Security Advisory 2023-047

Release Date:

RCE Vulnerability in FortiOS and FortiProxy



  • 13/07/2023 --- v1.0 -- Initial publication


On July 11, 2023, Fortinet released an advisory regarding a critical vulnerability in FortiOS & FortiProxy that may allow remote attackers to execute arbitrary code or command via crafted packets [1]. This vulnerability was identified as CVE-2023-33308 with CVSS score of 9.8.

Due to the level of access and control on the network, we recommend to update as soon as possible.

Technical Details

This vulnerability is the result of a stack-based overflow vulnerability in FortiOS & FortiProxy. A remote attacker can send crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection to execute arbitrary code or command.

Affected Products

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.10
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.9


CERT-EU strongly recommends upgrading affected FortiOS & FortiProxy products to the latest version.


It is possible to disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode [1,2].




We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.