PT-2024-3050 · Fortinet · FortiProxy, FortiOS

Published: 2024-04-09 · Updated: 2024-12-12 · CVE-2023-41677

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Fortinet FortiProxy versions 1.0.0 through 1.0.7
Fortinet FortiProxy versions 1.1.0 through 1.1.6
Fortinet FortiProxy versions 1.2.0 through 1.2.13
Fortinet FortiProxy versions 2.0.0 through 2.0.13
Fortinet FortiProxy versions 7.0.0 through 7.0.12
Fortinet FortiProxy versions 7.2.0 through 7.2.6
Fortinet FortiProxy version 7.4.0
Fortinet FortiOS versions 6.0.0 through 6.0.17
Fortinet FortiOS versions 6.2.0 through 6.2.15
Fortinet FortiOS versions 6.4.0 through 6.4.14
Fortinet FortiOS versions 7.0.0 through 7.0.12
Fortinet FortiOS versions 7.2.0 through 7.2.6
Fortinet FortiOS versions 7.4.0 through 7.4.1
Description

An insufficiently protected credentials weakness in Fortinet FortiProxy and FortiOS may allow an attacker to execute unauthorized code or commands via a targeted social engineering attack. The attack requires a user to visit an attacker-controlled malicious website through SSL-VPN; under rare and specific conditions this can allow the attacker to obtain the administrator cookie. User interaction is required, as reflected by UI:R in the CVSS vector.
Recommendations

For Fortinet FortiProxy versions 1.0.0 through 1.0.7, update to a fixed version.
For Fortinet FortiProxy versions 1.1.0 through 1.1.6, update to a fixed version.
For Fortinet FortiProxy versions 1.2.0 through 1.2.13, update to a fixed version.
For Fortinet FortiProxy versions 2.0.0 through 2.0.13, update to a fixed version.
For Fortinet FortiProxy versions 7.0.0 through 7.0.12, update to a fixed version.
For Fortinet FortiProxy versions 7.2.0 through 7.2.6, update to a fixed version.
For Fortinet FortiProxy version 7.4.0, update to a fixed version.
For Fortinet FortiOS versions 6.0.0 through 6.0.17, update to a fixed version.
For Fortinet FortiOS versions 6.2.0 through 6.2.15, update to a fixed version.
For Fortinet FortiOS versions 6.4.0 through 6.4.14, update to a fixed version.
For Fortinet FortiOS versions 7.0.0 through 7.0.12, update to a fixed version.
For Fortinet FortiOS versions 7.2.0 through 7.2.6, update to a fixed version.
For Fortinet FortiOS versions 7.4.0 through 7.4.1, update to a fixed version.

As a temporary workaround, consider restricting access to SSL-VPN to minimize the risk of exploitation.

Fix

Fixed versions are available; see Recommendations.

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

BDU:2024-03235
CVE-2023-41677

Affected Products

FortiOS
FortiProxy