โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence VULNERABILITY ๐Ÿ”ด 3ร—KEV

CVE-2022-42475 in Fortinet FortiOS SSL-VPN: Actively Exploited RCE Demands Immediate Patching

📅 March 23, 2026 · 🔴 Exploit Risk: 0.576 · 📊 Intelligence Score: 98/100 · 📰 8 sources synthesized
Intelligence Metadata
First Reported By: cisa.gov
Outbreak Velocity: 0 minutes spread to 2 unique domains
Consensus: Not available
CVSS Score: 9.8
EPSS Score: 0.93984 (93.98th percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.5759
Race Label: PERSISTENT THREAT

Technical Analysis

CVE-2022-42475 is a heap-based buffer overflow vulnerability in the FortiOS SSL-VPN daemon (`sslvpnd`). An unauthenticated, remote attacker can trigger it by sending a specially crafted request to a vulnerable SSL-VPN interface. Successful exploitation overwrites adjacent heap memory, which can be leveraged to achieve arbitrary code execution or to cause a denial-of-service condition by crashing the `sslvpnd` process.

The attack vector requires no user interaction and targets a common, publicly exposed network security appliance, making it an attractive ingress point for threat actors. Exploitation yields remote code execution with root privileges on the affected FortiGate device, giving the attacker a foothold on the network perimeter from which to conduct lateral movement and further attacks.

Affected Systems

Vendor: Fortinet
Affected Versions:
  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS version 6.0, all versions
  • FortiProxy version 7.2.0 through 7.2.1
  • FortiProxy version 7.0.0 through 7.0.7
Exposure: Publicly facing SSL-VPN interfaces. The vulnerability is pre-authentication.
Blast Radius: High. This vulnerability affects a widely deployed enterprise firewall and VPN solution. A successful exploit provides a direct, unauthenticated ingress point into a protected network, potentially exposing the entire internal infrastructure.

Intelligence Context

The combination of a CISA KEV catalog entry and a 93.98% EPSS score establishes CVE-2022-42475 as a proven and persistent threat, not a theoretical one. The 'PERSISTENT THREAT' race label, based on its KEV addition date of December 13, 2022, indicates that threat actors continue to actively scan for and exploit unpatched systems. This is a classic 'patch or perish' scenario for any organization exposing FortiOS SSL-VPN to the internet. The high impact (unauthenticated RCE) on a perimeter device makes this a top-tier priority for remediation, as it serves as a common entry point for ransomware operations and advanced persistent threats.

Remediation & Defense

Patch immediately. This is the highest priority for vulnerability management teams. For any unpatched, internet-facing systems, assume potential compromise and initiate incident response procedures, including hunting for signs of post-exploitation activity.
Patch Status: Available
Patch Version: Upgrade to FortiOS 7.2.3, 7.0.9, 6.4.11, 6.2.12 or above. Upgrade to FortiProxy 7.2.2, 7.0.8 or above.
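To turn the affected-version list above and the fixed builds in Patch Version into an inventory check, here is an added Python example (not part of the advisory or of any Fortinet tooling). The hostnames and build strings in the sample inventory are constructed, and the `v7.0.8` / `7.0.8,build0418` formats it accepts are an assumption about how builds are recorded in an asset database.

```python
"""Flag FortiOS / FortiProxy builds that fall in the CVE-2022-42475 affected ranges."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: Tuple[int, ...]             # inclusive lower bound, or branch prefix when high is None
    high: Optional[Tuple[int, ...]]  # inclusive upper bound; None means every release in the branch
    fixed: Optional[str]             # first fixed build in the branch; None means no in-branch fix

# Ranges and fixed builds exactly as listed in the advisory above.
AFFECTED = [
    AffectedRange("FortiOS", (7, 2, 0), (7, 2, 2), "7.2.3"),
    AffectedRange("FortiOS", (7, 0, 0), (7, 0, 8), "7.0.9"),
    AffectedRange("FortiOS", (6, 4, 0), (6, 4, 10), "6.4.11"),
    AffectedRange("FortiOS", (6, 2, 0), (6, 2, 11), "6.2.12"),
    AffectedRange("FortiOS", (6, 0), None, None),
    AffectedRange("FortiProxy", (7, 2, 0), (7, 2, 1), "7.2.2"),
    AffectedRange("FortiProxy", (7, 0, 0), (7, 0, 7), "7.0.8"),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v7.0.8', '7.0.8,build0418' or '7.2' into a 3-part tuple of ints (assumed formats)."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))[:3]

def assess(product: str, version: str) -> dict:
    """Return vulnerability status and the remediation target for one device."""
    v = parse_version(version)
    for r in AFFECTED:
        if r.product.lower() != product.lower():
            continue
        # A branch-wide entry ("all versions") matches on prefix; otherwise bound-check.
        hit = v[:len(r.low)] == r.low if r.high is None else r.low <= v <= r.high
        if hit:
            action = (f"upgrade to {r.fixed} or later" if r.fixed
                      else "no fixed build in this branch; migrate to a fixed branch")
            return {"vulnerable": True, "fixed_version": r.fixed, "action": action}
    return {"vulnerable": False, "fixed_version": None, "action": "not in an affected range"}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and build numbers are made up.
    for host, prod, ver in [("fw-edge-01", "FortiOS", "v7.0.8,build0418"),
                            ("fw-legacy", "FortiOS", "6.0.14")]:
        print(host, prod, ver, "->", assess(prod, ver)["action"])
```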
Workarounds:
  • If patching is not immediately possible, disable the SSL-VPN service on all internet-facing interfaces. This is the only effective mitigation short of patching.
  • Implement strict access control lists (ACLs) to limit SSL-VPN access to trusted IP address ranges only, though this does not eliminate the risk.
Detection Hints:
  • Monitor for crash events and core dumps related to the `sslvpnd` process on FortiGate devices.
  • Analyze firewall logs for anomalous connection attempts to the SSL-VPN port from untrusted or unexpected sources.
  • Utilize vendor-provided IPS signatures designed to detect exploitation attempts for CVE-2022-42475.
