Very High
CVE-2022-42475
CVE-2022-42475
Description
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Add Assessment
Technical Analysis
Heap-based buffer overflow in the sslvpnd component of Fortinet SSL VPNs. Fortinet disclosed publicly on December 12 with a note that it had been exploited in the wild, evidently after putting out a private warning to customers the week prior. Since then, there’s been community discussion about whether this was exploited as 0day or not, as the vendor evidently silently patched the vuln roughly two weeks before public disclosure (giving attackers plenty of time to reverse the patch before many customers were aware there was a problem).
Heap-based BOF probably isn’t quite as easily exploitable as, say, a stack-based cousin. Even if this wasn’t true 0day, my bets are on an advanced and/or state-sponsored threat actor being the culprit for initial exploitation. Not sure we’ll see mass exploitation right away, or even at all…unless of course someone figures out where the bug lives and develops a public exploit, in which case, the exploitability rating on this will ratchet up. The attacker value of compromising a Fortinet device is high enough to motivate folks.
CVSS V3 Severity and Metrics
General Information
Vendors
- fortinet
Products
- fortios,
- fortiproxy
Exploited in the Wild
References
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
A very nice and detailed analysis of a POC that exploits this vulnerability => A More Complete Exploit for Fortinet CVE-2022-42475
and another reference to a POC => Producing a POC for CVE-2022-42475 (Fortinet RCE)