Skip to content

Defense Digests

Buffer Underflow Vulnerability in FortiOS and FortiProxy

Dataprise Defense Digest 550x550

Table of content

Dataprise Defense Digest

ID: D3-2023-0003-1

Severity: CRITICAL (9)

Published: March, 9th 2023


Fortinet has disclosed a critical vulnerability in their FortiOS and FortiProxy products. This vulnerability can allow an unauthenticated attacker to execute arbitrary code or perform a Denial of Service (DoS) on the Graphical User Interface (GUI) of vulnerable devices. This is a buffer underflow vulnerability being tracked as CVE-2023-25610 with a CVSS v3 score of 9.3. This type of vulnerability occurs when a program tries to read more data from a memory buffer than is available, resulting in accessing adjacent memory locations, leading to risky behavior or crashes. At the time of this writing, Fortinet has not observed any attempts in the wild to exploit these vulnerabilities.

Dataprise is aware of the critical nature of this vulnerability and has completed a review of all available analyses of these vulnerabilities and the potential impact on our clients. This has been a major exercise as the investigation requires that a specific order of actions is taken to achieve the response objectives. Right now, our teams are working to confirm whether the recommended mitigation steps can be applied without causing any customer-facing service interruptions. If your organization’s Fortinet appliance is covered under a Dataprise Managed Service agreement, we will send a follow-up communication with details on our mitigation efforts.


Using a specially crafted request to the GUI of a vulnerable FortiOS or FortiProxy, an unauthorized attacker can execute arbitrary code or cause a DoS against the GUI of the appliance.

The following affected FortiOS and FortiProxy versions are vulnerable.

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0 all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions

Even when running a vulnerable FortiOS version, the hardware devices listed below are ONLY impacted by the DoS part of the issue, *not* by the arbitrary code execution (non-listed devices are vulnerable to both): 

  • FortiGateRugged-100C
  • FortiGate-100D
  • FortiGate-200C
  • FortiGate-200D
  • FortiGate-300C
  • FortiGate-3600A
  • FortiGate-5001FA2
  • FortiGate-5002FB2
  • FortiGate-60D
  • FortiGate-620B
  • FortiGate-621B
  • FortiGate-60D-POE
  • FortiWiFi-60D
  • FortiWiFi-60D-POE
  • FortiGate-300C-Gen2
  • FortiGate-300C-DC-Gen2
  • FortiGate-300C-LENC-Gen2
  • FortiWiFi-60D-3G4G-VZW
  • FortiGate-60DH
  • FortiWiFi-60DH
  • FortiGateRugged-60D
  • FortiGate-VM01-Hyper-V
  • FortiGate-VM01-KVM
  • FortiWiFi-60D-I
  • FortiGate-60D-Gen2
  • FortiWiFi-60D-J
  • FortiGate-60D-3G4G-VZW
  • FortiWifi-60D-Gen2
  • FortiWifi-60D-Gen2-J
  • FortiWiFi-60D-T
  • FortiGateRugged-90D
  • FortiWifi-60D-Gen2-U
  • FortiGate-50E
  • FortiWiFi-50E
  • FortiGate-51E
  • FortiWiFi-51E
  • FortiWiFi-50E-2R
  • FortiGate-52E
  • FortiGate-40F
  • FortiWiFi-40F
  • FortiGate-40F-3G4G
  • FortiWiFi-40F-3G4G
  • FortiGate-40F-3G4G-NA
  • FortiGate-40F-3G4G-EA
  • FortiGate-40F-3G4G-JP
  • FortiWiFi-40F-3G4G-NA
  • FortiWiFi-40F-3G4G-EA
  • FortiWiFi-40F-3G4G-JP
  • FortiGate-40F-Gen2
  • FortiWiFi-40F-Gen2


The buffer overflow vulnerabilities in TPM 2.0 arise from how the specification processes the parameters for some TPM commands. The flaws allow an authenticated local attacker to exploit them by sending maliciously crafted commands to execute code within the TPM. This could result in information disclosure or escalation of privileges, leading to unauthorized access to sensitive data. The Trusted Computing Group, the developer of the TPM specification, explains that the buffer overflow problems concern reading or writing 2 bytes after the end of the buffer is passed to the ExecuteCommand() entry point.

The impact of the vulnerabilities depends on what vendors have implemented on that memory location. If it is unused memory, the impact may be minimal. However, if it contains live data, such as cryptographic keys, the impact could be severe.


Patches are available for all affected FortiOS and FortiProxy versions and it is recommended that you apply these patches immediately.

Please upgrade to FortiOS version 7.4.0 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.10 or above
Please upgrade to FortiOS version 6.4.12 or above
Please upgrade to FortiOS version 6.2.13 or above
Please upgrade to FortiProxy version 7.2.3 or above
Please upgrade to FortiProxy version 7.0.9 or above
Please upgrade to FortiProxy version 2.0.12 or above
Please upgrade to FortiOS-6K7K version 7.0.10 or above
Please upgrade to FortiOS-6K7K version 6.4.12 or above
Please upgrade to FortiOS-6K7K version 6.2.13 or above

If you are unable to immediately apply patches to vulnerable devices, there are some mitigations for FortiOS devices below:

Disable HTTP/HTTPS administrative interface


Limit IP addresses that can reach the administrative interface:

config firewall address

edit “my_allowed_addresses”

set subnet <MY IP> <MY SUBNET>


Then create an Address Group:

config firewall addrgrp

edit “MGMT_IPs”

set member “my_allowed_addresses”


Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy

edit 1

set intf port1

set srcaddr “MGMT_IPs”

set dstaddr “all”

set action accept

set service HTTPS HTTP

set schedule “always”

set status enable


edit 2

set intf “any”

set srcaddr “all”

set dstaddr “all”

set action deny

set service HTTPS HTTP

set schedule “always”

set status enable


If using non-default ports, create an appropriate service object for GUI administrative access:

config firewall service custom


set tcp-portrange <admin-sport>



set tcp-portrange <admin-port>


Use these objects instead of “HTTPS HTTP “in the local-in policy 1 and 2 below.

When using an HA reserved management interface, the local in policy needs to be configured slightly differently – please see:



Stephen Jones, VP, Cybersecurity

View all Dataprise Defense Digests here.

Recent Tweets


Learn about the latest threats and vulnerabilities with our D3 alerts.

Subscribe to get real-time notifications when a new Dataprise Defense Digest is published.