Critical RCE Bug Opens Fortinet’s Secure Web Gateway to Takeover

Fortinet is warning users to patch a critical remote code execution (RCE) vulnerability in the FortiOS operating system, and in the FortiProxy secure Web gateway. 

An alert this week from FortiGuard Labs said a heap buffer underflow bug in the administrative interface could allow an unauthenticated, remote cyberattacker to execute code on a device running the platforms. The vulnerability could also allow a threat actor to perform a denial-of-service (DoS) attack on the GUI of devices running the vulnerable code, Fortinet added.

Fortinet has issued a security update for FortiOS and FortiProxy interfaces, and noted that no exploitation has been detected yet. 

“Fortinet is not aware of any instance where this vulnerability was exploited in the wild,” the alert explained. “We continuously review and test the security of our products, and this vulnerability was internally discovered within that frame.”

This is the latest bug to come to light in the popular security appliance vendor’s gear. Just late last month, Fortinet urged FortiNAC users to update their systems against a flaw that allowed unauthenticated attackers to write arbitrary system files.