Created on 12-12-2022 09:08 PM
Edited on 05-28-2025 11:00 PM
By Anthony_E
Description
This article describes how a critical heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote, unauthenticated attacker to execute arbitrary code or commands with specifically crafted requests. See the FortiGuard page on the vulnerability for more details: https://www.fortiguard.com/psirt/FG-IR-22-398
Scope
FortiGate.
Solution
Fortinet recommends taking immediate action to mitigate this vulnerability (by disabling SSL VPN) before upgrading to the latest release, as documented in the advisory.
If a FortiGate is managed by a FortiManager, ensure that the FortiManager is upgraded to a compatible version before upgrading the FortiGate. For more information, see the FortiManager Compatibility Chart.
To search for the Crash Log indicators of compromise documented in the advisory, search the Event Logs either on the FortiGate or the FortiAnalyzer for multiple System level log events containing the following information:
Logdesc="Application crashed" and msg="[...] application: sslvpnd,[...], Signal 11 received, Backtrace: [...]"
Alternatively, execute the following command on the FortiGate CLI:
diagnose debug crashlog read
Search for multiple examples of the following:
xxxx: [ Date & Time ] <.....> firmware [ Firmware version ]
xxxx: [ Date & Time ] <.....> application sslvpnd
xxxx: [ Date & Time ] <.....> *** signal 11 (Segmentation fault) received ***
Additionally, search for the presence of the IoC artifacts in the filesystem with the fnsysctl command:
fnsysctl ls -l /data/lib 
/data/lib/libips.bak 
/data/lib/libgif.so 
/data/lib/libiptcp.so 
/data/lib/libipudp.so 
/data/lib/libjepg.so 
fnsysctl ls -la /var 
/var/.sslvpnconfigbk 
fnsysctl ls -l /data/etc 
/data/etc/wxd.conf 
fnsysctl ls -l / 
/flash 
If these IoCs are detected, contact customer support for assistance.
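The following Python script is an added example, not part of this article or of Fortinet's tooling. It applies the two checks above offline to text you have already copied off the device: it walks the output of diagnose debug crashlog read and records every signal 11 whose preceding application line names sslvpnd, and it compares fnsysctl ls listings against the IoC file names listed above. The crashlog lines and directory listings embedded in the script are constructed samples in the shape the article shows; the meaning of the <.....> field is not given in the article, so the parser captures and ignores it and relies on line order instead.

```python
"""Offline check of FortiGate crashlog text and fnsysctl listings for the
FG-IR-22-398 indicators described in the article (example code, not Fortinet's)."""
import re

# One crashlog line: "<seq>: <date> <time> <id> <body>".  The <id> field is not
# explained in the article, so it is matched but not interpreted.
LINE_RE = re.compile(
    r"^\d+:\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+<[^>]*>\s+(?P<body>.*)$"
)

# Constructed sample of `diagnose debug crashlog read` output (not a real capture).
SAMPLE_CRASHLOG = """\
1: 2022-12-01 10:15:02 <00123> firmware FortiGate vX.Y.Z,buildNNNN (GA)
2: 2022-12-01 10:15:02 <00123> application sslvpnd
3: 2022-12-01 10:15:02 <00123> *** signal 11 (Segmentation fault) received ***
4: 2022-12-02 08:40:11 <00456> firmware FortiGate vX.Y.Z,buildNNNN (GA)
5: 2022-12-02 08:40:11 <00456> application sslvpnd
6: 2022-12-02 08:40:11 <00456> *** signal 11 (Segmentation fault) received ***
7: 2022-12-03 12:00:00 <00789> application ipsengine
8: 2022-12-03 12:00:00 <00789> *** signal 11 (Segmentation fault) received ***
"""


def find_sslvpnd_segfaults(crashlog: str) -> list[dict]:
    """Return one record per 'signal 11' line whose most recent 'application'
    line named sslvpnd.  The article's indicator is *multiple* such entries,
    so the caller should look at the length of the result, not just truthiness."""
    hits = []
    firmware = None
    application = None
    for line in crashlog.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m["body"].strip()
        if body.startswith("firmware "):
            firmware = body[len("firmware "):]
        elif body.startswith("application "):
            application = body[len("application "):]
        elif "signal 11" in body and application == "sslvpnd":
            hits.append({"time": m["ts"], "firmware": firmware})
            application = None  # one signal line closes the current entry
    return hits


# IoC artifacts from the article, keyed by the directory listed with fnsysctl.
IOC_FILES = {
    "/data/lib": ("libips.bak", "libgif.so", "libiptcp.so", "libipudp.so", "libjepg.so"),
    "/var": (".sslvpnconfigbk",),
    "/data/etc": ("wxd.conf",),
    "/": ("flash",),
}

# Constructed `fnsysctl ls -l` / `ls -la` output for each directory (sample data,
# not from a real device).  libips.so is a normal file used here as a decoy.
SAMPLE_LISTINGS = {
    "/data/lib": """\
total 3
-rw-r--r--    1 0   0   52716 Nov  9 11:00 libips.so
-rw-r--r--    1 0   0   52716 Dec  1 10:14 libips.bak
-rw-r--r--    1 0   0    8192 Dec  1 10:14 libgif.so
""",
    "/var": """\
drwxr-xr-x    5 0   0    4096 Dec  1 10:14 .
drwxr-xr-x   12 0   0    4096 Nov  9 11:00 ..
-rw-------    1 0   0    2048 Dec  1 10:14 .sslvpnconfigbk
lrwxrwxrwx    1 0   0       8 Nov  9 11:00 log -> /data/log
""",
    "/data/etc": """\
-rw-r--r--    1 0   0     512 Nov  9 11:00 example.conf
""",
    "/": """\
drwxr-xr-x   15 0   0    4096 Nov  9 11:00 data
drwxr-xr-x    3 0   0    4096 Nov  9 11:00 var
""",
}


def names_in_listing(ls_output: str) -> set[str]:
    """File names from `ls -l` style output: the last field of each line,
    with 'name -> target' symlink lines reduced to 'name' and the
    'total N' summary line skipped."""
    names = set()
    for line in ls_output.splitlines():
        parts = line.split()
        if not parts or parts[0] == "total":
            continue
        if "->" in parts:
            parts = parts[: parts.index("->")]
        names.add(parts[-1])
    return names


def find_ioc_artifacts(listings: dict[str, str]) -> list[str]:
    """listings maps a directory to the text of its fnsysctl ls output.
    Returns the full path of every IoC artifact that is present."""
    found = []
    for directory, expected in IOC_FILES.items():
        present = names_in_listing(listings.get(directory, ""))
        base = directory.rstrip("/")  # "/" -> "" so that "/flash" is formed
        found.extend(f"{base}/{name}" for name in expected if name in present)
    return found


if __name__ == "__main__":
    crashes = find_sslvpnd_segfaults(SAMPLE_CRASHLOG)
    print(f"sslvpnd signal 11 entries: {len(crashes)}")
    for c in crashes:
        print(f"  {c['time']}  firmware={c['firmware']}")
    print("IoC artifacts present:", find_ioc_artifacts(SAMPLE_LISTINGS) or "none")
```

To use it against a real device, paste the crashlog text into SAMPLE_CRASHLOG and each fnsysctl ls output into the matching SAMPLE_LISTINGS entry; a result of two or more sslvpnd entries, or any path returned by find_ioc_artifacts, is the condition the article says should be taken to customer support. The parser deliberately attributes a signal 11 line to the application line that precedes it rather than to the <.....> value, because the article does not define that field.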
Note:
The 'fnsysctl' command will only work when logged in as a super_admin (administrator accounts with super_admin permission profile).
Related article:
Technical Tip: Usage of 'fnsysctl' Command with Examples and Requirements
This was very useful. Thank you for your efforts.