Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

XORtigate: FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE

IdentifiersCVE-2023-27997CWE-122· Heap-based Buffer Overflow

CVE-2023-27997 is a critical heap-based buffer overflow in the SSL-VPN component of Fortinet FortiOS and FortiProxy. According to the provided content, the flaw exists in SSL-VPN pre-authentication processing and can be triggered by a remote attacker using specifically crafted requests. Affected versions include FortiOS 7.2.4 and below, 7.0.11 and below, 6.4.12 and below, and 6.0.16 and below, as well as FortiProxy 7.2.3 and below, 7.0.9 and below, 2.0.12 and below, and all versions of 1.2 and 1.1. Successful exploitation may allow arbitrary code or command execution on the vulnerable appliance. The content also notes Fortinet advisory FG-IR-23-097, describes the issue as occurring in SSL-VPN pre-authentication, and references limited in-the-wild exploitation.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in unauthenticated remote execution of arbitrary code or commands on affected FortiOS or FortiProxy devices. The provided content also states Fortinet warned of possible data loss and OS/file corruption. Because the flaw is in an internet-facing SSL-VPN component, compromise can provide attackers with control of the appliance, enable theft of credentials and configuration data, facilitate persistence and follow-on access into internal networks, and support broader intrusion activity. The content further references observed exploitation by multiple threat actors and use of Fortinet edge-device compromises in campaigns affecting government, critical infrastructure, service providers, consultancies, and manufacturing organizations.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling SSL-VPN where it is not required, since the provided content states customers not operating SSL-VPN have mitigated risk and customers who never enabled SSL-VPN are not impacted by related SSL-VPN exploitation activity. Additional hardening measures mentioned in the content include minimizing attack surface by disabling unused features, managing devices via out-of-band methods where possible, following Fortinet hardening guidance, and reviewing systems for indicators of compromise from earlier Fortinet edge-device exploitation. Reset exposed credentials and treat device configurations as potentially compromised if exploitation is suspected.

Remediation

Patch, then assume compromise.

Upgrade affected FortiOS and FortiProxy installations to a fixed firmware release as advised by Fortinet in advisory FG-IR-23-097. The provided content states customers with SSL-VPN enabled should take immediate action to upgrade to the most recent firmware release, and that upgrading is recommended even if SSL-VPN is not in use. Organizations should also review systems for evidence of prior compromise, especially where devices remained unpatched after disclosure, and audit device configurations and credentials because compromise of the appliance may expose sensitive configuration data and authentication material.
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).

VALID 2 / 6 TOTALView more in app
fgt-cve-2023-27997-exploitMaturityPoCVerified exploit

This repository provides a Python proof-of-concept exploit for CVE-2023-27997, a critical heap-based buffer overflow vulnerability in Fortinet FortiGate SSL-VPN (FortiOS) devices. The exploit consists of a single main script ('fgt-cve-2023-27997-exploit.py'), a README.md with detailed usage and technical background, and a requirements.txt listing dependencies (requests, urllib3, numpy, scipy). The exploit works by first retrieving a 'salt' value from the target's '/remote/info' endpoint, then crafting a ROP chain payload (demonstrated with a ping command), encrypting it, and sending it to the vulnerable '/remote/hostcheck_validate' endpoint as the 'enc' parameter. The script is designed for authorized testing and demonstrates remote code execution (RCE) without authentication. The README provides affected version ranges for FortiOS and FortiProxy, usage instructions, and technical details about the vulnerability and exploit chain. The attack vector is network-based, targeting the SSL-VPN web interface. The exploit is a PoC and requires the attacker to specify the target IP and port.

onurkerembozkurtDisclosed Apr 18, 2025pythonnetwork
xortigate-cve-2023-27997MaturityPoCVerified exploit

This repository contains a proof-of-concept (POC) exploit for CVE-2023-27997, a critical remote code execution vulnerability in Fortinet FortiGate SSL VPN devices. The main file, 'exploit.py', is a heavily commented Python script that demonstrates the exploitation process, including buffer overflow and ROP chain construction, but does not provide a fully weaponized payload. The exploit requires the attacker to specify the target (host:port) and a local callback address. It uses custom SSL/TLS connections and crafts HTTP(S) requests to the '/remote/error' endpoint on the target device. The script is intended for educational purposes and does not include fingerprinting or vulnerability checks. The README.md provides a brief overview and points to a detailed blog post for further information. The exploit demonstrates the attack vector and methodology but is not directly usable for real-world attacks without further development.

lexfoDisclosed Oct 12, 2023pythonnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
FortinetFortiosoperating_system
FortinetFortiproxyapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

30 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

30 SOURCESView more in app
nuclei templates pull requestsNews
Mar 26, 2026
Add 5 KEV CVE templates (Fortinet, SonicWall, Qlik Sense) by ElromEvedElElyon · Pull Request #15698 · projectdiscovery/nuclei-templates · GitHub

A remote code execution vulnerability in Fortinet FortiOS SSL VPN caused by a heap buffer overflow, also referred to as XORtigate.

Read more
nuclei templates pull requestsNews
Mar 26, 2026
Add 3 KEV CVE templates (Fortinet, Citrix) by ElromEvedElElyon · Pull Request #15707 · projectdiscovery/nuclei-templates · GitHub

A heap-based buffer overflow vulnerability in Fortinet FortiOS/FortiProxy SSL-VPN, also referred to as XORtigate.

Read more
breakglass intelNews
Feb 26, 2026
Three IPs, Three Threat Actors: Forensic Dissection of a FortiGate Mass Exploitation Campaign, a Remcos RAT Deployment, and an Exposed Honeypot Research Server - Breakglass Intelligence - Breakglass Intelligence

A likely exploited FortiGate vulnerability used in the initial access phase of a mass exploitation campaign against FortiGate firewalls.

Read more
cyfirma newsNews
Feb 20, 2026
Weekly Intelligence Report - 20 February 2026 - CYFIRMA

A vulnerability (unspecified in the content) affecting Fortinet FortiOS that is listed as exploited by the threat actor UNC3886/Volt Typhoon.

Read more
+20 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence9

Every observed campaign linking this CVE to a named adversary.

Associated malware7

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-27997
NVD
nvd.nist.gov/vuln/detail/CVE-2023-27997
MITRE CWE · CWE-122
Heap-based Buffer Overflow
Vendor Advisory
fortiguard.com/psirt/FG-IR-23-097
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27997