CVE-2022-42475 Overview
A heap-based buffer overflow vulnerability (CWE-122) exists in the SSL-VPN component of FortiOS and FortiProxy. This memory corruption flaw allows remote unauthenticated attackers to execute arbitrary code or commands via specifically crafted requests to vulnerable FortiGate devices. The vulnerability affects multiple versions of FortiOS spanning from version 6.0.15 and earlier through 7.2.2, as well as FortiProxy versions up to 7.2.1.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Remote unauthenticated attackers can achieve complete system compromise by executing arbitrary code on affected FortiGate firewalls and FortiProxy devices, potentially gaining persistent access to enterprise network perimeters.
Affected Products
- Fortinet FortiOS 7.2.0 through 7.2.2
- Fortinet FortiOS 7.0.0 through 7.0.8
- Fortinet FortiOS 6.4.0 through 6.4.10
- Fortinet FortiOS 6.2.0 through 6.2.11
- Fortinet FortiOS 6.0.15 and earlier
- Fortinet FortiProxy 7.2.0 through 7.2.1
- Fortinet FortiProxy 7.0.7 and earlier
- Fortinet FortiGate 6300F, 6500F, 6501F, 6601F series
- Fortinet FortiGate 7030E, 7040E, 7060E, 7121F series
- Fortinet FIM-7901E, FIM-7904E, FIM-7910E, FIM-7920E, FIM-7921F, FIM-7941F
- Fortinet FPM-7620E, FPM-7620F, FPM-7630E
Discovery Timeline
- 2023-01-02 - CVE-2022-42475 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2022-42475
Vulnerability Analysis
This vulnerability is a heap-based buffer overflow (CWE-787) affecting the SSL-VPN functionality in FortiOS and FortiProxy products. The flaw occurs when the SSL-VPN daemon processes specially crafted HTTP requests, failing to properly validate the size of input data before copying it into a fixed-size heap buffer. This allows attackers to overflow the buffer and overwrite adjacent heap memory structures.
The vulnerability is particularly dangerous because it affects the SSL-VPN service, which is typically exposed to the internet to provide remote access functionality. As a pre-authentication vulnerability, attackers do not need valid credentials to exploit this flaw, significantly lowering the barrier for successful attacks.
Successful exploitation grants attackers the ability to execute arbitrary code with root privileges on the underlying operating system of the FortiGate or FortiProxy device. Given that these devices serve as network perimeter security appliances, compromise provides attackers with a strategic foothold for lateral movement into protected network segments.
Root Cause
The root cause of CVE-2022-42475 is improper bounds checking in the SSL-VPN request handling code. When processing incoming SSL-VPN connections, the affected code allocates a heap buffer of a predetermined size but fails to validate that user-supplied data fits within this allocation. The vulnerability is classified under CWE-197 (Numeric Truncation Error) and CWE-787 (Out-of-bounds Write), indicating that the flaw involves improper handling of size calculations that leads to writing data beyond the intended buffer boundaries.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTPS requests to the SSL-VPN service running on TCP port 443 (or the configured SSL-VPN port). The crafted request contains oversized data fields designed to trigger the buffer overflow condition.
The exploitation flow typically involves:
- Attacker identifies an internet-exposed FortiGate device with SSL-VPN enabled
- Malicious requests are sent to the SSL-VPN endpoint containing payload data exceeding expected buffer sizes
- The heap-based buffer overflow corrupts adjacent memory, allowing control of execution flow
- Attacker-supplied shellcode executes with root privileges on the device
Given the network-accessible nature of SSL-VPN services and the pre-authentication attack surface, this vulnerability presents an ideal target for opportunistic attackers and advanced persistent threat (APT) groups. For detailed technical information, refer to the FortiGuard Security Advisory.
Detection Methods for CVE-2022-42475
Indicators of Compromise
- Monitor for unexpected files in /data/lib/ directory on FortiGate devices, particularly suspicious shared libraries
- Check for unauthorized modifications to system binaries or configuration files
- Look for anomalous outbound connections from FortiGate devices to unknown external IP addresses
- Review SSL-VPN logs for unusual connection patterns or malformed request attempts
Detection Strategies
- Deploy network-based intrusion detection signatures for malformed SSL-VPN traffic patterns targeting FortiOS devices
- Implement continuous vulnerability scanning to identify unpatched FortiOS and FortiProxy instances in your environment
- Monitor FortiGate device integrity using file integrity monitoring solutions to detect unauthorized changes
- Correlate authentication logs with SSL-VPN access patterns to identify suspicious pre-authentication activity
Monitoring Recommendations
- Enable and centralize logging for all FortiGate SSL-VPN services to a SIEM platform for real-time analysis
- Configure alerts for crash events or unexpected service restarts on FortiGate devices that may indicate exploitation attempts
- Implement network traffic analysis to detect command-and-control communications from compromised appliances
- Regularly audit FortiGate devices for signs of persistence mechanisms or unauthorized administrative accounts
How to Mitigate CVE-2022-42475
Immediate Actions Required
- Immediately upgrade FortiOS to version 7.2.3 or later, 7.0.9 or later, 6.4.11 or later, 6.2.12 or later, or 6.0.16 or later
- Upgrade FortiProxy to version 7.2.2 or later or 7.0.8 or later
- If immediate patching is not possible, disable SSL-VPN functionality until patches can be applied
- Conduct forensic analysis on potentially compromised devices to identify signs of exploitation
Patch Information
Fortinet has released security patches addressing this vulnerability. Organizations should apply the appropriate firmware updates as documented in the FortiGuard Security Advisory FG-IR-22-398. Given the active exploitation status and CISA KEV listing, this vulnerability should be prioritized for immediate remediation.
The following patched versions are available:
- FortiOS: 7.2.3, 7.0.9, 6.4.11, 6.2.12, 6.0.16 and later releases
- FortiProxy: 7.2.2, 7.0.8 and later releases
Workarounds
- Disable SSL-VPN functionality if not required for business operations until patching can be completed
- Implement strict firewall rules to limit SSL-VPN access to known, trusted IP address ranges where feasible
- Enable multi-factor authentication and monitor for any bypass attempts on SSL-VPN connections
- Consider deploying a web application firewall (WAF) in front of SSL-VPN services to filter malicious requests
# Example: Verify FortiOS version via CLI
get system status
# Example: Disable SSL-VPN if not needed (FortiOS CLI)
config vpn ssl settings
set status disable
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
