SECURITY ALERT: FortiOS SSL-VPN Vulnerability Exploited

December 13, 2022 | Posted in: Security Bulletins & Alerts

Systems Engineering is aware of a heap-based buffer overflow vulnerability in FortiOS, the Fortinet operating system that runs FortiGate firewalls: CVE-2022-42475, tracked by Fortinet PSIRT as FG-IR-22-398.

FortiGuard Labs, Fortinet's threat intelligence and research organization, has rated this vulnerability Critical.

Description

A heap-based buffer overflow [CWE-122] in the FortiOS SSL-VPN daemon (sslvpnd) may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Fortinet has reported that it is aware of at least one instance in which this vulnerability was exploited in the wild, so any FortiGate with its SSL-VPN portal reachable from the Internet should be treated as actively targeted.

Affected Versions

Multiple FortiOS releases from 5.0.0 through 7.2.2 (across the 7.2, 7.0, 6.4, 6.2, 6.0 and older branches), and FortiOS-6K7K releases from 6.0.0 through 7.0.7. Not every build inside those ranges is vulnerable: each supported branch has its own fixed release (FortiOS 7.2.3, 7.0.9, 6.4.11 and 6.2.12; FortiOS-6K7K 7.0.8, 6.4.10, 6.2.12 and 6.0.15), and branches without a fixed release in the advisory should be considered affected until upgraded. Consult FG-IR-22-398 for the current list of affected and fixed builds, and confirm what a device is running with the `get system status` CLI command before deciding whether it needs action.
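The following is an added example (not Fortinet's or Systems Engineering's code) showing how to triage a device's reported build against the branch-by-branch fixed releases from FG-IR-22-398 rather than the collapsed 5.0.0-7.2.2 range. It parses the `Version:` line of `get system status` output; the sample output is constructed, the caller is assumed to know whether the device runs standard FortiOS or FortiOS-6K7K (the 6000/7000 series chassis firmware), and the fixed-build tables should be re-checked against the current advisory before being relied on.

```python
"""Triage a FortiGate's reported FortiOS build against CVE-2022-42475.

Added example; not Fortinet's or Systems Engineering's code. It reads the
"Version:" line from `get system status` CLI output (the sample below is
constructed) and compares the build with the fixed releases named in
FG-IR-22-398. Verify the tables against the current advisory before acting.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fixed build per major.minor branch, as listed in FG-IR-22-398.
# Branches absent from a table (e.g. FortiOS 6.0 and older) had no fixed
# build in the advisory and are treated as affected outright.
FIXED_BUILDS: Dict[str, Dict[Tuple[int, int], Version]] = {
    "FortiOS": {(7, 2): (7, 2, 3), (7, 0): (7, 0, 9), (6, 4): (6, 4, 11), (6, 2): (6, 2, 12)},
    "FortiOS-6K7K": {(7, 0): (7, 0, 8), (6, 4): (6, 4, 10), (6, 2): (6, 2, 12), (6, 0): (6, 0, 15)},
}
# Highest build the advisory names as affected; anything newer post-dates it.
LATEST_AFFECTED: Dict[str, Version] = {"FortiOS": (7, 2, 2), "FortiOS-6K7K": (7, 0, 7)}

VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")


def parse_version(status_output: str) -> Optional[Version]:
    """Return (major, minor, patch) from the 'Version:' line, or None."""
    for line in status_output.splitlines():
        if line.strip().startswith("Version:"):
            m = VERSION_RE.search(line)
            if m:
                return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return None


def is_affected(version: Version, platform: str = "FortiOS") -> bool:
    """True if this build falls inside the advisory's affected range."""
    if platform not in FIXED_BUILDS:
        raise ValueError(f"unknown platform {platform!r}")
    if version > LATEST_AFFECTED[platform]:
        return False  # released after the advisory; not in its scope
    fixed = FIXED_BUILDS[platform].get(version[:2])
    if fixed is None:
        return True  # branch with no fixed build listed: affected
    return version < fixed


def triage(status_output: str, platform: str = "FortiOS") -> str:
    """One-line verdict suitable for a ticket or inventory report."""
    version = parse_version(status_output)
    if version is None:
        return "UNKNOWN: no 'Version:' line found"
    tag = "AFFECTED" if is_affected(version, platform) else "not affected"
    return f"{tag}: {platform} v{'.'.join(map(str, version))}"


# Constructed sample of `get system status` output (not a real device).
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.0.8,build0418,221020 (GA.F)
Serial-Number: FG100FXXXXXXXXXX
Operation Mode: NAT
"""

if __name__ == "__main__":
    print(triage(SAMPLE_STATUS))
```

Run against a fleet inventory, this separates devices that merely fall inside the broad range (for example a 6.4.11 box, which is already fixed) from devices that actually need an upgrade, and flags builds the advisory predates so they can be checked by hand.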

Course of Action

Systems Engineering recommends that clients with affected FortiGate systems upgrade them to a fixed release as soon as possible. If a device cannot be patched immediately, disable SSL-VPN or restrict which sources can reach the portal until it can be. Because this vulnerability has been exploited in the wild, devices should also be checked against the indicators of compromise published in FG-IR-22-398 before and after patching; upgrading closes the hole but does not remove anything an attacker may already have placed on the device.

For SE EventWatch and SE Essentials clients, we will be applying the fix over the coming weeks to address this critical vulnerability proactively.

If you are a current SE EventWatch client, we are continuously monitoring your network to detect, manage, and triage any potential indicators of compromise related to this or any other security incident.
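For clients reviewing their own FortiGate event logs, the following added example (not Fortinet's or Systems Engineering's code) scans exported key=value log lines for the sslvpnd crash signature that FG-IR-22-398 lists as an indicator of compromise: an entry with logdesc "Application crashed" whose msg names application sslvpnd and "Signal 11 received". The sample log lines are constructed, not captured from a device, and the key=value layout is assumed to match a standard FortiGate syslog or log export.

```python
"""Scan exported FortiGate event logs for the sslvpnd crash signature that
FG-IR-22-398 lists as an indicator of compromise for CVE-2022-42475.

Added example; not Fortinet's or Systems Engineering's code. FortiGate logs
are key=value lines; the advisory's signature is an entry with
logdesc="Application crashed" whose msg names application: sslvpnd and
"Signal 11 received". The sample lines below are constructed, not captured.
"""
import re
from typing import Dict, List

# key=value pairs; values may be double-quoted and contain spaces and commas.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SSLVPND_RE = re.compile(r"application:\s*sslvpnd\b", re.IGNORECASE)


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a dict with lower-cased keys."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
        fields[key.lower()] = raw[1:-1] if quoted else raw
    return fields


def is_sslvpnd_crash(fields: Dict[str, str]) -> bool:
    """True if the entry matches the advisory's sslvpnd crash signature."""
    if fields.get("logdesc", "").lower() != "application crashed":
        return False
    msg = fields.get("msg", "")
    return bool(SSLVPND_RE.search(msg)) and "signal 11 received" in msg.lower()


def find_sslvpnd_crashes(lines: List[str]) -> List[Dict[str, str]]:
    """Return the matching entries, trimmed to the fields worth escalating."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if is_sslvpnd_crash(fields):
            hits.append({k: fields.get(k, "") for k in ("date", "time", "devname", "msg")})
    return hits


# Constructed sample log lines (not from a real device): one sslvpnd crash,
# one unrelated daemon crash, one ordinary SSL-VPN event.
SAMPLE_LOG_LINES = [
    'date=2022-12-10 time=03:14:22 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="critical" logdesc="Application crashed" msg="Pid: 1532, application: sslvpnd, '
    'Firmware: FortiGate-100F v7.0.8,build0418,221020 (GA.F), Signal 11 received, '
    'Backtrace: [0x0044a9f0] [0x00457d2c]"',
    'date=2022-12-10 time=03:20:05 devname="FGT-EDGE-01" type="event" subtype="system" '
    'level="critical" logdesc="Application crashed" msg="Pid: 990, application: miglogd, '
    'Signal 6 received, Backtrace: [0x0041c0a8]"',
    'date=2022-12-10 time=03:21:40 devname="FGT-EDGE-01" type="event" subtype="vpn" '
    'level="information" logdesc="SSL VPN tunnel up" msg="SSL tunnel established" user="alice"',
]

if __name__ == "__main__":
    for hit in find_sslvpnd_crashes(SAMPLE_LOG_LINES):
        print(f"{hit['date']} {hit['time']} {hit['devname']}: {hit['msg']}")
```

A match is a trigger for a compromise assessment, not proof on its own: a single sslvpnd crash can have benign causes, whereas a cluster of them around the same time from an Internet-facing portal is exactly the pattern the advisory describes. Preserve the logs and the device before rebooting or re-imaging it, and check the filesystem artifacts the advisory also lists.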

For all other clients, if you would like assistance patching an affected Fortinet system, please reach out to our customer service team to have a ticket opened to receive this vital security update. 

Systems Engineering's Customer Service can be reached at customerservice@systemsengineering.com or 207.772.4199.