What is this vulnerability all about?

Fortinet informed in the latest PSIRT Advisory about a critical pre-auth vulnerability in the sslvpnd of FortiOS module allowing an anonymous attacker to execute arbitrary code.

CVE-2022-42475 is a critical vulnerability in the sslvpn module.


This heap-based buffer overflow vulnerability is tracked as CVE-2022-42475 and received a CVSSv3 score of 9.3 out of 10. This vulnerability could allow anonymous attackers to execure arbitrary code, execute commands or crash the device by sending specificly crafted network packages. Fortinet also informed that this vulerability is actively exploitet in the wild.

Affected OS

FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14


Disable SSL VPN


Upgrade to the fixed OS versions according to the Fortinet PSIRT Advisory.

How to detect an attack

Fortinet already shared a few indicators of compromise about the known attacks in the PSIRT Advisory:

Exploiting the vulnerability will generate the following entries in the logs:

Logdesc=“Application crashed“ and msg=“[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]“

After exploitation, the following artifact might be present on the file system:

Known attack sources:, 30081, 30443, 20443, 444

Another indicator of compromise is crashes of the sslvpnd. Please be alert if you receive multiple entries when checking for crashes using the following command:

# diag deb crashlog read | grep sslvpnd

Additionally, when you want to check the mentioned files in the filesystem you can use the following command:

# fnsysctl ls /data/lib

Please contact Sidarion in case of questions, if you need further support or think your systems might have been compromised.