
CVE-2022-42475: Fortinet FortiOS — Heap Overflow RCE

CVE Details

CVE ID CVE-2022-42475
CVSS Score 9.3
Severity Critical
Vendor Fortinet
Product FortiOS
Patch Status Available
Published December 13, 2022
EPSS Score 93.9%
CISA Patch Deadline January 3, 2023 (federal deadline passed)

Background

FortiOS is the operating system powering Fortinet’s FortiGate firewalls and VPN appliances. The SSL-VPN component is one of the most commonly deployed remote access solutions in enterprises globally, and by extension one of the most frequently targeted by nation-state actors and ransomware affiliates looking for initial access.

CVE-2022-42475 was patched by Fortinet on 12 December 2022, but the disclosure was notably cagey — Fortinet’s advisory hinted at exploitation before patching was confirmed, and Mandiant later published detailed analysis showing it had been exploited by a China-nexus threat actor as a zero-day. This follows a recurring pattern where Fortinet VPN vulnerabilities are exploited in the wild well before they’re publicly disclosed.

Technical Mechanism

The vulnerability is a heap-based buffer overflow in the SSL-VPN web management component. The flaw exists in how FortiOS processes certain SSL-VPN requests — specifically in the handling of HTTP request headers during the SSL-VPN authentication phase.

The SSL-VPN daemon (sslvpnd) uses a custom memory allocation scheme. By sending a specially crafted HTTP request with specific header values that exceed expected bounds, an attacker can trigger a heap overflow that corrupts adjacent memory. With careful heap feng shui, this can be turned into arbitrary code execution.

The exploit:

  1. Send a crafted HTTP request to the SSL-VPN portal (typically /remote/login or similar)
  2. The request contains headers designed to overflow a heap buffer in sslvpnd
  3. Heap corruption is leveraged to overwrite function pointers or return addresses
  4. Code execution is achieved under the context of sslvpnd (running as root on FortiOS)

No authentication is required. The vulnerable code path is reachable by anyone who can connect to the SSL-VPN portal — which, by design, is usually the entire internet.

Real-World Exploitation Evidence

Mandiant published an analysis in January 2023 identifying exploitation by UNC3886, a China-nexus espionage actor. Key findings:

  • UNC3886 exploited this as a zero-day before any patch was available, deploying custom implants named BOLDMOVE (a Linux backdoor written in C) and THINCRUST (a Python backdoor)
  • BOLDMOVE was specifically compiled for FortiOS and could read and manipulate FortiOS-specific files
  • Targets included government and defence organisations in the US and Europe
  • The actors used the compromised FortiGate devices as pivot points to access internal networks

Additionally, following public disclosure in December 2022, widespread exploitation by ransomware affiliates and other threat actors began, mirroring the pattern seen with other Fortinet SSL-VPN CVEs.

Impact Assessment

  • Root code execution on the FortiGate device — the SSL-VPN daemon runs as root
  • Persistent implant deployment — BOLDMOVE-style backdoors survive firmware updates and aren’t removed by standard remediation
  • Traffic interception — with root access, attackers can intercept all traffic passing through the VPN
  • Credential harvesting — VPN session tokens and user credentials accessible from memory
  • Network pivot — the FortiGate sits between the internet and internal network; with root access, attackers have a perfect pivot point
  • Lateral movement — from the FortiGate, actors pivoted to VMware infrastructure in the Mandiant-documented cases

Affected Versions

Product        Affected Versions   Fixed Version
FortiOS        7.2.0 – 7.2.2       7.2.3
FortiOS        7.0.0 – 7.0.8       7.0.9
FortiOS        6.4.0 – 6.4.10      6.4.11
FortiOS        6.2.0 – 6.2.11      6.2.12
FortiOS-6K7K   7.0.5 – 7.0.7       7.0.8
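The table above is easiest to apply across a fleet as a version-range check rather than by eye. The following is an added example, not code from this advisory or from Fortinet: it encodes the table as listed here, parses FortiOS version strings numerically (so 6.4.10 sorts after 6.4.9), keeps the 6K7K line separate from standard FortiOS, and reports each device as vulnerable, patched, or not covered by the table. The inventory is constructed sample data.

```python
import re

# Affected ranges exactly as listed in this advisory's table:
# (product, first affected, last affected, fixed version)
AFFECTED = [
    ("FortiOS",      "7.2.0", "7.2.2",  "7.2.3"),
    ("FortiOS",      "7.0.0", "7.0.8",  "7.0.9"),
    ("FortiOS",      "6.4.0", "6.4.10", "6.4.11"),
    ("FortiOS",      "6.2.0", "6.2.11", "6.2.12"),
    ("FortiOS-6K7K", "7.0.5", "7.0.7",  "7.0.8"),
]

# Constructed sample inventory (hostname, product line, running version)
INVENTORY = [
    ("fw-edge-1", "FortiOS",      "7.0.8"),
    ("fw-edge-2", "FortiOS",      "7.0.9"),
    ("fw-dc-1",   "FortiOS-6K7K", "7.0.6"),
    ("fw-lab",    "FortiOS",      "6.0.15"),
]


def parse_version(text):
    """Turn 'v7.0.8' / '7.0.8' into a comparable (7, 0, 8) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version):
    """Return (status, fixed_version).

    status is 'vulnerable' (inside a listed range), 'patched' (at or past the
    fix for that branch) or 'unlisted' (branch not in the table; check the
    vendor advisory rather than assuming it is safe).
    """
    ver = parse_version(version)
    for prod, first, last, fixed in AFFECTED:
        if prod != product:
            continue
        lo, hi, fix = parse_version(first), parse_version(last), parse_version(fixed)
        if lo[:2] != ver[:2]:        # different release branch (e.g. 7.0 vs 7.2)
            continue
        if lo <= ver <= hi:
            return "vulnerable", fixed
        if ver >= fix:
            return "patched", fixed
    return "unlisted", None


def assess_inventory(devices):
    """Annotate every (host, product, version) with its status and fix target."""
    return [(host, prod, ver, *assess(prod, ver)) for host, prod, ver in devices]


if __name__ == "__main__":
    for host, prod, ver, status, fixed in assess_inventory(INVENTORY):
        target = f" -> update to {fixed}" if status == "vulnerable" else ""
        print(f"{host:10} {prod:13} {ver:8} {status}{target}")
```

Devices reported as "unlisted" are not cleared by this check; the table only covers the branches Fortinet listed, so anything outside it needs confirmation against the vendor advisory.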

Remediation Steps

  1. Update FortiOS to patched versions immediately
  2. Check for indicators of compromise before patching — UNC3886 deployed persistent implants that survive patching:
    # Check for BOLDMOVE or unexpected files in FortiOS filesystem
    diagnose sys flash list
  3. Review /var/log/ on the device for unexpected files or scripts
  4. Check running processes for anything unusual:
    get system process-list
  5. If you cannot patch immediately, disable SSL-VPN entirely or restrict to known IP ranges
  6. After patching, re-image the device from known-good firmware if compromise is suspected — patching does not remove implants
  7. Rotate all VPN credentials, certificates, and pre-shared keys
  8. Review firewall rules for any unexpected changes made by attackers

Detection Guidance

FortiGate logs — look for unusual log entries in /var/log/log related to the SSL-VPN daemon crashing or restarting, which may indicate exploitation attempts.

File integrity — compare the FortiOS firmware checksum against known-good values from Fortinet’s download portal.

Network monitoring — watch for unexpected outbound connections from FortiGate device IPs, particularly to non-configured destinations.
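The two log-based checks above (sslvpnd crash or restart events, and outbound connections from the FortiGate itself to destinations it is not configured to talk to) can be run over exported FortiGate syslog. The following is an added example, not from this advisory or Fortinet: it parses the key=value format FortiGate logs use, flags event-log entries about sslvpnd crashing or restarting, and flags local-out traffic whose source is a FortiGate address and whose destination is outside an allowlist of expected ranges. The log lines, device address and allowlist are all constructed sample values.

```python
import ipaddress
import re

# Constructed sample lines in FortiGate key=value syslog style; not real device output.
SAMPLE_LOGS = [
    'date=2022-12-14 time=10:22:01 devname="fw-edge-1" type="event" subtype="system" '
    'level="critical" logdesc="Process crashed" msg="application sslvpnd crashed with signal 11" pid=1234',
    'date=2022-12-14 time=10:22:05 devname="fw-edge-1" type="event" subtype="system" '
    'level="notice" logdesc="Process restarted" msg="sslvpnd restarted"',
    'date=2022-12-14 time=10:30:12 devname="fw-edge-1" type="traffic" subtype="local" '
    'srcip=203.0.113.10 dstip=198.51.100.77 dstport=443 action="accept" service="HTTPS"',
    'date=2022-12-14 time=10:31:00 devname="fw-edge-1" type="traffic" subtype="local" '
    'srcip=203.0.113.10 dstip=192.0.2.5 dstport=443 action="accept" service="HTTPS"',
    'date=2022-12-14 time=10:32:00 devname="fw-edge-1" type="event" subtype="user" '
    'level="notice" logdesc="SSL VPN login success" msg="SSL user logged in" user="alice"',
]

# Constructed: the FortiGate's own addresses and the destinations it is expected
# to reach on its own (update/licensing services, SIEM, etc.).
DEVICE_IPS = {ipaddress.ip_address("203.0.113.10")}
EXPECTED_DESTINATIONS = [ipaddress.ip_network("198.51.100.0/24")]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# sslvpnd followed by a crash/restart indicator in the same message
CRASH_RE = re.compile(r"\bsslvpnd\b.*\b(crash|crashed|signal \d+|restart|restarted)\b", re.IGNORECASE)


def parse_line(line):
    """Parse one FortiGate log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def sslvpnd_instability(fields):
    """True for event-log entries that describe sslvpnd crashing or restarting."""
    if fields.get("type") != "event":
        return False
    text = " ".join(fields.get(k, "") for k in ("logdesc", "msg"))
    return bool(CRASH_RE.search(text))


def unexpected_outbound(fields, device_ips=DEVICE_IPS, expected=EXPECTED_DESTINATIONS):
    """True for traffic the FortiGate itself originated to a non-allowlisted destination."""
    if fields.get("type") != "traffic":
        return False
    try:
        src = ipaddress.ip_address(fields.get("srcip", ""))
        dst = ipaddress.ip_address(fields.get("dstip", ""))
    except ValueError:           # missing or malformed address: not a device-originated flow
        return False
    if src not in device_ips:
        return False
    return not any(dst in net for net in expected)


def triage(lines):
    """Return (finding_type, time, detail) tuples for every line that trips a check."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if sslvpnd_instability(f):
            findings.append(("sslvpnd_instability", f.get("time"), f.get("msg")))
        if unexpected_outbound(f):
            findings.append(("unexpected_outbound", f.get("time"), f.get("dstip")))
    return findings


if __name__ == "__main__":
    for kind, when, detail in triage(SAMPLE_LOGS):
        print(f"{when}  {kind:22} {detail}")
```

A burst of sslvpnd crash events is not proof of exploitation on its own (failed exploit attempts and ordinary bugs both produce them), so the two signals are most useful together: instability followed by new outbound connections from the device is the combination worth escalating.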

Suricata signature (the SSL-VPN portal is TLS on 443, so this only fires where traffic is decrypted before inspection, and it also matches legitimate POSTs to /remote/, so treat hits as a trigger for review rather than confirmation of exploitation):

alert http any any -> any 443 (msg:"Fortinet FortiOS CVE-2022-42475 SSL-VPN Heap Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remote/"; classtype:attempted-admin; sid:2034005; rev:1;)

IOCs from UNC3886:

  • BOLDMOVE: custom Linux ELF implant on FortiOS filesystem
  • THINCRUST: Python script in unexpected directories
  • Outbound connections from FortiGate to attacker-controlled infrastructure

Timeline

Date               Event
Late 2022          UNC3886 begins exploiting CVE-2022-42475 as a zero-day
12 December 2022   Fortinet patches CVE-2022-42475; advisory hints at active exploitation
December 2022      CISA issues advisory; mass exploitation begins post-disclosure
January 2023       Mandiant publishes detailed analysis attributing zero-day exploitation to UNC3886
January 2023       BOLDMOVE malware details published; implant shown to be FortiOS-specific
2023               Added to CISA Known Exploited Vulnerabilities catalogue