Apr 11, 2025Ravie LakshmananNetwork Security / Vulnerability

Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched.

The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.

“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices,” the network security company said in an advisory released Thursday. “This was achieved via creating a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN.”

Fortinet said the modifications took place in the user file system and managed to evade detection, causing the symbolic link (aka symlink) to be left behind even after the security holes responsible for the initial access were plugged.

This, in turn, enabled the threat actors to maintain read-only access to files on the device’s file system, including configurations. However, customers who have never enabled SSL-VPN are not impacted by the issue.

It’s not clear who is behind the activity, but Fortinet said its investigation indicated that it was not aimed at any specific region or industry. It also said it directly notified customers who were affected by the issue.

As further mitigations to prevent such problems from happening again, a series of software updates to FortiOS have been rolled out –

• FortiOS 7.4, 7.2, 7.0, 6.4 – The symlink was flagged as malicious so that it gets automatically removed by the antivirus engine
• FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 – The symlink was removed and SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links

Customers are advised to update their instances to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16, review device configurations, and treat all configurations as potentially compromised and perform appropriate recovery steps.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory of its own, urging users to reset exposed credentials and consider disabling SSL-VPN functionality until the patches can be applied. The Computer Emergency Response Team of France (CERT-FR), in a similar bulletin, said it’s aware of compromises dating all the way back to early 2023.

In a statement shared with The Hacker News, watchTowr CEO Benjamin Harris said the incident is a concern for two important reasons.

“First, in the wild exploitation is becoming significantly faster than organizations can patch,” Harris said. “More importantly, attackers are demonstrably and deeply aware of this fact.”

“Second, and more terrifying, we have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade and factory reset processes organizations have come to rely on to mitigate these situations to maintain persistence and access to compromised organizations.”

Harris also said backdoor deployments have been identified across the watchTowr client base, and that they are “seeing impact at organizations that many would clearly call critical infrastructure.”