CVE-2022-42475 — Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability

CVE-2022-42475

Fortinet FortiOS SSL-VPN — Zero-Day Heap Buffer Overflow Allows Pre-Auth RCE; Targeted by Nation-State and Ransomware Groups

What is Fortinet FortiOS SSL-VPN?

Fortinet FortiOS is the operating system for FortiGate network security appliances. Its SSL-VPN component (the sslvpnd daemon) provides remote access for enterprise users through a web portal and a tunnel-mode client, listening on a TCP port (443 by default) that is normally exposed directly to the internet. FortiGate SSL-VPN is among the most widely deployed enterprise remote-access VPNs. Because the daemon is reachable from anywhere and must parse requests from unauthenticated clients before any credential check completes, it is a prime target for attackers seeking initial network access or credential harvesting at scale.

Overview

CVE-2022-42475 is a critical (CVSS 9.8) heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd) that lets an unauthenticated remote attacker execute arbitrary code or commands by sending specially crafted SSL-VPN requests. Fortinet's advisory classifies it as CWE-122 (heap-based buffer overflow); NVD tags it CWE-197 (numeric truncation), which describes the root cause of the undersized allocation. It was exploited as a zero-day: Fortinet was aware of in-the-wild exploitation, including attacks on government organizations, at the time it released the fix. Mandiant attributed the activity to a suspected Chinese state-sponsored actor deploying custom malware built for FortiOS. CISA's KEV entry records known use by ransomware operators.

Affected Versions

Product Vulnerable Fixed
FortiOS 7.2.0 through 7.2.2 7.2.3
FortiOS 7.0.0 through 7.0.8 7.0.9
FortiOS 6.4.0 through 6.4.10 6.4.11
FortiOS 6.2.0 through 6.2.11 6.2.12
FortiOS 6.0.0 through 6.0.15 6.0.16

Note: FortiOS-6K7K builds and FortiProxy SSL-VPN have their own affected and fixed versions; see FG-IR-22-398 for those branches.

Technical Details

The flaw (NVD: CWE-197 numeric truncation; Fortinet: CWE-122 heap-based buffer overflow) lives in the SSL-VPN daemon's request handling. sslvpnd terminates HTTPS connections from VPN clients on the configured SSL-VPN port (443 by default). While processing certain requests, an attacker-supplied length is truncated when it is used to size a heap allocation, so the buffer ends up smaller than the data that is subsequently copied into it, and the copy runs past the end of the heap chunk.

No authentication is required: the crafted request is handled before any credential check. By shaping the overflow, an attacker can corrupt adjacent heap objects or allocator metadata and hijack control flow inside sslvpnd, gaining code execution with that process's privileges, which on a FortiGate amounts to control of the appliance.
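The truncation-to-overflow chain described above, as an added example in C. This is not sslvpnd code and does not reproduce the actual CVE-2022-42475 bug; it models the bug class the advisory names (a length narrowed to 16 bits before the allocation, then used at full width for the copy) beside the hardened form. The 16-bit field, the `MAX_BODY` limit and the function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustration of CWE-197 (numeric truncation) turning into a heap overflow.
 * Added example: not sslvpnd code and not the real CVE-2022-42475 bug; it
 * models the bug class the advisory describes. MAX_BODY is a hypothetical
 * protocol limit chosen for this example.
 */
#define MAX_BODY 65535u

/* Allocation size the vulnerable path computes. The body length is parked
 * in a 16-bit field before sizing the buffer, so 0x10010 wraps to 0x0010. */
size_t vulnerable_alloc_size(size_t body_len)
{
    uint16_t len16 = (uint16_t)body_len;   /* high bits silently dropped */
    return (size_t)len16 + 1;               /* +1 for a terminating NUL */
}

/* Bytes the copy would write beyond the allocation, 0 if it fits. */
size_t overflow_bytes(size_t body_len)
{
    size_t alloc = vulnerable_alloc_size(body_len);
    size_t written = body_len + 1;          /* memcpy plus the NUL */
    return written > alloc ? written - alloc : 0;
}

/* Vulnerable copy: malloc uses the truncated length, memcpy uses the full
 * length. Safe only while body_len <= 0xFFFF; shown for the shape of the
 * bug, never to be called on untrusted input. */
int copy_body_vulnerable(const uint8_t *body, size_t body_len, uint8_t **out)
{
    uint8_t *buf = malloc(vulnerable_alloc_size(body_len));
    if (!buf) return -1;
    memcpy(buf, body, body_len);            /* heap overflow when body_len > 0xFFFF */
    buf[body_len] = '\0';                   /* this write lands even further out */
    *out = buf;
    return 0;
}

/* Hardened copy: bound the length before any arithmetic and keep the
 * allocation and the copy in the same (size_t) width. */
int copy_body_hardened(const uint8_t *body, size_t body_len, uint8_t **out)
{
    if (body == NULL || body_len > MAX_BODY) return -1;
    uint8_t *buf = malloc(body_len + 1);
    if (!buf) return -1;
    memcpy(buf, body, body_len);
    buf[body_len] = '\0';
    *out = buf;
    return 0;
}

int main(void)
{
    size_t hostile_len = 0x10010;           /* 65552 bytes claimed by the client */
    printf("claimed %zu bytes, vulnerable path allocates %zu, overflow %zu bytes\n",
           hostile_len, vulnerable_alloc_size(hostile_len), overflow_bytes(hostile_len));

    uint8_t small[4] = {1, 2, 3, 4};
    uint8_t *out = NULL;
    if (copy_body_hardened(small, sizeof small, &out) == 0) {
        printf("hardened: copied %zu bytes\n", sizeof small);
        free(out);
    }
    printf("hardened rejects hostile length: %d\n",
           copy_body_hardened(small, hostile_len, &out));
    return 0;
}
```

The point of `overflow_bytes` is that the damage is not "a few bytes": a claimed length of 0x10010 yields a 17-byte chunk and a 65536-byte overrun, which is exactly the kind of controlled heap write an attacker uses to reach adjacent objects. The fix is not to widen the field but to reject out-of-range lengths before they are used anywhere.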

Mandiant's analysis of post-exploitation activity documented:

  • Deployment of a custom backdoor ("BOLDMOVE") built for FortiOS, designed to persist on the appliance, with a variant that tampers with FortiOS logging to hide its activity
  • Log tampering to remove evidence of exploitation
  • Lateral movement from the compromised FortiGate into the protected internal network

The use of a custom FortiOS implant indicates a sophisticated, well-resourced threat actor who had prepared persistence mechanisms specifically for this device class before the zero-day campaign.

Discovery

Fortinet identified the exploitation activity through threat intelligence and incident response, and privately notified select government customers before publishing the advisory. Mandiant was involved in incident response at affected organizations and published the technical analysis documenting the zero-day exploitation and custom malware.

Exploitation Context

CVE-2022-42475 was exploited in targeted attacks against government organizations. Mandiant tracked the activity as UNC3405 and assessed it as suspected Chinese state-sponsored espionage. Key characteristics:

  • Zero-day exploitation: Used before the patch was available, indicating the threat actor had developed the exploit independently
  • Custom FortiOS malware: "BOLDMOVE" is a backdoor written in C with a Linux variant built to run on FortiGate appliances; it can survey the system, execute commands, relay traffic, and (in an extended variant) disable FortiOS logging, which points to significant prior development investment against this device class
  • Government targeting: Attacks were directed at government entities rather than mass exploitation, consistent with espionage objectives
  • Persistence focus: Post-exploitation activity prioritized long-term access over immediate data theft

After public disclosure, ransomware affiliates and other criminal groups adopted the exploit for mass exploitation of unpatched FortiGate appliances, which is why CISA's KEV entry flags known ransomware use.

Remediation

  1. Patch FortiOS immediately: Upgrade to the fixed release for your branch per FG-IR-22-398. Any device with SSL-VPN enabled was exposed to a pre-auth zero-day, so treat this as urgent. If you cannot upgrade right away, disable SSL-VPN until you can; that is the workaround Fortinet's advisory gives.
  2. Check for exploitation indicators: Fortinet's advisory lists indicators of compromise: crash records in the event log (logdesc "Application crashed" with a msg naming application:sslvpnd and "Signal 11 received"), file artifacts in the filesystem, and outbound connections from the FortiGate to the IP addresses it enumerates. A burst of sslvpnd crashes around the exploitation window is consistent with attempts, whether or not one succeeded.
  3. Review SSL-VPN logs: Examine event and VPN logs for unexpected sessions, authentication anomalies, logins from unfamiliar addresses, or gaps where logging stopped, which can be a sign of the log tampering Mandiant documented.
  4. Verify filesystem integrity: Check the device for the file artifacts in Fortinet's guidance. If any are present, or logs show signs of tampering, treat the appliance as compromised: re-install firmware from a known-good image and restore a reviewed configuration rather than patching in place.
  5. Rotate credentials: If SSL-VPN was exposed before patching, assume VPN user credentials may have been harvested and force a rotation for all VPN users, then require MFA. An attacker with control of the FortiGate could also read its configuration, so rotate the secrets stored there (local admin passwords, LDAP/RADIUS bind credentials, certificates and private keys).
  6. Disable SSL-VPN if not required: If SSL-VPN is not needed, turn it off to remove the attack surface entirely. Where remote access is still needed, IPsec VPN with certificate or MFA-backed authentication is the alternative Fortinet points to.
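Steps 1 through 3 above can be pre-checked offline against a device's `get system status` output and an exported event log. The following is an added example in C, not Fortinet tooling: the version ranges come from the Affected Versions table on this page, the crash signature (logdesc "Application crashed", application:sslvpnd, "Signal 11 received") from FG-IR-22-398, and the sample log lines are constructed for this example in the general shape of FortiOS event logs (field values, PIDs and backtrace addresses are made up).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Offline triage helper for the remediation steps above. Added example,
 * not Fortinet tooling: checks a FortiOS version string against the
 * vulnerable ranges in this page's table and scans exported event logs for
 * the sslvpnd crash signature FG-IR-22-398 lists as an indicator.
 */

struct branch { int major, minor, last_vulnerable, fixed; };

/* Vulnerable ranges from the Affected Versions table on this page. */
static const struct branch BRANCHES[] = {
    {7, 2, 2, 3}, {7, 0, 8, 9}, {6, 4, 10, 11}, {6, 2, 11, 12}, {6, 0, 15, 16},
};

/* Pull "vX.Y.Z" out of the Version line printed by `get system status`,
 * e.g. "Version: FortiGate-100F v7.2.2,build1255,221201 (GA.F)". */
bool parse_version(const char *line, int *major, int *minor, int *patch)
{
    const char *v = strstr(line, " v");
    return v != NULL && sscanf(v, " v%d.%d.%d", major, minor, patch) == 3;
}

/* 1 = in a vulnerable range, 0 = at or past the fixed build,
 * -1 = branch not covered by the table (consult the advisory). */
int is_vulnerable(int major, int minor, int patch)
{
    for (size_t i = 0; i < sizeof BRANCHES / sizeof BRANCHES[0]; i++)
        if (BRANCHES[i].major == major && BRANCHES[i].minor == minor)
            return patch <= BRANCHES[i].last_vulnerable ? 1 : 0;
    return -1;
}

/* True if the crash record names the given daemon after "application:",
 * tolerating an optional space after the colon. */
static bool crashed_application_is(const char *line, const char *app)
{
    const char *p = strstr(line, "application:");
    if (!p) return false;
    p += strlen("application:");
    while (*p == ' ') p++;
    return strncmp(p, app, strlen(app)) == 0;
}

/* Indicator from FG-IR-22-398: logdesc "Application crashed" whose msg
 * names sslvpnd and reports "Signal 11 received" (SIGSEGV). */
bool is_sslvpnd_crash(const char *line)
{
    return strstr(line, "Application crashed") != NULL &&
           crashed_application_is(line, "sslvpnd") &&
           strstr(line, "Signal 11 received") != NULL;
}

int count_sslvpnd_crashes(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_sslvpnd_crash(lines[i])) hits++;
    return hits;
}

/* Constructed sample lines in the shape of FortiOS event logs; every
 * field value, PID and address here is made up for this example. */
static const char *const SAMPLE_LOGS[] = {
    "date=2022-12-10 time=03:14:22 type=\"event\" subtype=\"system\" level=\"alert\" "
    "logdesc=\"Application crashed\" msg=\"Pid: 1234, application: sslvpnd, "
    "Firmware: FortiGate-100F v7.2.2,build1255,221201 (GA.F) (Release), "
    "Signal 11 received, Backtrace: [0x0045f3a8] [0x0045f9c0]\"",
    "date=2022-12-10 time=03:14:25 type=\"event\" subtype=\"vpn\" level=\"information\" "
    "logdesc=\"SSL VPN login succeeded\" user=\"alice\" remip=192.0.2.10",
    "date=2022-12-10 time=04:01:07 type=\"event\" subtype=\"system\" level=\"alert\" "
    "logdesc=\"Application crashed\" msg=\"Pid: 2201, application: httpsd, "
    "Signal 11 received, Backtrace: [0x00410000]\"",
};

int sample_crash_count(void)
{
    return count_sslvpnd_crashes(SAMPLE_LOGS, sizeof SAMPLE_LOGS / sizeof SAMPLE_LOGS[0]);
}

int main(void)
{
    const char *status = "Version: FortiGate-100F v7.2.2,build1255,221201 (GA.F)";
    int ma, mi, pa;
    if (parse_version(status, &ma, &mi, &pa))
        printf("FortiOS %d.%d.%d: vulnerable=%d\n", ma, mi, pa, is_vulnerable(ma, mi, pa));
    printf("sslvpnd crash records in sample logs: %d\n", sample_crash_count());
    return 0;
}
```

A branch the table does not cover returns -1 rather than 0 on purpose: "not in my list" must never read as "safe", and the FortiOS-6K7K and FortiProxy ranges in the advisory are the obvious cases. Likewise, a crash count of zero is not a clean bill of health, since the log tampering Mandiant described would remove exactly these records; combine it with the file-artifact and outbound-connection checks from the advisory.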

Key Details

Property: Value
CVE ID: CVE-2022-42475
Vendor / Product: Fortinet, FortiOS
NVD Published: 2023-01-02
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-197
CISA KEV Added: 2022-12-13
CISA KEV Deadline: 2023-01-03
Known Ransomware Use: Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-01-03. Apply updates per vendor instructions.

Timeline

Date: Event
2022-11-28: Fortinet privately alerted select customers of exploitation activity
2022-12-07: Fortinet released fixed builds and notified customers through a support bulletin
2022-12-12: Fortinet publicly published PSIRT advisory FG-IR-22-398
2022-12-13: CISA added CVE-2022-42475 to the KEV catalog
2023-01-02: NVD record for CVE-2022-42475 published
2023-01-03: CISA BOD 22-01 remediation deadline
2023-01-19: Mandiant published its analysis of the in-the-wild exploitation and the BOLDMOVE backdoor, attributing the campaign to a suspected Chinese actor

References

Resource: Type
NVD entry for CVE-2022-42475: Vulnerability database
CISA KEV catalog entry: US government
Fortinet PSIRT advisory FG-IR-22-398: Vendor advisory