CVE-2022-42475

CVSSv4: NA | CVSSv3: 9.8 | CVSSv2: NA | VMScore: 1000 | EPSS: 0.93167 | KEV: Exploitation Reported
Published: 02/01/2023 Updated: 21/11/2024

Vulnerability Summary

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 up to and including 7.2.2, 7.0.0 up to and including 7.0.8, 6.4.0 up to and including 6.4.10, 6.2.0 up to and including 6.2.11, 6.0.15 and previous versions and FortiProxy SSL-VPN 7.2.0 up to and including 7.2.1, 7.0.7 and previous versions may allow a remote unauthenticated malicious user to execute arbitrary code or commands via specifically crafted requests.

Vulnerability Trend

fortinet fortios

fortinet fortiproxy

Vendor Advisories

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Exploitation status: Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating ...

Github Repositories

An exploit for CVE-2022-42475, a pre-authentication heap overflow in Fortinet networking products

CVE-2022-42475. Background: This is the exploit for the blog post here: bishopfox.com/blog/exploit-cve-2022-42475. Redacted Version: This version of the exploit will not work without you, the hacker, supplying the necessary memory addresses for ROP gadgets, etc. The work to determine these data is confidential and proprietary to Bishop Fox and I will not (cannot) publish it.

POC code to exploit the Heap overflow in Fortinet's SSLVPN daemon

cve-2022-42475: POC code to exploit the heap overflow in Fortinet's SSLVPN daemon. Notes: This is a quick and dirty POC that will probably not work anywhere unless you are extremely lucky. It is version dependent and contains some hardcoded offsets which will most likely change from one system to another.

Heap memory underflow in the FortiOS management interface leading to remote code execution

CVE-2023-25610: Heap memory underflow in the FortiOS management interface leading to remote code execution. Scope and limitations: Fortinet 6.x is based on TLSv1.3; behaviour may differ on other TLS versions. Usage: python3 cve-2022-42475.py rhost rport lhost 'command'; python3 CVE-2023-25610.py 192.168.10.1 8443 10.10.1.1 'ls -la /'. Listener EXP usage

Test for the IoCs described for FG-IR-22-398

ioc-cve-2022-42475: a simple util that uses ssh to check for the IoCs noted in FortiGuard. It uses ssh and runs the commands described on the Fortinet forum. Build: git clone the project; this is developed on 1.66.1; build using cargo: cargo build --release. Run: after building it runs like any other command-line utility: ./ioc-cve-2022-4247

cve-2022-42475: POC code to exploit the heap overflow in Fortinet's SSLVPN daemon. Usage: pip install pwntools. To use this code, you can save it in a file, say exploit.py, and then run it with Python in the command line, passing in the required arguments. Here's an example command to run the exploit: python exploit.py <target_host> <target_port>

POC FortiOS SSL-VPN buffer overflow vulnerability

Usage: python3 cve-2022-42475.py rhost rport lhost 'command'. Example: python3 cve-2022-42475.py 192.168.10.1 8443 10.10.1.1 'ls -la /'. Disclaimer: This project is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for

CVE-2022-42475 Fortinet RCE vulnerability POC

CVE-2022-42475-RCE-POC. Vulnerability name: CVE-2022-42475 Fortinet RCE vulnerability POC. Root cause: Because sslvpnd's validation of user-supplied input is flawed, an unauthenticated attacker can trigger a buffer overflow by sending specially crafted packets, ultimately achieving arbitrary code execution on the target system. Affected versions: 7.2.0 <= FortiOS <= 7.2.2; 7.0.0 <= FortiOS <= 7.0.8; 6.4.0 <

FortiOS buffer overflow vulnerability

FortiOS SSL-VPN buffer overflow vulnerability cve-2022-42475: nvd.nist.gov/vuln/detail/CVE-2022-42475. POC code to exploit the heap overflow in Fortinet's SSLVPN daemon. Notes: This is a quick and dirty POC that will probably not work anywhere unless you are extremely lucky. It is version dependent and contains some hardcoded offsets which will most likely change from

Fortigate SSL VPN buffer overflow exploit

Usage: python3 cve-2022-42475.py rhost rport lhost 'command'. Example: python3 cve-2022-42475.py 192.168.10.1 8443 10.10.1.1 'ls -la /'. Disclaimer: This project is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for

Fortigate Log Digger

FortiDig: FortiDig is a Python-based log analysis tool designed for parsing and analyzing Fortigate firewall logs. It offers functionalities to perform hourly analysis, event type analysis, and intrusion checks based on predefined patterns associated with known CVEs. Version 1.0.0. Features: Hourly Analysis: counts the number of log events per hour. Event Analysis: aggregates the

Recent Articles

Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
BleepingComputer • Sergiu Gatlan • 11 Apr 2025

Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched. Earlier this week, Fortinet began sending emails to customers warning that their FortiGate/FortiOS devices were compromised based on telemetry received from FortiGuard devices...

Fortinet warns of new critical FortiManager flaw used in zero-day attacks
BleepingComputer • Lawrence Abrams • 23 Oct 2024

Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. The company privately warned FortiManager customers about the flaw starting October 13th in advanced notification emails se...

CISA says critical Fortinet RCE flaw now exploited in attacks
BleepingComputer • Sergiu Gatlan • 09 Oct 2024

Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild. The flaw (CVE-2024-23113) is caused by the fgfmd daemon accepting an externally controlled format string as an argument, which can let unauthenticated threat actors execute commands or arbitrary code on unpatched devices in low-complexity attacks that don't requir...

NoName ransomware gang deploying RansomHub malware in recent attacks
BleepingComputer • Bill Toulas • 10 Sep 2024

The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate. The gang uses custom tools known as the Spacecolon malware family, and deploys them after gaining access to a network through brute-force methods as well as explo...

Exploit released for maximum severity Fortinet RCE bug, patch now
BleepingComputer • Sergiu Gatlan • 28 May 2024

Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February. Tracked as CVE-2024-23108, this security flaw is a command injection vulnerability discovered and reported by Horizon3 vulnerability expert Zach Hanley that enables remote command e...

Fortinet warns of critical RCE bug in endpoint management software
BleepingComputer • Sergiu Gatlan • 13 Mar 2024

Fortinet patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers. FortiClient EMS enables admins to manage endpoints connected to an enterprise network, allowing them to deploy FortiClient software and assign security profiles on Windows devices. The security flaw (C...

Chinese Coathanger malware hung out to dry by Dutch defense department
The Register

Attack happened in 2023 using a bespoke backdoor, confirming year-old suspicions

Dutch authorities are lifting the curtain on an attempted cyberattack last year at its Ministry of Defense (MoD), blaming Chinese state-sponsored attackers for the espionage-focused intrusion. Specialists from the Netherlands' Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) were called in to investigate an intrusion at an MOD network last year, uncovering a previously unseen malware they're calling Coathanger. The name, authorities said,...

China's FortiGate attacks more extensive than first thought
The Register

Dutch intelligence says at least 20,000 firewalls pwned in just a few months

The Netherlands' cybersecurity agency (NCSC) says the previously reported attack on the country's Ministry of Defense (MoD) was far more extensive than previously thought. The NCSC first published details of a Chinese state-sponsored malware campaign in February, but has continued to investigate the case along with the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD). The attackers were using stealthy malware the NCSC calls Coathanger aft...

India floats plan to make big tech pay for news, walks back government censorship
The Register

PLUS: Taiwan's new supercomputer; China-linked cybercrims strike; Australian content clampdown; and more

Asia In Brief India's IT minister has signaled he is willing to revisit a proposal to use government fact checkers to decide what is fake news that should be removed from social media. In remarks made to Indian outlet The Economic Times, minister of state for electronics and IT Rajeev Chandrasekhar said the government's plan was to "crack down on enemies of India, state actors, those with vested interests, child sexual abuse, and religious incitement" – but not on general news or comment. Over...

Microsoft ain't the only one squashing exploited-in-the-wild bugs this month
The Register

Plus there's a PoC for this unpatched Cisco bug

Patch Tuesday For its final Patch Tuesday of the year, Microsoft fixed one bug that's already been exploited in the wild – and another that's publicly known. That brings its total for December to 49 patched vulnerabilities, six of which are rated critical. The bug that's listed as exploited-in-the-wild is tracked as CVE-2022-44698. It's a Windows SmartScreen security feature bypass vulnerability, and it received a 5.4 CVSS rating. "An attacker can craft a malicious file that would evade Mark o...

Fortinet squashes hijack-my-VPN bug in FortiOS gear
The Register

And it's already being exploited in the wild, probably

Fortinet has patched a critical bug in its FortiOS and FortiProxy SSL-VPN that can be exploited to hijack the equipment. The remote code execution vulnerability, tracked as CVE-2023-27997, was spotted and disclosed by Lexfo security analysts Charles Fol and Dany Bach. Fortinet has warned the bug looks to have been exploited in the wild already. The security flaw lies within the SSL-VPN, so if you have that enabled, you are potentially vulnerable to attack. "This is reachable pre-authentication, ...

China's cyber intrusions took a sinister turn in 2024
The Register

From targeted espionage to pre-positioning - not that they are mutually exclusive

The Chinese government's intrusions into America's telecommunications and other critical infrastructure networks this year appear to signal a shift from cyberspying as usual to prepping for destructive attacks. The FBI and other US federal agencies rang in 2024 boasting about disrupting a Chinese botnet composed of "hundreds" of outdated routers intent on breaking into US critical infrastructure facilities. Spoiler alert: the botnet is back. This same government-backed crew also compromised at ...