CVE-2022-42475

CRITICAL KEV RANSOMWARE NUCLEI

FortiOS 5.0.0-5.0.13 and FortiProxy 1.0.0-1.0.6 - Heap-Based Buffer Overflow via SSL-VPN Requests

Title source: llm

Exploitation Summary

CVE-2022-42475 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 13, 2022, with confirmed use in ransomware campaigns. EIP tracks 10 public exploits from researchers including scrt, 0xhaggis, P4x1s. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits a heap overflow in Fortinet's SSLVPN daemon (CVE-2022-42475) to achieve remote code execution via a crafted ROP chain. It sends a malicious HTTP POST request with a large payload to trigger the vulnerability and execute a reverse shell.

Description

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Exploits (10)

nomisec WORKING POC 105 stars
by scrt · dos
https://github.com/scrt/cve-2022-42475

This PoC exploits a heap overflow in Fortinet's SSLVPN daemon (CVE-2022-42475) to achieve remote code execution via a crafted ROP chain. It sends a malicious HTTP POST request with a large payload to trigger the vulnerability and execute a reverse shell.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Fortinet SSLVPN daemon
No auth needed
Prerequisites: Network access to the target SSLVPN service · Python environment with `pwntools` and `requests` libraries
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 36 stars
by 0xhaggis · remote
https://github.com/0xhaggis/CVE-2022-42475

This is a functional exploit for CVE-2022-42475, a heap-based buffer overflow in Fortinet SSL-VPN. It leverages ROP chains and a connect-back shellcode to achieve remote code execution on vulnerable FortiGate devices.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Fortinet FortiGate SSL-VPN (versions affected by CVE-2022-42475)
No auth needed
Prerequisites: Network access to the SSL-VPN interface · Vulnerable FortiGate firmware version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 8 stars
by P4x1s · poc
https://github.com/P4x1s/CVE-2022-42475-RCE-POC

This PoC exploits CVE-2022-42475, a buffer overflow vulnerability in Fortinet SSL VPN (sslvpnd), to achieve remote code execution (RCE) via a crafted payload sent over SSL. The exploit constructs a ROP chain to execute a reverse shell using Python.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: FortiOS (2.0 <= FortiOS <= 7.2.2, 0.0 <= FortiOS <= 7.0.8, etc.)
No auth needed
Prerequisites: Network access to the target's SSL VPN service · Python environment with required libraries (pwntools, requests)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 7 stars
by Amir-hy · remote
https://github.com/Amir-hy/cve-2022-42475

This is a Python-based exploit for CVE-2022-42475, a heap overflow vulnerability in Fortinet's SSL-VPN daemon. It constructs a ROP chain to achieve remote code execution by sending a maliciously crafted POST request to the target.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: FortiOS SSL-VPN daemon
No auth needed
Prerequisites: Network access to the target's SSL-VPN interface · Python environment with required libraries (e.g., pwntools)
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 1 star
by bryanster · poc
https://github.com/bryanster/ioc-cve-2022-42475

This repository provides a Rust-based utility to scan Fortinet FortiGate devices for indicators of compromise (IOCs) related to CVE-2022-42475. It uses SSH to execute diagnostic commands and checks for specific files, strings, and IPs associated with the vulnerability.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiGate (versions affected by CVE-2022-42475)
Auth required
Prerequisites: SSH access to the target FortiGate device · Valid SSH credentials
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Mustafa1986 · remote
https://github.com/Mustafa1986/cve-2022-42475-Fortinet

This PoC exploits a heap overflow in Fortinet's SSLVPN daemon (CVE-2022-42475) to achieve remote code execution via a crafted ROP chain and reverse shell payload. It leverages hardcoded gadgets and a Python-based reverse shell to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Fortinet SSLVPN daemon
No auth needed
Prerequisites: Network access to vulnerable Fortinet SSLVPN service · Listener set up on attacker's machine for reverse shell
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by dyeat · pythonpoc
https://github.com/dyeat/cve-reproduction/tree/main/Fortinet/FortiOS/CVE-2022-42475

This repository contains a functional exploit for CVE-2022-42475, a heap-based buffer overflow in Fortinet FortiOS SSL-VPN service. The exploit leverages ROP chains and a reverse shell payload to achieve pre-authentication remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Fortinet FortiOS SSL-VPN service
No auth needed
Prerequisites: Target IP and port · Reverse shell listener address
devstral-2 · analyzed May 22, 2026

nomisec WORKING POC
by ArthurHendrich · remote
https://github.com/ArthurHendrich/CVE-2022-42475-POC

This repository contains a functional exploit for CVE-2022-42475, a heap-based buffer overflow vulnerability in Fortinet SSL VPN. The exploit leverages an integer overflow in the Content-Length header to achieve remote code execution (RCE) via a crafted HTTP request with a ROP chain and shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Fortinet SSL VPN (FortiOS)
No auth needed
Prerequisites: Network access to the vulnerable SSL VPN interface · Knowledge of target hardware/software version for ROP chain compatibility
devstral-2 · analyzed Feb 28, 2026

nomisec WORKING POC
by natceil · remote
https://github.com/natceil/cve-2022-42475

This PoC exploits CVE-2022-42475, a buffer overflow vulnerability in Fortinet FortiOS SSL-VPN, to achieve remote code execution (RCE) via a crafted HTTP POST request. The exploit constructs a ROP chain to execute a reverse shell payload.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Fortinet FortiOS SSL-VPN
No auth needed
Prerequisites: Network access to the target SSL-VPN service · Python environment with required libraries (pwntools, requests)
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/AiK1d/CVE-2022-42475-RCE-POC

This repository contains a functional exploit for CVE-2022-42475, a buffer overflow vulnerability in Fortinet SSL VPN (sslvpnd) that allows unauthenticated remote code execution. The exploit constructs a ROP chain to execute a reverse shell payload via a crafted HTTP POST request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: FortiOS (sslvpnd)
No auth needed
Prerequisites: Network access to the target SSL VPN service · Known target host and port · Reverse shell listener setup
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Fortinet SSL-VPN - Heap-Based Buffer Overflow
CRITICAL · by 0xhaggis, pszyszkowski, pussycat0x
Shodan: cpe:"cpe:2.3:o:fortinet:fortios" || http.html:"/remote/login" "xxxxxxxx" || http.favicon.hash:"945408572"
FOFA: body="/remote/login" "xxxxxxxx" || icon_hash="945408572"

Scores

CVSS v3 9.8
EPSS 0.9392
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-12-13
VulnCheck KEV 2022-12-12
InTheWild.io 2022-12-12
ENISA EUVD EUVD-2022-45545
Ransomware Use Confirmed
CWE: CWE-197, CWE-787
Status published
Products (2)
fortinet/fortios 5.0.0 - 5.0.14
fortinet/fortiproxy 1.0.0 - 1.0.7
Published Jan 02, 2023
KEV Added Dec 13, 2022
Tracked Since Feb 18, 2026