Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.
On December 12, 2022, FortiGuard Labs published advisory FG-IR-22-398 regarding a critical (CVSSv3 9.3) "heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN [which] may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests."
FortiGuard Labs has confirmed at least one instance of the vulnerability being exploited in the wild and has included the current indicators of compromise (IOCs) in its advisory, so that FortiOS administrators can use them to review the integrity of currently vulnerable systems.
Vulnerabilities of this nature, and on this type of system, have proven to be of high value to attackers. We strongly advise that organizations upgrade to an unaffected version of FortiOS on an emergency basis and follow FortiGuard's advice to review existing systems for signs of compromise.
Organizations that are unable to patch are advised to disable SSL-VPN.
InsightVM and Nexpose customers can assess their exposure to CVE-2022-42475 on FortiOS via an authenticated scan with the December 12 content release.
December 13, 2022 9:30AM ET: Updated affected products, solutions, and workaround to match the updated vendor advisory.
December 14, 2022 10:15AM ET: Updated solutions to match updated vendor advisory.
December 16, 2022 11:15AM ET: Updated solutions to match updated vendor advisory.
December 22, 2022 10:33AM ET: Updated affected products and solutions to match the updated vendor advisory which now includes FortiProxy.