Cyber Resilience

CVE-2022-42475

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 02 January 2023

Modified: 24 October 2025
KEV Added: 13 December 2022
Patch: see Fortinet advisory FG-IR-22-398
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9401 (99.9th percentile)
Risk Priority: 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-42475 is a critical-severity vulnerability in the SSL-VPN component of Fortinet FortiOS (and FortiProxy). The summary classification is CWE-197 (Numeric Truncation Error); Fortinet's advisory describes the flaw as a heap-based buffer overflow (CWE-122). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS 0.9401, 99.9th percentile); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A heap-based buffer overflow vulnerability exists in the SSL-VPN components of FortiOS versions 7.2.0-7.2.2, 7.0.0-7.0.8, 6.4.0-6.4.10, 6.2.0-6.2.11, and 6.0.15 and earlier, as well as FortiProxy versions 7.2.0-7.2.1 and 7.0.7 and earlier. The flaw, tracked as CWE-122, permits remote attackers to supply specially crafted requests that corrupt heap memory.

An unauthenticated attacker with network access can exploit the issue to execute arbitrary code or commands on the affected device. The vulnerability carries a CVSS 3.1 score of 9.8, reflecting that no user interaction or credentials are required and that the impact spans confidentiality, integrity, and availability.
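The following is an added illustration of the CWE-122 pattern the advisory describes, not code from this page and not Fortinet's code (the internals of the FortiOS bug are not on this page). A hypothetical request handler copies a length-prefixed field into a fixed-size heap buffer; the vulnerable version trusts the attacker-supplied length, the hardened version bounds it by the allocation and rejects oversize input rather than silently truncating. The request framing (2-byte big-endian length, then payload) and all names are assumptions. The "neighbour" object is placed in the same malloc'd block as the field buffer so the overwrite stays inside one allocation and can be observed deterministically; on a real heap the same write would corrupt allocator metadata or an unrelated object.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX  16                  /* bytes the handler allocated for the field */
#define ARENA_SIZE (65535 + 2)         /* large enough that any 16-bit length stays in-block */

/* Hypothetical wire format: 2-byte big-endian length, then payload. */
static uint16_t read_len(const uint8_t *req) {
    return (uint16_t)((req[0] << 8) | req[1]);
}

/* Simulated heap: the field buffer, then a neighbouring object holding a sentinel. */
struct arena {
    uint8_t *base;       /* one calloc'd block of ARENA_SIZE bytes */
    uint8_t *field;      /* base + 0, FIELD_MAX bytes */
    uint8_t *neighbour;  /* base + FIELD_MAX, 8 sentinel bytes 'N' */
};

static struct arena arena_new(void) {
    struct arena a;
    a.base = calloc(ARENA_SIZE, 1);
    a.field = a.base;
    a.neighbour = a.base + FIELD_MAX;
    memset(a.neighbour, 'N', 8);
    return a;
}

/* VULNERABLE (CWE-122): validates the length against the wire only, not the buffer. */
static void handle_field_vulnerable(struct arena *a, const uint8_t *req, size_t req_len) {
    uint16_t len = read_len(req);
    if ((size_t)len + 2 > req_len) return;
    memcpy(a->field, req + 2, len);       /* len may exceed FIELD_MAX: heap overflow */
}

/* HARDENED: bounds the copy by the allocation; rejects rather than truncates. */
static int handle_field_hardened(struct arena *a, const uint8_t *req, size_t req_len) {
    uint16_t len = read_len(req);
    if ((size_t)len + 2 > req_len) return -1;
    if (len > FIELD_MAX) return -1;       /* an oversize field is a malformed request */
    memcpy(a->field, req + 2, len);
    return 0;
}

/* 1 if the neighbour's sentinel is intact, 0 if the copy ran over it. */
static int neighbour_intact(const struct arena *a) {
    for (int i = 0; i < 8; i++)
        if (a->neighbour[i] != 'N') return 0;
    return 1;
}

/* Constructed request: declared length `len`, payload filled with `fill`. */
static size_t build_request(uint8_t *out, uint16_t len, uint8_t fill) {
    out[0] = (uint8_t)(len >> 8);
    out[1] = (uint8_t)(len & 0xff);
    memset(out + 2, fill, len);
    return (size_t)len + 2;
}

/* Runs one request through both handlers. Result bits:
   1 = vulnerable handler overwrote the neighbour,
   2 = hardened handler accepted the request,
   4 = hardened handler overwrote the neighbour (never expected). */
static int demo(uint16_t declared_len) {
    static uint8_t req[ARENA_SIZE];
    size_t n = build_request(req, declared_len, 'X');
    struct arena v = arena_new(), h = arena_new();

    handle_field_vulnerable(&v, req, n);
    int rc = handle_field_hardened(&h, req, n);

    int result = (neighbour_intact(&v) ? 0 : 1)
               | (rc == 0 ? 2 : 0)
               | (neighbour_intact(&h) ? 0 : 4);
    free(v.base);
    free(h.base);
    return result;
}

int main(void) {
    printf("benign  (len=8):     result=%d\n", demo(8));      /* expect 2 */
    printf("crafted (len=40):    result=%d\n", demo(40));     /* expect 1 */
    printf("crafted (len=65535): result=%d\n", demo(65535));  /* expect 1 */
    return 0;
}
```

A benign request (length 8) passes both handlers untouched; a crafted one (length 40, or the 16-bit maximum) makes the vulnerable handler write 'X' over the neighbouring object while the hardened handler refuses it. The fix is the single comparison against the allocation size, which is exactly the check SI-10 (input validation) asks for at the SSL-VPN boundary.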

Fortinet advisory FG-IR-22-398 recommends applying the vendor-supplied patches or upgrading to fixed releases. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score currently stands at 0.9401 with a peak of 0.9406, indicating sustained and substantial exploitation interest.


Vulnerability details

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

CWE(s): CWE-122 (Heap-based Buffer Overflow)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Fortinet FortiOS: 5.0.0 — 5.0.14 · 5.2.0 — 5.2.15 · 5.4.0 — 5.4.13 (all covered by the advisory's "6.0.15 and earlier"); the advisory additionally lists 6.2.0 — 6.2.11 · 6.4.0 — 6.4.10 · 7.0.0 — 7.0.8 · 7.2.0 — 7.2.2
Fortinet FortiProxy: 1.0.0 — 1.0.7 · 1.1.0 — 1.1.6 · 1.2.0 — 1.2.13 (all covered by the advisory's "7.0.7 and earlier"); the advisory additionally lists 7.2.0 — 7.2.1

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly requires timely installation of the vendor patches Fortinet released to eliminate the heap buffer overflow in SSL-VPN.

SI-10 Information Input Validation (prevent): mandates validation of all input to the SSL-VPN interface, blocking the malformed requests that trigger the CWE-122 overflow and code execution.

SC-7 Boundary Protection (prevent, detect): enforces boundary protection and traffic filtering on the SSL-VPN portal, limiting the unauthenticated remote access the attack requires.
