Researchers report that a massive number of businesses have been slow to patch their Fortigate firewalls against a high-severity vulnerability in Fortinet’s operating system for the devices, FortiOS — underscoring the challenges of addressing flaws that affect essential security appliances.
According to researchers at offensive security firm Bishop Fox, 69 percent of Fortigate firewalls remain unpatched against a critical FortiOS vulnerability, tracked at CVE-2023-27997, weeks after fixes became available.
That amounts to roughly 336,000 Fortigate devices that are believed to be susceptible to the vulnerability, which can be exploited by a malicious actor to remotely execute code, according to the post from Bishop Fox researchers Friday.
A remote code execution (RCE) flaw impacting a key security appliance such as a firewall is “about as bad as it can get,” said Andrew Barratt, vice president at Greenwood Village, Colo.-based cybersecurity services firm Coalfire, in email comments Monday.
“When a vulnerability in that very device makes it also the entry point for an intruder, typically they’re going to have very broad, far-reaching access to other network segments, if not the whole environment,” Barratt said in the email comments.
The significant number of unpatched firewalls, at this stage, is likely the result of businesses’ inability to take the appliances offline for deployment and testing of the patches, he said.
Fortinet released patches for the issue on June 9, and disclosed on June 12 that the vulnerability “may have been exploited.”
CRN has reached out to Fortinet for comment.
The vulnerability has received a severity rating of 9.8 out of 10.0. The fixes are available in FortiOS versions 7.2.5 or above, 7.0.12 or above, 6.4.13 or above, 6.2.14 or above and 6.0.17 or above.