On April 11, 2025, Fortinet disclosed that threat actors had found a way to retain read-only access to vulnerable FortiGate devices even after the initial entry vector was patched. The attackers exploited known security flaws such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. Fortinet explained that the threat actor used a known vulnerability to establish read-only access by creating a symbolic link from a folder used to serve SSL-VPN language files, which lives in the user file system, to the root file system.
Because the change was made in the user file system, it went undetected, and the symbolic link persisted even after the original vulnerabilities were fixed. This let the threat actors keep read-only access to files on the device's file system, including its configuration. Customers who had never enabled SSL-VPN were not affected. Fortinet stated that the activity was not aimed at any specific region or industry and notified affected customers directly.
To prevent similar incidents, Fortinet released software updates for FortiOS versions 7.4, 7.2, 7.0, and 6.4 that automatically remove the malicious symlink once the antivirus engine flags it. FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 additionally remove the symlink and modify the SSL-VPN UI so that such links are no longer served. Customers are advised to update to the recommended FortiOS versions, review device configurations, and treat every configuration as potentially compromised.
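As a defender-side illustration of the mechanism described above (an added example, not Fortinet's code or the FortiOS fix itself): a Python check that walks a directory served by a web front end and flags any symlink that resolves outside that directory. The temporary tree it builds is constructed for the demo, with `rootfs` and `sslvpn_lang` standing in for the device root file system and the SSL-VPN language-file folder.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return (link, target) pairs for symlinks under served_root whose
    resolved target lies outside it.

    A symlink that resolves outside the served tree lets a static-file
    handler hand out arbitrary files from the root file system, which is
    the persistence mechanism the advisory describes.
    """
    root = Path(served_root).resolve()
    findings = []
    # os.walk does not follow symlinked directories by default, so a
    # symlinked directory shows up as an entry but is never descended into.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = entry.resolve()  # follows the whole link chain
            try:
                target.relative_to(root)  # raises if target escapes root
            except ValueError:
                findings.append((entry, target))
    return findings


def build_demo():
    """Constructed sample tree: one benign in-tree link, one escaping link."""
    base = Path(tempfile.mkdtemp())
    fake_rootfs = base / "rootfs"            # stand-in for the device root fs
    (fake_rootfs / "data").mkdir(parents=True)
    (fake_rootfs / "data" / "config.conf").write_text("config system global\n")
    served = base / "sslvpn_lang"             # stand-in for the language folder
    served.mkdir()
    (served / "en.json").write_text("{}\n")
    (served / "fr.json").symlink_to(served / "en.json")   # stays inside the tree
    (served / "data").symlink_to(fake_rootfs / "data")    # escapes to "root fs"
    return served, fake_rootfs


if __name__ == "__main__":
    served_dir, _ = build_demo()
    for link, target in find_escaping_symlinks(served_dir):
        print(f"{link} -> {target} (outside served tree)")
```

The same walk can be run periodically against any static-file directory; a non-empty result is a finding to investigate rather than something to fix silently.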
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory recommending that users reset exposed credentials and consider disabling SSL-VPN functionality until patches are applied. The Computer Emergency Response Team of France (CERT-FR) acknowledged compromises dating back to early 2023. WatchTowr CEO Benjamin Harris voiced concern over the incident, emphasizing that exploitation is outpacing patching and that attackers are able to plant backdoors for persistence even after mitigation measures are taken.