cbcvebase.
CVE-2022-42475
published 2023-01-02

Priority: P1 (score 100) · Critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2023-01-03)
Exploited in the wild
EPSS: 99.47% (99.9th percentile)
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Affected

49 ranges · showing 25

Vendor    Product             Version range           Fixed in
fortinet  fim-7901e           n/a (hardware platform)
fortinet  fim-7904e           n/a (hardware platform)
fortinet  fim-7910e           n/a (hardware platform)
fortinet  fim-7920e           n/a (hardware platform)
fortinet  fim-7921f           n/a (hardware platform)
fortinet  fim-7941f           n/a (hardware platform)
fortinet  fortigate-6300f     n/a (hardware platform)
fortinet  fortigate-6300f-dc  n/a (hardware platform)
fortinet  fortigate-6500f     n/a (hardware platform)
fortinet  fortigate-6500f-dc  n/a (hardware platform)
fortinet  fortigate-6501f     n/a (hardware platform)
fortinet  fortigate-6501f-dc  n/a (hardware platform)
fortinet  fortigate-6601f     n/a (hardware platform)
fortinet  fortigate-6601f-dc  n/a (hardware platform)
fortinet  fortigate-7030e     n/a (hardware platform)
fortinet  fortigate-7040e     n/a (hardware platform)
fortinet  fortigate-7060e     n/a (hardware platform)
fortinet  fortigate-7121f     n/a (hardware platform)
fortinet  fortios             (no range given)
fortinet  fortios             5.0.0 – 5.0.14          (none listed)
fortinet  fortios             5.2.0 – 5.2.15          (none listed)
fortinet  fortios             5.4.0 – 5.4.13          (none listed)
fortinet  fortios             5.6.0 – 5.6.14          (none listed)
fortinet  fortios             >= 6.0.0, < 6.0.16      6.0.16
fortinet  fortios             >= 6.0.0, < 6.0.15      6.0.15

The fim-* and fortigate-* rows are hardware platform entries and carry no version range in the source; the FortiOS build running on them is what determines exposure.
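The ranges in the description above are easy to misread when an inventory records builds as "v7.0.8,build0418". The following is an added example (not Fortinet's code and not part of this page's data) that transcribes the affected ranges from the description into a checker and runs a constructed inventory through it; the handling of a leading "v" and a ",buildNNNN" suffix is an assumption about how inventories usually record FortiOS versions.

```python
"""Added example: check FortiOS / FortiProxy versions against the affected
ranges stated in the CVE-2022-42475 description. Not Fortinet code. The
ranges are transcribed from the advisory text; accepting 'v' prefixes and
',buildNNNN' suffixes is an assumption about inventory formats."""
import re

# Inclusive (min, max) ranges from the description. "X and earlier" becomes
# min=(0,0,0); the affected table on the page lists the 5.x trains with no fix.
AFFECTED = {
    "fortios": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11)),
        ((0, 0, 0), (6, 0, 15)),   # "6.0.15 and earlier"
    ],
    "fortiproxy": [
        ((7, 2, 0), (7, 2, 1)),
        ((0, 0, 0), (7, 0, 7)),    # "7.0.7 and earlier"
    ],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:,build\d+.*)?$")


def parse_version(text):
    """'v7.0.8,build0418 (GA)' -> (7, 0, 8). Raises ValueError on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_range(product, version):
    """Return the matching (min, max) range, or None if the build is outside
    every affected range for that product."""
    ranges = AFFECTED.get(product.lower())
    if ranges is None:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    for lo, hi in ranges:
        if lo <= v <= hi:
            return lo, hi
    return None


def is_affected(product, version):
    return affected_range(product, version) is not None


def triage(inventory):
    """inventory: iterable of (hostname, product, version). Returns the hosts
    still on an affected build together with the range they fall into."""
    hits = []
    for host, product, version in inventory:
        rng = affected_range(product, version)
        if rng is not None:
            hits.append((host, version, "%d.%d.%d-%d.%d.%d" % (*rng[0], *rng[1])))
    return hits


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    sample = [
        ("fw-edge-01", "fortios", "v7.2.2,build1255"),
        ("fw-edge-02", "fortios", "7.2.3"),
        ("fw-dc-01", "fortios", "6.0.15"),
        ("proxy-01", "fortiproxy", "v7.0.7,build0340"),
    ]
    for row in triage(sample):
        print(*row)
```

Note that "6.0.15 and earlier" deliberately swallows every 5.x train, which matches the table: those trains have no fixed version, so the only remediation is moving to a supported branch.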

Detection & IOCs (extracted from sources)

path  /opt/phoenix/log/phoenix.logs
path  language files folder (SSL-VPN) symbolic link to root filesystem
  • Look for symbolic links in the SSL-VPN language files folder that point at the root filesystem; this is a post-exploitation persistence mechanism planted after CVE-2022-42475 exploitation, not a sign of the initial overflow itself.
  • The Coathanger RAT persists across reboots and firmware upgrades by injecting a backup of itself into the process responsible for rebooting the device; a fully patched FortiGate can therefore still be infected if it was compromised before the patch was applied.
  • Coathanger hides itself by hooking system calls; look for anomalous syscall hooking or hidden processes on FortiGate appliances.
  • Threat actors have chained CVE-2022-42475 with CVE-2022-47966 (Zoho ManageEngine RCE) inside the same intrusion; look for correlated exploitation of both vulnerabilities in network telemetry.
  • Post-exploitation activity includes downloading additional malicious payloads onto compromised FortiGate devices; monitor for unexpected outbound connections originating from FortiGate appliances themselves.
  • CERT-FR confirmed a large campaign using the symlink persistence technique going back to early 2023; scope incident response to cover that full timeframe on any SSL-VPN-enabled FortiGate.
  • Fortinet telemetry-based notification emails with the subject 'Notification of device compromise - FortiGate / FortiOS - ** Urgent action required **' indicate confirmed compromise; treat receipt of such an email as a high-priority incident trigger.
  • The symlink persistence mechanism only affects devices with SSL-VPN enabled; devices without SSL-VPN enabled are not exposed to this specific post-exploitation technique.
  • Patching alone is insufficient if the device was compromised before patching: the symlink and the Coathanger RAT survive firmware upgrades and must be explicitly remediated.
  • The original CVE-2022-42475 fix was released silently on 28 November 2022 without disclosure of active exploitation; the public advisory followed on 12 December 2022. Organizations that patched promptly after the silent fix may still have been compromised during the zero-day window.
  • Network segmentation was a key factor limiting damage in the Dutch MOD breach; absence of segmentation significantly increases the blast radius of a successful CVE-2022-42475 exploitation.
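The bullets above tell you to watch for outbound connections that a FortiGate initiates on its own behalf. Here is an added example (not Fortinet's code, not from any of the cited sources) that scans FortiOS key=value syslog lines for local-out flows whose destination is not on an allowlist. The sample lines are constructed; the use of type="traffic" subtype="local" for traffic to and from the appliance follows the FortiOS log layout, and the allowlist of expected destinations (FortiGuard, NTP, DNS, SIEM forwarders, and so on) is an assumption that each site must fill in from its own configuration.

```python
"""Added example: flag outbound connections that originate from a FortiGate
itself and leave for a destination outside an allowlist. Not Fortinet code.
Sample log lines are constructed; field names follow the FortiOS key=value
syslog format (type="traffic" subtype="local" for flows to/from the box).
The allowlist is an assumption to be filled from the site's own config."""
import ipaddress
import re

# key=value pairs; values may be double-quoted (with escaped quotes) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line):
    """Parse one FortiOS key=value line into a dict, stripping quotes."""
    fields = {}
    for key, val in _KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def find_unexpected_local_out(lines, device_ips, allowed_dst):
    """Return (devname, dstip, dstport, service) for every local-out flow
    from one of device_ips to a destination outside allowed_dst networks.
    Inbound local traffic (e.g. SSL-VPN clients hitting the portal) and
    forwarded traffic are ignored; they are not the signal asked for here."""
    dev = {ipaddress.ip_address(a) for a in device_ips}
    allowed = [ipaddress.ip_network(n) for n in allowed_dst]
    hits = []
    for line in lines:
        f = parse_fortilog(line)
        if f.get("type") != "traffic" or f.get("subtype") != "local":
            continue
        try:
            src = ipaddress.ip_address(f.get("srcip", ""))
            dst = ipaddress.ip_address(f.get("dstip", ""))
        except ValueError:
            continue                      # malformed or missing address
        if src not in dev:
            continue                      # inbound to the box, not outbound
        if any(dst in net for net in allowed):
            continue                      # expected management traffic
        hits.append((f.get("devname"), str(dst), f.get("dstport"), f.get("service")))
    return hits


# Constructed sample: 203.0.113.10 is the appliance, 192.0.2.0/24 stands in
# for the site's expected update/NTP/DNS hosts, 198.51.100.0/24 is external.
SAMPLE_LINES = [
    'date=2023-01-05 time=03:11:02 devname="fw-edge-01" type="traffic" subtype="local" '
    'srcip=203.0.113.10 srcport=40211 dstip=192.0.2.53 dstport=53 proto=17 '
    'action="accept" service="DNS"',
    'date=2023-01-05 time=03:12:44 devname="fw-edge-01" type="traffic" subtype="local" '
    'srcip=203.0.113.10 srcport=51234 dstip=198.51.100.44 dstport=443 proto=6 '
    'action="accept" service="HTTPS"',
    'date=2023-01-05 time=03:12:50 devname="fw-edge-01" type="traffic" subtype="local" '
    'srcip=198.51.100.7 srcport=55012 dstip=203.0.113.10 dstport=10443 proto=6 '
    'action="accept" service="tcp/10443"',
    'date=2023-01-05 time=03:13:01 devname="fw-edge-01" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 srcport=50001 dstip=198.51.100.44 dstport=443 proto=6 '
    'action="accept" service="HTTPS"',
]
DEVICE_IPS = ["203.0.113.10"]
ALLOWED_DST = ["192.0.2.0/24"]

if __name__ == "__main__":
    for hit in find_unexpected_local_out(SAMPLE_LINES, DEVICE_IPS, ALLOWED_DST):
        print("unexpected local-out:", *hit)
```

Only the second line is reported: it is the appliance itself reaching an address nobody configured. The third line is an inbound SSL-VPN client and the fourth is forwarded user traffic to the same external host; neither is evidence of the device fetching a payload, which is why the filter keys on the source being the FortiGate rather than on the destination alone.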

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL