Information Security Advisories

Information on relevant CVEs and security issues for clients

December 2022

Description: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Severity: 9.3
Impact to CoreWeave Platform: Currently no known impact to CoreWeave Platform
Potentially Affected Clients: Clients using FortiOS
Recommended Actions: Vendor-recommended mitigations
FortiGuard Labs has confirmed at least one instance of vulnerability CVE-2022-42475 being exploited in the wild. Given the high value (CVE critical severity rating 9.3) and relatively low complexity of this vulnerability, CoreWeave strongly recommends upgrading to an unaffected version of FortiOS on an accelerated patch schedule, according to vendor recommendations. Vulnerability checks for CVE-2022-42475 are available from a variety of sources. Please use caution when running any script or application to ensure it is safe.
At this time there is no impact to CoreWeave's platform, however customers who have FortiOS running within their environment are advised to review the vendor-recommended mitigations, and take appropriate self measures to upgrade their deployments and evaluate their systems for any indicators of compromise. Our cyber security team is closely monitoring the situation, and will provide important updates should more information become available.