CVE-2015-2281
published 2015-03-19

Priority: P2 · 60 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 10.33% (95.1th percentile)
Stack-based buffer overflow in collectoragent.exe in Fortinet Single Sign On (FSSO) before build 164 allows remote attackers to execute arbitrary code via a large PROCESS_HELLO message to the Message Dispatcher on TCP port 8000.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
fortinet | single_sign_on | |

Detection & IOCs (extracted from sources)

port: TCP/8000
process: collectoragent.exe
command: struct.pack(">I", 0x000fffff) + "\x80\x01\x42\x42" + "A"*248 + "B"*(0xfffff - 248)
bytes: \x80\x01\x42\x42
  • Detect oversized TCP connections to port 8000 targeting collectoragent.exe (FSSO Message Dispatcher); payloads beginning with magic bytes \x80\x01\x42\x42 followed by large buffers (approaching 0xfffff bytes) are indicative of PROCESS_HELLO exploitation attempts.
  • The exploit is pre-authentication; any unauthenticated large TCP payload to port 8000 on FSSO hosts should be treated as suspicious.
  • Monitor for crash or unexpected termination of collectoragent.exe, which is the direct impact of a successful or attempted exploit.
  • Only FSSO builds prior to build 164 are vulnerable; build 164 and later are patched. Verify installed build number before deploying detections to avoid false positives on patched systems.
  • Confirmed vulnerable versions include 4.3.0161, 4.3.0151, and 4.3.0129; other versions were not tested but may also be affected.
  • Because FSSO runs under a Windows Domain Admin or eDirectory Admin account, successful exploitation grants domain-level privileges across the entire network.
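
The detection notes above, written as a stream classifier. This is an added example, not code from the original page or from Fortinet. Assumptions: the 4 bytes before the marker are read as a big-endian size (as the listed command suggests), the MAX_SIZE threshold is a placeholder to tune, and the function names and flow-summary inputs are hypothetical.

```python
import struct

MAGIC = b"\x80\x01\x42\x42"   # marker bytes from the page's IOC list
FSSO_PORT = 8000              # Message Dispatcher port from the page
# Assumption: size threshold for alerting; tune it against a baseline of
# normal Collector Agent traffic before deploying.
MAX_SIZE = 0x10000


def classify_stream(dst_port, first_bytes, total_bytes, max_size=MAX_SIZE):
    """Classify the client side of one reassembled TCP stream.

    first_bytes: leading client payload bytes (8 needed for the header check).
    total_bytes: total client payload bytes seen on the stream.
    Returns (verdict, reason), verdict in {"ignore", "ok", "suspicious", "alert"}.
    """
    if dst_port != FSSO_PORT:
        return ("ignore", "not TCP/8000")
    if len(first_bytes) >= 8 and first_bytes[4:8] == MAGIC:
        # Assumption: the 4 bytes before the marker are a big-endian size.
        (declared,) = struct.unpack(">I", first_bytes[:4])
        if declared > max_size or total_bytes > max_size:
            return ("alert", "marker with size 0x%x" % max(declared, total_bytes))
        return ("ok", "marker present, size within threshold")
    if total_bytes > max_size:
        # Pre-auth service: any large payload is worth a look, marker or not.
        return ("suspicious", "large payload without marker")
    return ("ok", "small payload")


# Constructed flow summaries (dst_port, first 8 bytes, total bytes); not captures.
SAMPLES = [
    (8000, struct.pack(">I", 0x000fffff) + MAGIC, 0xfffff + 8),
    (8000, struct.pack(">I", 0x40) + MAGIC, 0x48),
    (8000, b"\x00" * 8, 0x20000),
    (443, struct.pack(">I", 0x000fffff) + MAGIC, 0xfffff + 8),
]


def run_samples():
    return [classify_stream(*s)[0] for s in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0], sample[2], verdict)
```

Pair an "alert" verdict with the collectoragent.exe crash monitoring and the build-number check listed above before escalating.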