CVE-2022-42475
CVE-2022-42475 is a critical-severity vulnerability in Fortinet Fortios with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-12-13). The underlying weakness is classified as CWE-787.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-12-13)
- EU (EUVD) id: EUVD-2022-45545
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-12-13)
- Weakness: CWE-787
- Affected product: Fortinet Fortios
- Published:
- Last modified:
Description
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
CVE-2022-42475: FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2022-42475 |
| CVSS 3.1 | 9.8 Critical — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.99474 |
| KEV | Yes — added 2022-12-13 |
| CWE | CWE-787 (source also cites CWE-122) |
| Vendor | Fortinet |
| Source | FortiGuard PSIRT FG-IR-22-398, CISA KEV Catalog |
Summary
A heap-based buffer overflow vulnerability exists in the SSL-VPN component of FortiOS and FortiProxy. The flaw may allow a remote unauthenticated attacker to execute arbitrary code or commands by sending specifically crafted requests to the SSL-VPN endpoint.
Background
Fortinet FortiOS is the operating system powering FortiGate next-generation firewalls and other security appliances. The SSL-VPN feature provides remote-access connectivity for users and is frequently exposed to the internet. FortiProxy is a secure web gateway that also offers SSL-VPN capabilities. Because SSL-VPN endpoints are often internet-facing, vulnerabilities in this component are attractive to threat actors seeking initial access to enterprise networks.
Root Cause
The vulnerability is classified as CWE-787: Out-of-bounds Write (the source summary also references CWE-122: Heap-based Buffer Overflow). A heap-based buffer overflow occurs when an application writes data beyond the allocated heap buffer boundary. In the SSL-VPN context, this likely stems from insufficient input validation when processing client requests, allowing an attacker to corrupt adjacent memory structures and hijack control flow. The exact function or parser is not disclosed in the source data, but the attack vector is network-facing and does not require authentication.
Impact
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (Critical).
- Attack Vector (AV:N): Exploitable over the network without local access.
- Attack Complexity (AC:L): Low complexity indicates reliable exploitation is possible.
- Privileges Required (PR:N): No account or credentials are needed.
- User Interaction (UI:N): No victim action is required.
- Confidentiality, Integrity, Availability (C:H/I:H/A:H): Successful exploitation can result in complete system compromise, including data exfiltration, configuration tampering, and service disruption.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: This section describes the vulnerability mechanics from a defender's viewpoint only. No weaponized exploit code or step-by-step attack instructions are provided.
From a defensive standpoint, exploitation proceeds as follows:
- Reconnaissance: The attacker identifies an internet-facing FortiOS or FortiProxy SSL-VPN endpoint (commonly on TCP/443 or a dedicated SSL-VPN port).
- Crafted Request Delivery: The attacker sends a malformed request to the SSL-VPN service. The malformed input triggers the heap-based buffer overflow by writing beyond the bounds of an allocated buffer during request processing.
- Memory Corruption: The out-of-bounds write corrupts adjacent heap metadata or function pointers, potentially allowing the attacker to redirect execution to attacker-controlled code.
- Post-Exploitation: If successful, the attacker gains code execution in the context of the SSL-VPN process, which typically runs with elevated privileges on the appliance, leading to full network access.
Defenders should monitor SSL-VPN access logs for anomalous request patterns, unusually large or malformed payloads, and connections from unexpected geographies or anonymization services.
Affected and Patched Versions
Based on the source data:
- FortiOS SSL-VPN: 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, and 6.0.15 and earlier versions.
- FortiProxy SSL-VPN: 7.2.0 through 7.2.1, and 7.0.7 and earlier versions.
Specific patch release numbers are not provided in the source data. Administrators should consult the FortiGuard PSIRT advisory FG-IR-22-398 for the latest patched firmware releases.
Remediation
- Upgrade Firmware: Apply the latest patched firmware version from Fortinet as specified in FG-IR-22-398. Prioritize internet-facing appliances.
- Compensating Controls:
- If SSL-VPN is not required, disable the feature entirely until patching is complete.
- Restrict SSL-VPN access to trusted IP ranges using firewall policies or external edge controls.
- Implement network segmentation to limit lateral movement if an appliance is compromised.
- Ensure SSL-VPN authentication uses multi-factor authentication (MFA) to raise the bar for follow-on access, though this does not block the unauthenticated exploit itself.
- Verify Configuration: After patching, confirm the appliance is running the expected version and review SSL-VPN settings for unnecessary exposure.
Detection
- Network Monitoring: Inspect inbound SSL-VPN traffic for malformed payloads, oversized headers, or non-standard request structures that do not match legitimate client behavior.
- Log Analysis: Review FortiOS/FortiProxy event logs and SIEM alerts for SSL-VPN process crashes, memory errors, or repeated authentication failures from a single source.
- Endpoint & Appliance Integrity: Monitor for unexpected configuration changes, new administrator accounts, or unauthorized tunnel establishments after the SSL-VPN stage.
- Threat Intelligence: Correlate SSL-VPN source IPs with known malicious infrastructure and CISA KEV indicators.
Assessment
This vulnerability carries an EPSS score of 0.99474 and sits in the 99.94th percentile, indicating an extremely high probability of active exploitation. Its presence on the CISA Known Exploited Vulnerabilities (KEV) Catalog since 13 December 2022 confirms that threat actors have weaponized it in the wild. The combination of a 9.8 CVSS score, network reachability, no authentication requirement, and confirmed exploitation makes this a patching emergency.
Key lessons:
- Edge appliances are prime targets. Internet-facing VPN concentrators and firewalls should be at the top of any vulnerability management priority list.
- Telemetry beats obscurity. Organizations that log and monitor SSL-VPN sessions are better positioned to detect exploitation attempts even before patching.
References
Frequently asked questions
- What is CVE-2022-42475?
- A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
- How severe is CVE-2022-42475?
- CVE-2022-42475 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-42475 being actively exploited?
- Yes. CVE-2022-42475 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-12-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-42475?
- CVE-2022-42475 primarily affects Fortinet Fortios. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-42475?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-42475 have an EU (EUVD) identifier?
- Yes. CVE-2022-42475 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-45545. It is also flagged as exploited in the EUVD (since 2022-12-13).
- When was CVE-2022-42475 published?
- CVE-2022-42475 was published on 2023-01-02 and last updated on 2026-06-17.
References
- https://fortiguard.com/psirt/FG-IR-22-398
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-42475
Affected products (2)
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortios
- CVE-2005-3057 — Critical (CVSS 10.0): The FTP component in FortiGate 2.8 running FortiOS 2.8MR10 and v3beta, and other versions before 3.0 MR1, allows remote…
- CVE-2026-24858 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet…
- CVE-2025-59718 — Critical (CVSS 9.8): A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0…
- CVE-2025-22252 — Critical (CVSS 9.8): A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager…
- CVE-2023-25610 — Critical (CVSS 9.8): A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version…
- CVE-2024-55591 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0…
All CVEs affecting Fortinet Fortios →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…