Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit

Apr 11, 2025Ravie LakshmananNetwork Security / Vulnerability

Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched.

The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.

“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices,” the network security company said in an advisory released Thursday. “This was achieved via creating a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN.”

Fortinet said the modifications took place in the user file system and managed to evade detection, causing the symbolic link (aka symlink) to be left behind even after the security holes responsible for the initial access were plugged.

This, in turn, enabled the threat actors to maintain read-only access to files on the device’s file system, including configurations. However, customers who have never enabled SSL-VPN are not impacted by the issue.

It’s not clear who is behind the activity, but Fortinet said its investigation indicated that it was not aimed at any specific region or industry. It also said it directly notified customers who were affected by the issue.

As further mitigations to prevent such problems from happening again, a series of software updates to FortiOS have been rolled out –

• FortiOS 7.4, 7.2, 7.0, 6.4 – The symlink was flagged as malicious so that it gets automatically removed by the antivirus engine
• FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16 – The symlink was removed and SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links

Customers are advised to update their instances to FortiOS versions 7.6.2, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16, review device configurations, and treat all configurations as potentially compromised and perform appropriate recovery steps.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory of its own, urging users to reset exposed credentials and consider disabling SSL-VPN functionality until the patches can be applied. The Computer Emergency Response Team of France (CERT-FR), in a similar bulletin, said it’s aware of compromises dating all the way back to early 2023.

In a statement shared with The Hacker News, watchTowr CEO Benjamin Harris said the incident is a concern for two important reasons.

“First, in the wild exploitation is becoming significantly faster than organizations can patch,” Harris said. “More importantly, attackers are demonstrably and deeply aware of this fact.”

“Second, and more terrifying, we have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade and factory reset processes organizations have come to rely on to mitigate these situations to maintain persistence and access to compromised organizations.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!