CVE-2023-47091: n/a in n/a
An issue was discovered in Stormshield Network Security (SNS) SNS 4.3.13 through 4.3.22 before 4.3.23, SNS 4.6.0 through 4.6.9 before 4.6.10, and SNS 4.7.0 through 4.7.1 before 4.7.2. An attacker can overflow the cookie threshold, making an IPsec connection impossible.
AI Analysis
Technical Summary
CVE-2023-47091 is a high-severity vulnerability affecting multiple versions of Stormshield Network Security (SNS) appliances, specifically versions 4.3.13 through 4.3.22 (prior to 4.3.23), 4.6.0 through 4.6.9 (prior to 4.6.10), and 4.7.0 through 4.7.1 (prior to 4.7.2). The vulnerability arises from a buffer overflow condition related to the handling of cookie thresholds during IPsec VPN connections. An attacker can exploit this flaw by sending crafted packets that overflow the cookie threshold, which disrupts the establishment of IPsec connections. This results in a denial of service (DoS) condition, rendering IPsec VPN tunnels inoperable. The vulnerability is classified under CWE-120 (Classic Buffer Overflow), indicating that improper bounds checking leads to memory corruption. According to the CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the attack can be executed remotely over the network without any privileges or user interaction, and it solely impacts availability without compromising confidentiality or integrity. No known exploits are currently reported in the wild, but the ease of exploitation and the critical role of IPsec VPNs in secure communications make this a significant threat. The lack of patch links in the provided data suggests that users should verify with Stormshield for the availability of official updates or mitigations. Given that Stormshield is a European cybersecurity vendor with strong market presence in Europe, particularly in France and neighboring countries, this vulnerability has notable regional relevance.
Potential Impact
The primary impact of CVE-2023-47091 is the disruption of IPsec VPN connectivity, which can severely affect the availability of secure network communications. For European organizations relying on Stormshield SNS appliances to secure remote access, site-to-site VPNs, or inter-office communications, this vulnerability could cause significant operational downtime. Critical sectors such as government, finance, healthcare, and critical infrastructure that depend on uninterrupted VPN services for secure data transmission may experience service outages, leading to potential loss of productivity and increased risk exposure. Although the vulnerability does not directly compromise data confidentiality or integrity, the denial of service can indirectly increase risk by forcing organizations to revert to less secure communication methods or exposing them to operational disruptions. The fact that exploitation requires no authentication or user interaction increases the risk of automated or opportunistic attacks, especially in environments where these devices are exposed to untrusted networks. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once details become public.
Mitigation Recommendations
1. Immediate verification and application of vendor patches or firmware updates as soon as they become available from Stormshield is critical. Users should monitor official Stormshield advisories and support channels for release announcements related to versions 4.3.23, 4.6.10, and 4.7.2 or later.
2. In the absence of patches, implement network-level mitigations such as restricting IPsec VPN access to trusted IP addresses and networks using firewall rules to reduce exposure to untrusted sources.
3. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection capabilities tuned to identify abnormal IPsec cookie threshold behaviors or malformed packets that could trigger the overflow.
4. Regularly audit and monitor VPN connection logs and device health metrics to detect unusual connection failures or service disruptions indicative of exploitation attempts.
5. Consider deploying redundant VPN gateways or failover mechanisms to maintain availability in case one device is impacted.
6. Conduct internal security awareness and incident response exercises focused on VPN service disruptions to ensure rapid detection and recovery.
7. Engage with Stormshield support to confirm the vulnerability status of deployed devices and obtain guidance on interim mitigations or configuration changes that may reduce risk.
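To support the patch verification and status confirmation steps above, the following added example (not Stormshield code and not part of the original page) triages a firmware inventory against the affected ranges stated in the CVE description. The host names and inventory format are constructed for illustration; versions outside the listed ranges are reported as "not-listed" rather than safe, because this page makes no statement about them.

```python
import re

# Affected ranges from the CVE description on this page:
# (first affected version, first fixed version) per release branch.
AFFECTED = [
    ((4, 3, 13), (4, 3, 23)),
    ((4, 6, 0), (4, 6, 10)),
    ((4, 7, 0), (4, 7, 2)),
]

# Exactly three dotted numbers; rejects longer dotted strings such as IP addresses.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?!\d|\.\d)")


def parse_version(text):
    """Return (major, minor, patch) from e.g. 'SNS 4.6.9', or None if unparseable."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def assess(version_text):
    """Classify one firmware string as (status, first_fixed_version_or_None)."""
    version = parse_version(version_text)
    if version is None:
        return ("unknown", None)  # needs manual follow-up
    for first_affected, first_fixed in AFFECTED:
        if first_affected <= version < first_fixed:
            return ("affected", ".".join(map(str, first_fixed)))
    return ("not-listed", None)  # outside the ranges named on this page


def triage(inventory):
    """Map each host to its assessment."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical host names and version strings).
INVENTORY = {
    "fw-site-a": "4.3.22",
    "fw-site-b": "SNS 4.6.10",
    "fw-site-c": "4.7.1",
    "fw-site-d": "4.3.12",
    "fw-site-e": "version not reported",
}

if __name__ == "__main__":
    for host, (status, fixed) in triage(INVENTORY).items():
        target = f" -> upgrade to {fixed} or later" if fixed else ""
        print(f"{host}: {status}{target}")
```
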
Affected Countries
France, Germany, Belgium, Netherlands, Luxembourg, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2023-10-30T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9846c4522896dcbf518f
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/21/2025, 10:13:04 PM
Last updated: 12/4/2025, 8:45:23 PM