Fortinet: Government networks targeted with now-patched SSL-VPN zero-day

Fortinet says unknown attackers exploited a FortiOS SSL-VPN zero-day vulnerability patched last month in attacks against government organizations and government-related targets.

The security flaw (CVE-2022-42475) abused in these incidents is a heap-based buffer overflow weakness found in the FortiOS SSLVPNd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution.

The network security company urged customers in mid-December to patch their appliances against ongoing attacks exploiting this vulnerability after quietly fixing the bug on November 28 in FortiOS 7.2.3 (and without releasing information that it was a zero-day).

Read more…
Source: Bleeping Computer