CVE-2022-29055 Overview
CVE-2022-29055 is an access of uninitialized pointer vulnerability [CWE-824] in the SSL VPN daemon of Fortinet FortiOS and FortiProxy. A remote attacker can send a crafted HTTP GET request to crash the sslvpnd process. The flaw is reachable without authentication, so any network-accessible SSL VPN portal is exposed. Successful exploitation produces a denial of service that disrupts remote access for legitimate users.
Critical Impact
Unauthenticated network attackers can crash the FortiOS and FortiProxy SSL VPN daemon with a single HTTP GET request, disrupting remote access services.
Affected Products
- Fortinet FortiOS 7.2.0, 7.0.0 through 7.0.5, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, and 6.0.x
- Fortinet FortiProxy 7.0.0 through 7.0.4 and 2.0.0 through 2.0.9
- Fortinet FortiProxy 1.2.x
Discovery Timeline
- 2022-10-18 - CVE-2022-29055 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-29055
Vulnerability Analysis
The vulnerability resides in the SSL VPN daemon (sslvpnd) bundled with FortiOS and FortiProxy. The daemon dereferences a pointer that has not been initialized when processing certain HTTP GET requests against the SSL VPN web interface. The dereference operates on memory whose contents are indeterminate, leading to a process crash.
Because the SSL VPN portal is typically internet-facing, the attack surface extends to any reachable FortiGate or FortiProxy appliance with SSL VPN enabled. Exploitation requires no credentials, no user interaction, and only network access to the HTTPS listener. The impact is confined to availability: confidentiality and integrity are not affected, but remote workers and site-to-site VPN tunnels relying on the daemon lose connectivity until the service restarts.
Root Cause
The defect is classified under [CWE-824] (Access of Uninitialized Pointer). The sslvpnd request handler proceeds along a code path that reads from a pointer variable before it receives a valid assignment. When the attacker-controlled request triggers that path, the daemon dereferences indeterminate memory and aborts.
Attack Vector
An attacker sends a crafted HTTP GET request to the SSL VPN web portal exposed by FortiOS or FortiProxy. The request reaches the vulnerable handler before any authentication check, so unauthenticated exploitation is possible. Repeated requests can cause sustained denial of service against the SSL VPN service. Refer to the FortiGuard Security Advisory FG-IR-22-086 for vendor-confirmed technical details.
Detection Methods for CVE-2022-29055
Indicators of Compromise
- Unexpected restarts or crash entries for the sslvpnd process in FortiOS event logs
- SSL VPN session interruptions correlated with inbound HTTP GET requests from unauthenticated sources
- Repeated TCP resets or TLS handshake failures on the SSL VPN listener immediately following a GET request
Detection Strategies
- Monitor FortiOS crashlog output (diagnose debug crashlog read) for sslvpnd signal terminations
- Forward FortiGate event and traffic logs to a centralized analytics platform and alert on bursts of HTTP 4xx/5xx responses from the SSL VPN portal
- Inspect web application firewall or upstream IPS telemetry for malformed HTTP GET patterns targeting /remote/ SSL VPN endpoints
Monitoring Recommendations
- Baseline normal SSL VPN session counts and alert on sudden drops indicative of daemon crashes
- Enable FortiGate SNMP traps for process restart events and forward them to SIEM
- Correlate appliance availability metrics with source IP reputation feeds to identify scanning activity
How to Mitigate CVE-2022-29055
Immediate Actions Required
- Upgrade FortiOS and FortiProxy to fixed releases identified in FortiGuard advisory FG-IR-22-086
- Restrict SSL VPN portal exposure to known source ranges using local-in policies where business requirements allow
- Enable multi-factor authentication on SSL VPN user accounts to limit follow-on access if attackers pivot from availability impact
Patch Information
Fortinet addressed CVE-2022-29055 in updated FortiOS and FortiProxy builds. Administrators should upgrade FortiOS 7.0.x to 7.0.6 or later, FortiOS 6.4.x to 6.4.9 or later, FortiOS 6.2.x to 6.2.11 or later, and FortiProxy 7.0.x to 7.0.5 or later, and FortiProxy 2.0.x to 2.0.10 or later. Consult the FortiGuard Security Advisory for the authoritative fix matrix.
Workarounds
- Disable the SSL VPN service on affected appliances until patches are applied if remote access is not business-critical
- Apply firewall local-in policies that limit access to the SSL VPN portal to trusted IP ranges
- Front the SSL VPN portal with a reverse proxy or WAF capable of dropping malformed HTTP GET requests targeting /remote/ URIs
# Configuration example: restrict SSL VPN access with a local-in policy
config firewall address
edit "trusted-vpn-clients"
set subnet 203.0.113.0 255.255.255.0
next
end
config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "trusted-vpn-clients"
set dstaddr "all"
set action accept
set service "HTTPS"
set schedule "always"
next
edit 2
set intf "wan1"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "HTTPS"
set schedule "always"
next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

