 or above
• upgrade to FortiOS version 6.4.13 or above
• upgrade to FortiOS version 6.2.14 or above
• upgrade to FortiOS version 6.0.17 or above

For alternative mitigations, CERT NZ recommends disabling SSL-VPN.