Fortinet has issued a critical advisory revealing that threat actors are maintaining unauthorized, read-only access to FortiGate devices even after the initial vulnerabilities have been patched. This persistent access is achieved through a symbolic link (symlink) exploit within the SSL-VPN component, allowing attackers to bypass standard remediation efforts.
Symlink Exploit Enables Stealthy Persistence
The attackers exploited known vulnerabilities, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, to create symlinks that connect the user file system to the root file system in directories serving SSL-VPN language files. These modifications, residing in the user file system, evade detection and persist even after patches are applied, granting attackers continued read-only access to sensitive configurations.
Mitigation Measures and Recommended Actions
Fortinet has released updates across multiple FortiOS versions to address this issue:
- In FortiOS versions 7.4, 7.2, 7.0, and 6.4, the symlink is now flagged as malicious, enabling automatic removal by the antivirus engine.
- In FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16, the symlink is removed, and the SSL-VPN UI has been modified to prevent serving such malicious symlinks.
Administrators are strongly advised to update to these versions, thoroughly review device configurations, and treat all configurations as potentially compromised. Appropriate recovery steps should be undertaken to ensure system integrity.
Global Security Agencies Issue Warnings
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory urging users to reset exposed credentials and consider disabling SSL-VPN functionality until patches can be applied. Similarly, France’s Computer Emergency Response Team (CERT-FR) has acknowledged compromises dating back to early 2023, emphasizing the widespread nature of this threat.
Expert Insights on Evolving Threat Landscape
Benjamin Harris, CEO of cybersecurity firm watchTowr, highlighted the increasing speed at which attackers exploit vulnerabilities, often outpacing organizational patching efforts. He noted that attackers are deploying backdoors designed to survive standard remediation processes, including patching, upgrades, and factory resets, thereby maintaining persistent access to compromised systems.
Key Takeaways for FortiGate Users
- Update Immediately: Ensure FortiOS is updated to the latest patched versions.
- Review Configurations: Conduct comprehensive reviews of device configurations for unauthorized changes.
- Reset Credentials: Reset all potentially exposed credentials associated with the affected devices.
- Consider Disabling SSL-VPN: If immediate patching isn’t feasible, temporarily disable SSL-VPN functionality to mitigate risk.