CVE-2022-27491
FortiOS vulnerability analysis and mitigation

Overview

An improper verification of source of a communication channel vulnerability [CWE-940] in FortiOS was discovered and disclosed on September 6, 2022. The vulnerability affects multiple versions of FortiOS, including 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, and all 6.0 versions. This medium-severity vulnerability (CVSS v3.1 score: 6.6) allows a remote, unauthenticated attacker to trigger the sending of 'blocked page' HTML data to an arbitrary victim via crafted TCP requests, potentially causing a denial of service condition (Fortinet Advisory, NVD).

Technical details

The vulnerability is exploitable when a FortiOS firewall policy has its inspection mode set to flow-based (the default configuration) and at least one Security Profile is enabled on that policy (Web Filter, AntiVirus, IPS, DLP, Application Control, SSL, or File filter). The attack leverages TCP middlebox reflection: the firewall itself sends the blocked page HTML data to the arbitrary victim whose address appears as the source of the crafted requests. The CVSS v3.1 base score is 6.6 (Medium) according to Fortinet's assessment, while NVD rates it at 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Fortinet Advisory, NVD).

Impact

Successful exploitation of this vulnerability can result in a denial of service condition in which the attacker floods arbitrary victims with blocked page HTML data reflected off the firewall. The attack can disrupt service availability for the targeted systems by overwhelming them with this reflected traffic (Fortinet Advisory).

Mitigation and workarounds

Fortinet has provided multiple mitigation options (Fortinet Advisory):

1) Upgrade to FortiOS version 6.2.11 or above, 6.4.9 or above, 7.0.6 or above, or 7.2.1 or above.
2) Alternatively, upgrade the IPS engine to specific versions: 4.086 or above for 6.0.x, 5.259 or above for 6.2.x, 6.122 or above for 6.4.x, 7.114 or above for 7.0.x, and 7.215 or above for 7.2.0.
3) As workarounds, administrators can disable or adjust the security profiles that trigger blocked page HTTP data, use proxy-based inspection mode instead of flow-based mode, or empty the replacement page in Security Profiles to limit amplification.
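The precondition in Technical details (flow-based inspection plus at least one Security Profile) and the proxy-mode workaround above can be checked against a firewall-policy configuration dump. The following audit helper is an added example, not part of this report or of Fortinet's tooling; the sample configuration is constructed, the profile key names are assumed FortiOS CLI keys, and an absent inspection-mode key is treated as flow-based, since that is the default.

```python
# Assumed FortiOS firewall-policy keys that attach a Security Profile.
PROFILE_KEYS = ("webfilter-profile", "av-profile", "ips-sensor", "dlp-sensor",
                "application-list", "ssl-ssh-profile", "file-filter-profile")

# Constructed sample of a 'show firewall policy' dump, not a real device export.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set webfilter-profile "default"
    next
    edit 2
        set inspection-mode proxy
        set av-profile "default"
    next
    edit 3
        set inspection-mode flow
        set ips-sensor "default"
    next
end
"""

def parse_policies(config_text):
    """Return {policy_id: {key: value}} for entries under 'config firewall policy'."""
    policies, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            break
        elif line.startswith("edit "):
            current = line[5:].strip('"')
            policies[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.strip().strip('"')
    return policies

def exposed_policies(config_text):
    """IDs of policies meeting the CVE-2022-27491 precondition: flow-based
    inspection (the default when inspection-mode is absent) and a Security Profile."""
    exposed = []
    for pid, keys in parse_policies(config_text).items():
        flow_based = keys.get("inspection-mode", "flow") == "flow"
        if flow_based and any(keys.get(k) for k in PROFILE_KEYS):
            exposed.append(pid)
    return exposed
```

Policies reported by exposed_policies still need the version or IPS engine upgrade; switching them to proxy-based inspection, as policy 2 is, removes them from the list.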

Additional resources


Related FortiOS vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-58413 | HIGH | 7.5 | FortiOS | cpe:2.3:o:fortinet:fortios | No | Yes | Nov 18, 2025 |
| CVE-2025-53843 | HIGH | 7.5 | FortiOS | cpe:2.3:o:fortinet:fortios | No | Yes | Nov 18, 2025 |
| CVE-2025-58325 | MEDIUM | 6.7 | FortiOS | cpe:2.3:o:fortinet:fortios | No | Yes | Oct 14, 2025 |
| CVE-2025-54821 | MEDIUM | 6 | FortiOS | cpe:2.3:o:fortinet:fortios | No | Yes | Nov 18, 2025 |
| CVE-2025-58903 | MEDIUM | 4.9 | FortiOS | cpe:2.3:o:fortinet:fortios | No | Yes | Oct 14, 2025 |