{
	"id": "98e993fb-423f-4cda-a4bc-137c0f6ff1db",
	"created_at": "2026-04-06T00:18:13.470953Z",
	"updated_at": "2026-04-10T13:13:01.994947Z",
	"deleted_at": null,
	"sha1_hash": "7dc767c1bc510974648670c588f7f57bf98633b3",
	"title": "Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59543,
	"plain_text": "Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon\r\nCampaign | Fortinet Blog\r\nBy Carl Windsor\r\nPublished: 2023-06-12 · Archived: 2026-04-05 15:10:18 UTC\r\nAffected Platforms: FortiOS\r\nImpacted Users: Targeted at government, manufacturing, and critical infrastructure\r\nImpact: Data loss and OS and file corruption\r\nSeverity Level: Critical\r\nToday, Fortinet published a CVSS Critical PSIRT Advisory (FG-IR-23-097 / CVE-2023-27997) along with\r\nseveral other SSL-VPN related fixes. This blog adds context to that advisory, providing our customers with\r\nadditional details to help them make informed, risk-based decisions, and provides our perspective relative to\r\nrecent events involving malicious actor activity.\r\nThe following write-up details our initial investigation into the incident that led to the discovery of this\r\nvulnerability and additional IoCs identified during our ongoing analysis.\r\nIncident Analysis\r\nFollowing previous incident FG-IR-22-398 / CVE-2022-42475 published on January 11, 2023—where a heap-based buffer overflow in FortiOS SSL VPN with exploitation was observed in the wild—the Fortinet Product\r\nSecurity Incident Response Team (PSIRT) proactively initiated a code audit of the SSL-VPN module as part of\r\nour commitment to product security and integrity. 
This audit, together with a responsible disclosure from a third-party researcher, led to the identification of certain issues that have been remediated in the current firmware\r\nreleases.\r\nIncident ID | NVD CVE | Product | Severity | Description\r\nFG-IR-23-097 | CVE-2023-27997 | FortiOS | 9.2 (Critical) | Heap buffer overflow in SSL-VPN pre-authentication\r\nFG-IR-23-111 | CVE-2023-29180 | FortiOS | 7.3 (High) | Null pointer de-reference in SSLVPNd\r\nFG-IR-22-475 | CVE-2023-22640 | FortiOS | 7.1 (High) | FortiOS - Out-of-bound-write in SSLVPNd\r\nFG-IR-23-119 | CVE-2023-29181 | FortiOS | 8.3 (High) | Format String Bug in Fclicense daemon\r\nFG-IR-23-125 | CVE-2023-29179 | FortiOS | 6.4 (Medium) | Null pointer de-reference in SSLVPNd proxy endpoint\r\nFG-IR-22-479 | CVE-2023-22641 | FortiOS | 4.1 (Medium) | Open redirect in SSLVPNd\r\nOur investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and\r\nwe are working closely with customers to monitor the situation.\r\nFor this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to\r\nupgrade to the most recent firmware release. If the customer is not operating SSL-VPN the risk of this issue is\r\nmitigated – however, Fortinet still recommends upgrading.\r\nClarifications on Volt Typhoon Campaign\r\nOur own research, conducted in collaboration with our customers, has identified that the Volt Typhoon campaign\r\nuses a variety of tactics, techniques, and procedures (TTPs) to gain access to networks, including a widely used\r\ntechnique known as “living off the land” to evade detection. 
The campaign appears to use vulnerabilities for\r\nwhich patches exist, primarily FG-IR-22-377 / CVE-2022-40684 for initial access, as Indicators of Compromise –\r\nadmin accounts named `fortinet-tech-support` and `fortigate-tech-support` – were found in customer devices related\r\nto this campaign.\r\nAt this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign; however, Fortinet expects all threat\r\nactors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in\r\nwidely used software and devices. For this reason, Fortinet urges immediate and ongoing mitigation through an\r\naggressive patching campaign.\r\nRecommended Actions\r\nIn addition to monitoring Security Advisories and the immediate patching of systems, Fortinet strongly\r\nrecommends the following:\r\n- Review your systems for evidence of exploitation of previous vulnerabilities, e.g., FG-IR-22-377 / CVE-2022-40684\r\n- Maintain good cyber hygiene and follow vendor patching recommendations\r\n- Follow hardening recommendations, e.g., FortiOS 7.2.0 Hardening Guide\r\n- Minimize the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible\r\nAdditional Guidance\r\nAs a forward-looking security vendor, Fortinet’s Product Security Team is constantly seeking ways to engage,\r\ninform, and encourage our customers to institute mitigation best practices and to patch their systems.\r\nIf a customer should need additional guidance, they are advised to reach out to customer support.\r\nPlease contact Fortinet Security via the Submission Form if you have any other suggestions or feedback.\r\nFortinet continues to follow its PSIRT processes and best practices to best mitigate the situation.\r\nFor details of the Fortinet PSIRT Policy: https://www.fortiguard.com/psirt_policy.\r\nSource: 
https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign"
	],
	"report_names": [
		"analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dc767c1bc510974648670c588f7f57bf98633b3.pdf",
		"text": "https://archive.orkl.eu/7dc767c1bc510974648670c588f7f57bf98633b3.txt",
		"img": "https://archive.orkl.eu/7dc767c1bc510974648670c588f7f57bf98633b3.jpg"
	}
}