Fortinet Patches Critical RCE Flaw in FortiGate SSL VPN Firewall
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Fortinet, a network-security vendor, has released patches for a critical vulnerability in the SSL-VPN component of its FortiOS and FortiProxy firmware. The flaw is believed to have been exploited on a limited scale by unknown threat actors against manufacturing, government and critical-infrastructure organisations.
Tracked as CVE-2023-27997 (Fortinet advisory FG-IR-23-097), the flaw is described as a ‘heap buffer overflow in SSL-VPN pre-authentication’. Fortinet rates it critical with a CVSS score of 9.2.
Discovered by Lexfo Security, the bug is reachable before any credentials are checked, so it affects every device with the SSL-VPN service enabled and allows unauthenticated remote code execution (RCE). Fortinet also identified the flaw itself during a code audit of the SSL-VPN module that followed an earlier, similar exploitation incident, and it quietly shipped fixes before disclosing the issue.
On June 12 the company published an advisory disclosing the vulnerability, and the following day it released the list of affected firmware versions together with steps to mitigate the risk. The fixes are included in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5; devices on earlier builds of those branches remain exposed until upgraded.
Fortinet routinely ships fixes before it publicly discloses the underlying vulnerabilities. Because its VPN and firewall appliances sit at the network edge and are widely deployed, they are a lucrative target for hackers and ransomware gangs, and the quiet release of fixes gives customers a window to upgrade, or to disable the affected service, before exploit details circulate.
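The advisory summary above reduces to two questions for each appliance: is the build at or above the fixed release for its branch, and is SSL-VPN actually enabled? The script below is an added example (not a Fortinet tool) that answers both for an inventory list. It assumes version strings of the form "X.Y.Z", uses only the five fixed builds named in the article, and reports any other branch as unknown rather than guessing; the constructed inventory lines at the bottom are sample data, not real devices.

```python
"""Triage FortiOS versions against the fixed releases for CVE-2023-27997.

Added example, not Fortinet code. FIXED_BUILDS holds the five fixed
versions named in the article; any other release branch is reported as
unknown so the reader consults FG-IR-23-097 directly instead of trusting
a guess.
"""
from typing import Optional, Tuple

# First build on each release branch that contains the fix (from the article).
FIXED_BUILDS = {
    (6, 0): 17,
    (6, 2): 15,
    (6, 4): 13,
    (7, 0): 12,
    (7, 2): 5,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v7.0.11' or '7.0.11' into (7, 0, 11); raise on anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_patched(version: str) -> Optional[bool]:
    """True if the build carries the fix, False if it is vulnerable,
    None if the branch is not in FIXED_BUILDS (assumption: do not guess)."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_BUILDS.get((major, minor))
    if fixed_patch is None:
        return None
    return patch >= fixed_patch


def triage(version: str, sslvpn_enabled: bool) -> str:
    """Combine the version check with whether SSL-VPN is switched on.

    The bug lives in pre-authentication SSL-VPN code, so a vulnerable build
    with the service disabled is not reachable through it; disabling SSL-VPN
    is Fortinet's documented interim workaround, the upgrade is the fix.
    """
    state = is_patched(version)
    if state is None:
        return "unknown: branch not in table, consult FG-IR-23-097"
    if state:
        return "patched"
    if not sslvpn_enabled:
        return "vulnerable build, SSL-VPN disabled: not exposed, upgrade at next window"
    return "vulnerable build with SSL-VPN enabled: upgrade or disable SSL-VPN now"


if __name__ == "__main__":
    # Constructed inventory lines for the demonstration, not real device data.
    inventory = [
        ("fw-edge-01", "7.0.11", True),
        ("fw-edge-02", "7.2.5", True),
        ("fw-lab-03", "6.4.10", False),
        ("fw-test-04", "7.4.0", True),
    ]
    for name, ver, vpn in inventory:
        print(f"{name:12} {ver:8} -> {triage(ver, vpn)}")
```

The table-driven comparison matters because a plain string or float comparison gets this wrong: "7.2.5" is fixed while "7.0.11" is not, even though 7.0.11 sorts "higher" as a patch number. Keeping unknown branches as None rather than True avoids silently marking a device safe.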
Data Breach: Nearly 9 Million Zacks Customer Data Exposed by Threat Actors
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
A breach notification published by Have I Been Pwned disclosed that the personal data of nearly 9 million Zacks customers had been posted publicly on the Exposed hacking forum.
The data, which dates back to 2020, includes names, email and postal addresses, phone numbers, usernames and unsalted SHA-256 password hashes. No bank or card details were included, so there is no indication that the attackers obtained financial information. The password hashes are a weaker protection than they sound, however: without a per-user salt, every account that chose the same password shares the same digest, and common passwords can be recovered from a precomputed list in a single pass.
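To show why the "encrypted" description of an unsalted SHA-256 dump is misleading, here is an added example (not code from Zacks or Have I Been Pwned) that builds a constructed leak, recovers every weak password from it with one hash per wordlist entry, and contrasts that with a per-user salted, deliberately slow PBKDF2 scheme where no precomputed table helps. The usernames, passwords and wordlist are invented for the demonstration, and the PBKDF2 round count is kept low so the example runs quickly.

```python
"""Why an unsalted SHA-256 password dump is close to plaintext.

Added example, not code from Zacks or Have I Been Pwned. Every record below
is constructed for the demonstration; no real data is involved.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed attacker wordlist (real ones have hundreds of millions of entries).
WORDLIST = ["password", "123456", "qwerty", "letmein", "summer2020", "Zacks!Elite"]


def sha256_hex(password: str) -> str:
    """The weak scheme: a bare, unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_leak(user_passwords: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Produce (username, unsalted_sha256) rows the way a weak site would store them."""
    return [(user, sha256_hex(pw)) for user, pw in user_passwords]


def crack_unsalted(leak: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """One hash per candidate word recovers every user who chose that word.

    The digest table is computed once and reused against all rows, so the cost
    is O(len(wordlist) + len(leak)), no matter how many users are in the dump.
    """
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[digest] for user, digest in leak if digest in table}


# --- the hardened alternative -------------------------------------------

# Kept low so the example runs in seconds; production deployments use a much
# higher count tuned to roughly 100 ms per hash on the serving hardware.
PBKDF2_ROUNDS = 100_000


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a recomputed digest against the stored one."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(leak: List[Tuple[str, bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """With salts the attacker must redo the slow hash for every (user, word) pair.

    Work is O(len(wordlist) * len(leak)) multiplied by the PBKDF2 cost, and a
    table built for one user is useless against the next.
    """
    found: Dict[str, str] = {}
    for user, salt, digest in leak:
        for word in wordlist:
            if verify_salted(word, salt, digest):
                found[user] = word
                break
    return found


def demo() -> Tuple[Dict[str, str], bool]:
    """Constructed dump: two users share a weak password, one chose a strong one."""
    users = [("alice", "summer2020"), ("bob", "summer2020"), ("carol", "x9#Lq!v2Tz")]
    leak = build_leak(users)
    cracked = crack_unsalted(leak, WORDLIST)
    same_digest = leak[0][1] == leak[1][1]  # unsalted: identical passwords, identical hashes
    return cracked, same_digest


if __name__ == "__main__":
    cracked, same = demo()
    print("unsalted dump: recovered", cracked, "| alice and bob share a digest:", same)
    salt, digest = hash_salted("summer2020")
    print("salted scheme: recovered", crack_salted([("alice", salt, digest)], WORDLIST))
```

The salted scheme still falls to a targeted wordlist for a weak password, as the final line shows; what it removes is the bulk discount. Against the unsalted dump the attacker pays for the wordlist once and reads off every matching account, which is why a leak of this kind should be treated as a plaintext credential leak for any user who reused a common password.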
Zacks has not published a statement of its own about this larger exposure. According to Have I Been Pwned, however, when notified the company confirmed the wider scope: ‘‘on disclosure of the larger breach, Zacks advised that in addition to their original report “the unauthorized third parties also gained access to encrypted [sic] passwords of zacks.com customers, but only in the encrypted [sic] format”.’’ The [sic] markers are Have I Been Pwned’s: the passwords were hashed, not encrypted.
Earlier, in January 2023, Zacks had disclosed a breach in which the personal information of about 820,000 customers was put at risk. That intrusion was said to have taken place between November 2021 and August 2022 and affected customers of its Elite product; customers who had signed up for the product between November 1999 and February 2005 were notified.
In that notification, Zacks said it had already taken the necessary security measures to mitigate the threat and would not be offering credit monitoring to affected customers. It added that its investigation had found no evidence that users’ data was being misused, but urged customers to monitor their bank and other financial accounts for suspicious transactions and to be alert to phishing and credential-stuffing attempts that reuse the leaked details.
Founded in 1978, Zacks Investment Research is a US-based investment research company. The company provides independent stock-related data and analysis to professional investors.