THREAT INTELLIGENCE · 7 MIN
FortiOS SSL-VPN Zero-Day (CVE-2022-42475): What We Learned
Three years after CVE-2022-42475 hit FortiOS SSL-VPN, the playbook for handling vendor zero-days hasn't changed. Here's the IOC pattern, detection logic, and the operating model that catches the next one.
What was CVE-2022-42475 in FortiOS and how should organizations detect it today?
CVE-2022-42475 is a heap-based buffer overflow in the FortiOS SSL-VPN service that allowed unauthenticated remote code execution. It was exploited as a zero-day against government and enterprise targets in late 2022. Detection relies on three signals: specific application crash log entries, the presence of named artifact files on the appliance filesystem, and outbound connections to the IP/IOC list Fortinet published.
FortiOS SSL-VPN Zero-Day (CVE-2022-42475): What We Learned
CVE-2022-42475 was a heap-based buffer overflow in the FortiOS SSL-VPN service that allowed an unauthenticated attacker to execute arbitrary code by sending a specifically crafted request. Fortinet disclosed it on 12 December 2022 with a CVSS score of 9.3. By the time the advisory landed, the bug was already being weaponized against government and large-enterprise targets — a textbook zero-day.
Three years later, the patch has been out for longer than most SSL-VPN appliances stay in service. The vulnerability itself is closed. The lesson it taught is the one worth keeping.
What actually happened
According to Fortinet's post-mortem, the attackers were operationally sharp — the kind of capability the report described as "highly targeted" and consistent with a well-resourced threat actor. The exploitation flow was:
- Send a crafted HTTP request to the SSL-VPN service.
- Trigger the heap overflow, gain code execution as the SSL-VPN daemon.
- Drop a set of named files into the appliance filesystem to maintain persistence.
- Pivot inward — typical T1190 → internal recon → credential access.
The artifacts Fortinet published as IOCs were the gift to defenders:
/data/lib/libips.bak/data/lib/libgif.so/data/lib/libiptcp.so/data/lib/libipudp.so/data/lib/libjepg.so/var/.sslvpnconfigbk/data/etc/wxd.conf/flash
Combined with two log signatures — Logdesc="Application crashed" and msg="...application:sslvpnd...Signal 11 received..." — and a published threat-actor IP list, you had everything needed to build detection.
Why this CVE became a SOC training case
Most vendor zero-days arrive with a vague advisory and a "patch immediately" press release. CVE-2022-42475 was different. Fortinet published filesystem artifacts, log signatures, and infrastructure IOCs in the same advisory — a level of operational specificity that made detection tractable on day one.
That made it the cleanest training case our SOC analysts use to teach two skills:
- How to translate a CVE advisory into a hunt query in less than 90 minutes.
- How to chain three signal layers — appliance logs, filesystem state, network egress — into a single high-confidence detection.
The QMasters take: a CVE without IOCs is a press release. A CVE with IOCs is a sprint. The job of an MDR provider is to turn the second one into a 60-minute response across every customer environment, every time.
The detection logic, three years on
The specific CVE is patched, but the pattern is recurring. Every SSL-VPN, ZTNA gateway, edge firewall, and remote-access appliance is now treated as a perimeter risk class, not a trusted device. Our standing detection model for this class of asset:
Layer 1 — Process and crash anomalies
Watch for any non-standard daemon crash signature on the appliance, especially repeated Signal 11 (segfault) on internet-facing services. One crash is noise. Three within a 10-minute window on the same daemon is a hunt trigger.
Layer 2 — Filesystem drift
Compare appliance filesystem state against a known-good snapshot taken right after the last patched build. New files in /data/lib/, /data/etc/, or /var/ that were not part of the upgrade package are guilty until proven innocent.
Layer 3 — Egress to known-bad infrastructure
This is where threat intelligence turns the detection from probabilistic to certain. Our DailyIOC feed ingests vendor advisories, government CERT publications, and our own SOC observations into a 250K+ daily indicator stream that gets enforced at every customer's egress control point — usually within an hour of a vendor advisory landing.
For CVE-2022-42475 specifically, the published IPs 188[.]34.130.40 and 103[.]131.189.143 were in the feed before most customers had even read the advisory.
What this changed in our operating model
Two operational changes came directly out of the FortiOS response and have stayed:
1. Edge appliance log streaming is now non-negotiable. Every customer onboarded since 2023 streams their SSL-VPN, firewall, and edge ZTNA logs to the QMasters SIEM at 4 TB/day aggregate ingest across all customers. No log = no detection. We won't onboard a perimeter-exposed appliance without it.
2. Vendor advisory monitoring is structured, not ad-hoc. Fortinet, Cisco, F5, Citrix, Palo Alto, Check Point, Ivanti, Microsoft — every one of them gets watched for PSIRT releases by a named SOC shift. Critical advisories trigger a 60-minute response: pull the IOCs into DailyIOC, run a retroactive hunt across customer telemetry for the prior 30 days, push a customer notification with detection status.
Soft CTA
If you're wondering whether your current MDR provider would have caught this in the first 60 minutes, that's exactly the kind of question our StrongHold MCSS onboarding is built to answer.
What every CISO should take from this
Vendor zero-days against perimeter appliances are not edge cases anymore — they are a recurring threat pattern. The defenders who handled CVE-2022-42475 well shared three things:
- A SOC that treated the advisory as a 60-minute SLA, not a Monday-morning ticket
- A threat intelligence feed that pushed IOCs to enforcement controls automatically
- A retroactive hunt capability that let them check the previous 30 days of telemetry, not just the next 30
These are the same three things that catch the next one.
FAQ
Q: Is CVE-2022-42475 still being exploited?
A: Patched FortiOS versions removed the original primitive, but copy-cat techniques against SSL-VPN appliances continue. Any unpatched FortiGate still exposed to the internet remains a target — and the published IOCs are still useful for retro hunts.
Q: What CVSS score did CVE-2022-42475 receive?
A: 9.3 — critical. Fortinet's PSIRT advisory rated it critical due to unauthenticated remote code execution against an internet-facing service.
Q: How do you detect post-exploitation activity from this CVE?
A: Hunt for the IOC files Fortinet published in /data/lib/ and /data/etc/, the application:sslvpnd crash signature with Signal 11 in logs, and outbound connections to the threat-actor IP infrastructure listed in the advisory.
Q: What's the right way to run a vendor zero-day playbook?
A: A 60-minute response loop: ingest the advisory IOCs into your threat intelligence feed, run a retroactive 30-day hunt across customer telemetry, push enforcement to perimeter controls, and notify customers with patch status. Anything slower is a structural problem, not a process problem.
Talk to QMasters
If your team is responding to vendor zero-days reactively rather than running a structured 60-minute playbook, talk to a QMasters SOC analyst. We'll show you what our DailyIOC feed and StrongHold MCSS would have done with this CVE in the first hour.
Want the bigger picture? Visit QMasters, learn about our cyber threat intelligence, or take a look at endpoint security.
---
Author · QMasters SOC Team
Last updated · 2026-04-15
Reading time · 7 min
FAQ
Frequently asked questions.
Patched FortiOS versions removed the original primitive, but copy-cat techniques against SSL-VPN appliances continue. Any unpatched FortiGate exposed to the internet remains a target.
9.3 — critical. Fortinet's PSIRT advisory rated it critical due to unauthenticated remote code execution.
Hunt for the four IOC files Fortinet published (libips.bak, libgif.so, libiptcp.so, libipudp.so), the application:sslvpnd crash signature in logs, and outbound traffic to the published threat-actor IP infrastructure.
ABOUT THE AUTHOR
Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.