Threats / Fortinet / CVE-2022-42475
CVE-2022-42475
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Fortinet FortiOS vulnerability
Fortinet FortiOS SSL-VPN contains a heap-based buffer overflow allowing unauthenticated remote code execution. The vulnerability is actively exploited in ransomware campaigns.
Verdict
Today item, not a backlog item.
A critical remote code execution flaw in FortiOS SSL-VPN enables unauthenticated attackers to execute arbitrary commands. Active exploitation in ransomware operations and high EPSS score indicate immediate threat to exposed instances.
CISA KEV Yes · 2022-12-133Ransomware use Flagged3EPSS 0.99474 (verify live)4Exploit Weaponized · public PoC5
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
65 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-12-13), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.99474 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Fortinet, FortiOS. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-197 CWE-197.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
WeaknessCWE-197 · CWE-197
02
Who’s exploiting it?
— attribution turns risk into urgencyVolt Typhoon State-sponsored (PRC)
CISA, NSA and FBI's AA24-038A attributes pre-positioning on US critical-infrastructure IT networks to Volt Typhoon, naming the group's exploitation of public-facing appliance vulnerabilities including the Ivanti Connect Secure (CVE-2024-21887) and Fortinet FortiOS (CVE-2022-42475) CVEs.15
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft malicious SSL-VPN requests to trigger heap buffer overflow and gain code execution without authentication.
Business
Ransomware operators establish initial access to enterprise networks through internet-facing VPN appliances.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I execute arbitrary commands on the compromised FortiOS device to establish persistence and lateral movement.
Business
Attackers pivot from VPN infrastructure into internal networks to deploy encryption malware across critical systems.
3
Lateral reach — past segmentation narrative 3
Attacker
I exfiltrate sensitive data and encrypt business-critical systems to demand ransom payment.
Business
Organizations face operational shutdown, data breach costs, regulatory penalties, and extortion demands.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05