"Fortinet Urges Customers to Fix Actively Exploited FortiOS SSL-VPN Bug"

Fortinet has patched an actively exploited FortiOS SSL-VPN flaw that could allow a remote, unauthenticated attacker to execute arbitrary code on affected devices. Fortinet strongly advises customers to update their installations to address the FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475. According to Fortinet, the vulnerability is a heap-based buffer overflow in FortiOS sslvpnd. A heap overflow is a type of buffer overflow that occurs when a chunk of memory is allocated on the heap and data is written to it without any bounds checking. This can overwrite critical heap data structures such as heap headers, or heap-resident data such as dynamic object pointers, which in turn can lead to the overwriting of a virtual function table. The vulnerability impacts FortiOS versions 7.2.0 through 7.2.2, FortiOS versions 7.0.0 through 7.0.8, and more. A remote attacker can also use the flaw to execute commands through specially crafted requests. This article continues to discuss the actively exploited FortiOS SSL-VPN bug.
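The paragraph above describes the general shape of a heap-based buffer overflow: a length taken from the request drives a copy into a fixed-size heap chunk with no bounds check. The following C program is an added illustration of that pattern and of the check that closes it; it is not FortiOS or sslvpnd code, and the length-prefixed wire format, the FIELD_CAP size and the sample messages are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the heap chunk each field is copied into (constructed value). */
#define FIELD_CAP 64

/* Vulnerable pattern: the caller-supplied length drives memcpy into a
 * fixed-size heap chunk with no check against FIELD_CAP. If len exceeds
 * the chunk, the copy runs past it into adjacent heap metadata or objects,
 * which is the class of defect the article describes. Shown only for
 * contrast; the demo below calls it only with an in-bounds length. */
static char *copy_field_unchecked(const uint8_t *src, size_t len) {
    char *buf = malloc(FIELD_CAP);
    if (buf == NULL) return NULL;
    memcpy(buf, src, len);          /* no bound check on len */
    return buf;
}

/* Hardened parser for a constructed wire format:
 *   [2-byte big-endian length][length bytes of payload]
 * Every bound is validated before the heap chunk is allocated or written.
 * Returns 0 and sets *out (caller frees) on success, negative on error. */
static int parse_field(const uint8_t *msg, size_t msg_len, char **out) {
    *out = NULL;
    if (msg_len < 2) return -1;                      /* header truncated */
    size_t len = ((size_t)msg[0] << 8) | msg[1];     /* attacker-controlled */
    if (len > msg_len - 2) return -2;                /* claims bytes not present */
    if (len >= FIELD_CAP) return -3;                 /* would not fit (room for NUL) */
    char *buf = malloc(FIELD_CAP);
    if (buf == NULL) return -4;
    memcpy(buf, msg + 2, len);
    buf[len] = '\0';
    *out = buf;
    return 0;
}

/* Constructed sample messages. */
static const uint8_t MSG_OK[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t MSG_TRUNCATED[] = { 0x00, 0x03, 'x', 'y' };  /* claims 3, has 2 */

/* Builds a well-formed message whose payload is n bytes of 'A' and returns
 * parse_field's result, to show how over-capacity lengths are rejected. */
static int parse_payload_of_length(size_t n) {
    if (n > 0xFFFF) return -99;
    uint8_t *msg = malloc(n + 2);
    if (msg == NULL) return -99;
    msg[0] = (uint8_t)(n >> 8);
    msg[1] = (uint8_t)(n & 0xFF);
    memset(msg + 2, 'A', n);
    char *field = NULL;
    int rc = parse_field(msg, n + 2, &field);
    free(field);
    free(msg);
    return rc;
}

/* Returns 1 when MSG_OK parses to the expected string, 0 otherwise. */
static int parse_ok_sample(void) {
    char *field = NULL;
    int rc = parse_field(MSG_OK, sizeof MSG_OK, &field);
    int match = (rc == 0 && field != NULL && strcmp(field, "hello") == 0);
    free(field);
    return match;
}

/* Returns parse_field's error code for the truncated sample. */
static int parse_truncated_sample(void) {
    char *field = NULL;
    return parse_field(MSG_TRUNCATED, sizeof MSG_TRUNCATED, &field);
}

int main(void) {
    /* The unchecked copy is only ever exercised here with an in-bounds length. */
    char *u = copy_field_unchecked(MSG_OK + 2, 5);
    free(u);

    printf("well-formed: %d\n", parse_ok_sample());             /* 1  */
    printf("truncated:   %d\n", parse_truncated_sample());      /* -2 */
    printf("len 63:      %d\n", parse_payload_of_length(63));   /* 0  */
    printf("len 64:      %d\n", parse_payload_of_length(64));   /* -3 */
    printf("len 1024:    %d\n", parse_payload_of_length(1024)); /* -3 */
    return 0;
}
```

The two checks in parse_field are the ones that matter: the declared length is compared both against the bytes actually present in the message and against the capacity of the destination chunk, and both comparisons happen before malloc and memcpy. Building such a parser with a sanitizer (for example compiling with -fsanitize=address) makes the difference visible: the unchecked copy aborts on an oversized length, while the hardened parser simply returns an error.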

Security Affairs reports "Fortinet Urges Customers to Fix Actively Exploited FortiOS SSL-VPN Bug"

Submitted by Anonymous on