The BSI warns of active exploitation of a critical vulnerability in Fortinet's SSL VPN. The SSL VPN service of FortiOS, the operating system of FortiGate firewalls, allows a remote, unauthenticated attacker to execute arbitrary code or commands.
According to the BSI, companies that use FortiGate firewalls should patch their devices as soon as possible. The manufacturer rates the vulnerability as "critical" under the Common Vulnerability Scoring System (CVSS) v3.1, with an overall score of 9.3 out of 10. The vulnerability has been assigned CVE-2022-42475. According to the Fortinet PSIRT (Product Security Incident Response Team), it is a heap-based buffer overflow in the SSL VPN service that can be triggered with specially crafted requests.
FortiGate firewalls: active exploitation of the vulnerability
Fortinet's PSIRT indicates that the following product versions are affected by the vulnerability:
- FortiOS-6K7K version 7.0.0 – 7.0.7
- FortiOS-6K7K version 6.4.0 – 6.4.9
- FortiOS-6K7K version 6.2.0 – 6.2.11
- FortiOS-6K7K version 6.0.0 – 6.0.14
- FortiOS version 7.2.0 – 7.2.2
- FortiOS version 7.0.0 – 7.0.8
- FortiOS version 6.4.0 – 6.4.10
- FortiOS version 6.2.0 – 6.2.11
Fortinet also states that it is aware of one instance in which the vulnerability was exploited in the wild. Affected organizations should therefore apply the patches immediately; because exploitation has already been observed, devices that ran a vulnerable version with SSL VPN exposed should also be checked for signs of compromise rather than only updated. Fortinet lists the fixed versions on its website; upgrade to one of the following:
- FortiOS version 7.2.3 or higher
- FortiOS version 7.0.9 or higher
- FortiOS version 6.4.11 or higher
- FortiOS version 6.2.12 or higher
- FortiOS-6K7K version 7.0.8 or higher
- FortiOS-6K7K version 6.4.10 or higher
- FortiOS-6K7K version 6.2.12 or higher
- FortiOS-6K7K version 6.0.15 or higher
About the Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is Germany's federal cyber security authority and shapes secure digitization in Germany. Its guiding principle: as the federal cyber security authority, the BSI shapes information security in digitization through prevention, detection and response for the state, the economy and society.