Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specifically crafted requests.
FREQUENTLY ASKED
What is CVE-2022-42475 and why does it matter?
CVE-2022-42475 is a critical heap-based buffer overflow vulnerability in Fortinet FortiOS SSL-VPN. It matters because it allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. With a CVSS score of 9.3 and known exploitation by ransomware actors, it represents a severe risk to organizational infrastructure and data integrity.
Which versions of the product are affected?
The vulnerability affects FortiOS SSL-VPN versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier. It also impacts FortiProxy SSL-VPN versions 7.2.0 through 7.2.1, and 7.0.7 and earlier. Older legacy versions such as 5.0.0 through 5.6.0 are also listed as affected in historical records.
Whether a patch has been released?
Yes, Fortinet has released security patches to address this vulnerability. Users are urged to upgrade to FortiOS version 7.2.3 or higher, 7.0.9 or higher, 6.4.11 or higher, and 6.2.12 or higher. Detailed remediation instructions and the official patch information can be found at the FortiGuard PSIRT link: https://fortiguard.com/psirt/FG-IR-22-398.
What is the remediation deadline and what it means for compliance?
The remediation deadline is 2023-01-03. For federal agencies and organizations following CISA guidelines, this deadline is a mandatory requirement under BOD 22-01. Missing this deadline means the organization is in a state of non-compliance and remains exposed to a vulnerability that is actively being exploited by sophisticated threat actors and ransomware groups.
How to check if an instance/deployment is affected?
To check for impact, administrators should verify the current firmware version of their FortiOS or FortiProxy devices against the list of affected versions. Additionally, organizations should inspect system logs for unusual SSL-VPN requests and monitor for indicators of compromise (IoCs) provided by Fortinet, as this vulnerability has been observed in active, targeted attacks.
CVE-2022-42475 is a critical heap-based buffer overflow vulnerability identified within the Fortinet FortiOS SSL-VPN component. With a CVSS score of 9.3, this security flaw represents one of the most significant risks to enterprise perimeter security in recent years. The vulnerability allows an unauthenticated, remote attacker to achieve total system compromise by executing arbitrary code or commands through specially crafted requests. Given its high EPSS score of 0.93984 and documented use by ransomware groups, immediate action is required to meet the remediation deadline of 2023-01-03.
Understanding the technical underpinnings of CVE-2022-42475 requires an analysis of how FortiOS handles memory allocation and data processing within the SSL-VPN daemon. The vulnerability is characterized by a heap-based buffer overflow (CWE-122) and is further complicated by numeric truncation issues (CWE-197).
The Mechanism of the Heap Overflow
A heap-based buffer overflow occurs when a program writes more data to a buffer located on the heap than that buffer can hold. In the context of CVE-2022-42475, the SSL-VPN service fails to properly validate the size of incoming network requests. When a remote attacker sends a specifically crafted HTTP request, the service allocates a specific amount of memory on the heap. If the input data exceeds this allocation, the excess data spills over into adjacent memory blocks.
By carefully structuring the overflow, an attacker can overwrite critical control data, such as function pointers or return addresses. This allows the attacker to redirect the flow of execution to a payload of their choosing, resulting in unauthenticated Remote Code Execution (RCE). Because the SSL-VPN service often runs with high privileges to manage network traffic, the resulting "blast radius" is total, granting the attacker full control over the gateway device.
Numeric Truncation and Memory Corruption
The presence of CWE-197 (Numeric Truncation) suggests that the underlying cause of the buffer miscalculation may involve the casting of a larger integer type to a smaller one. For example, if a 64-bit integer representing the length of an incoming packet is truncated to a 32-bit or 16-bit integer before memory allocation, the application may allocate a buffer that is significantly smaller than the actual data payload. When the data is subsequently copied into this undersized buffer, the overflow is triggered. This type of logic error is common in complex C-based networking stacks where various data types are used to handle protocol headers.
Who Is Affected
This vulnerability impacts any organization utilizing Fortinet FortiOS or FortiProxy for SSL-VPN services. This includes a wide range of sectors, from government agencies to global financial institutions, who rely on these devices to secure remote access for their workforces.
CISA BOD 22-01 Compliance
Due to active exploitation in the wild, CISA added CVE-2022-42475 to the Known Exploited Vulnerabilities (KEV) catalog shortly after disclosure. Under Binding Operational Directive (BOD) 22-01, federal agencies and participating organizations were required to remediate this vulnerability by 2023-01-03. The "active" status in the Stakeholder-Specific Vulnerability Categorization (SSVC) and the high EPSS score highlight that this is not merely a theoretical risk, but a weaponized exploit being used in real-world campaigns, including those involving ransomware.
Official Remediation Steps
To mitigate the risk of exploitation, administrators must follow the official vendor instructions immediately.
Identify Vulnerable Assets: Audit all FortiGate and FortiProxy devices to determine if they are running affected firmware versions (7.2.0-7.2.2, 7.0.0-7.0.8, 6.4.0-6.4.10, 6.2.0-6.2.11, etc.).
Download Official Patches: Access the Fortinet Support portal and obtain the corrected firmware versions:
FortiOS 7.2.3 or later
FortiOS 7.0.9 or later
FortiOS 6.4.11 or later
FortiOS 6.2.12 or later
Perform Controlled Upgrades: Schedule a maintenance window to apply the updates. Ensure a full configuration backup is taken prior to the upgrade process.
Validate Implementation: Post-upgrade, verify that the SSL-VPN service is functioning correctly and that the firmware version matches the patched release.
Review System Logs: Check for historical evidence of compromise. Look for crashing of the sslvpnd process or unusual logs that may indicate past exploitation attempts.
Beyond patching, organizations should adopt a defense-in-depth posture to protect against similar memory corruption vulnerabilities in the future:
Implement Least Privilege for VPN Access: Ensure that SSL-VPN users only have access to the specific resources required for their roles, limiting the internal movement an attacker can make if the gateway is compromised.
Enable Multi-Factor Authentication (MFA): While MFA does not prevent the buffer overflow itself, it is a critical barrier against credential theft which often follows initial access via RCE.
Geographic and IP Filtering: Restrict access to the SSL-VPN portal to known IP ranges or specific geographic regions to reduce the exposed attack surface.
Network Segmentation: Isolate the VPN termination point from sensitive internal networks. If the SSL-VPN service is compromised, segmentation can prevent the attacker from traversing into the data center or core infrastructure.
Advanced Endpoint Detection and Response (EDR): Deploy EDR on internal systems to monitor for the lateral movement and command-and-control (C2) activity that typically occurs after a gateway device is breached.
Regular Log Auditing: Automate the collection and analysis of VPN logs. Look for patterns such as repeated connection attempts from single IPs or malformed requests that could indicate automated scanning for vulnerabilities.
Disable Unused Services: If SSL-VPN functionality is not required for your operational needs, disable the service entirely to eliminate the associated attack surface.