HQ/EMEAFind out how we can help your business
Fortinet has issued an advisory indicating that attackers can allegedly maintain read-only access to FortiGate devices even after the vulnerabilities exploited for the breach have been patched.
The company verified that malicious actors took advantage of known FortiGate vulnerabilities—specifically CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762—to acquire persistent access through a symbolic link trick.
By generating a symbolic link in the directory serving language files for FortiGate’s SSL-VPN feature, attackers connected the user filesystem to the root filesystem. This connection allowed them to access device configurations and other sensitive files.
Fortinet noted that this modification occurred in the user filesystem, enabling attackers to evade detection measures.
The symbolic link tactic can potentially be a massive risk to FortiGate devices as it bypasses patches.
This persistent symbolic link remains effective even after updating affected FortiGate devices with patched versions of FortiOS. Consequently, threat actors could continue to access the system in a read-only manner, creating a significant risk to system integrity and confidentiality.
In addition, the affected company pointed out that only FortiGate devices with SSL-VPN enabled were affected by this method. Additional assessment also revealed that the attacks were not limited to a specific industry or region, indicating broad targeting.
Fortinet has implemented several measures to mitigate the threat: deploying antivirus (AV) and intrusion prevention system (IPS) signatures, adjusting the SSL-VPN UI to block malicious symbolic links, and recommending customers upgrade to specific FortiOS versions.
On the other hand, the advised FortiOS versions—7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16—automatically eliminate the symbolic links and enhance protection against this vulnerability.
Furthermore, Fortinet has informed impacted customers and advised them to consider all configurations potentially compromised.
The company recommends that users review their device configurations thoroughly to prevent this new attack. Lastly, susceptible devices must enforce the security updates to the secure FortiOS versions.
