Hackers maintain access to patched FortiGate VPNs using symbolic link technique

Fortinet has issued an urgent advisory warning that threat actors are employing a sophisticated post-exploitation technique to maintain access to previously compromised FortiGate VPN devices, even after the original vulnerabilities have been patched.

The security firm began alerting customers last week through emails marked “Notification of device compromise – FortiGate / FortiOS – ** Urgent action required **” with a TLP+STRICT designation, indicating the sensitive nature of the information.

“This issue is not related to any new vulnerability. This file was left behind by a threat actor following exploitation of previous known vulnerabilities,” Fortinet explained in these communications, referencing vulnerabilities including but not limited to CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.

Fortinet said that during its investigation, “a threat actor was observed using known vulnerabilities (e.g. FG-IR-22-398, FG-IR-23-097, FG-IR-24-015) to gain access to Fortinet devices.”

“The targeting of known, unpatched vulnerabilities by a threat actor is not new and has been previously examined; this specific finding is the result of a threat actor taking advantage of a known vulnerability with a new technique to maintain read-only access to vulnerable FortiGate devices after the original access vector was locked down.”

According to the company, attackers who had previously breached devices using known vulnerabilities created symbolic links (symlinks) in the language files folder that point to the root file system on devices with SSL-VPN enabled.

This clever technique allows attackers to maintain read-only access to the root filesystem through the publicly accessible SSL-VPN web panel even after they’ve been discovered and the original vulnerability has been patched.

“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN,” Fortinet explained. “This modification took place in the user filesystem and avoided detection.”
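The defensive check implied by the description above, as an added example that is not Fortinet's code or guidance: walk a web-served folder and report every symlink whose resolved target lies outside that folder. The directory layout is constructed in a temporary directory; no real FortiOS path is assumed.

```python
# Added example (not Fortinet's code): audit a web-served folder for symlinks
# that resolve outside it, the pattern described above (a link in the language
# file folder pointing at the root filesystem). Paths are constructed in a
# temporary directory; no real FortiOS path is assumed.
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root: str) -> list[tuple[str, str]]:
    """Return (link, resolved_target) for each symlink under served_root whose
    target lies outside served_root. Symlinked directories are reported but not
    descended into (os.walk default), so a link to "/" does not walk the disk."""
    root = Path(served_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = entry.resolve()  # follows the whole chain of links
            try:
                target.relative_to(root)  # inside the served folder: benign
            except ValueError:
                findings.append((str(entry), str(target)))
    return findings


def build_sample() -> tuple[str, str]:
    """Constructed layout: a language folder with one real file, one benign
    relative link, and one link escaping to the root filesystem."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-")).resolve()
    served = base / "lang"
    served.mkdir()
    (served / "en.json").write_text('{"login": "Login"}')
    (served / "default.json").symlink_to("en.json")  # stays inside the folder
    (served / "sys").symlink_to("/")                 # escapes to the root fs
    return str(served), str(served / "sys")


if __name__ == "__main__":
    served, _ = build_sample()
    for link, target in find_escaping_symlinks(served):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

Run against a real served directory, the same function reports links that escape the folder while leaving relative links within it alone.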

While Fortinet did not specify the timeframe of these attacks, the Computer Emergency Response Team of France (CERT-FR), part of the country’s National Agency for the Security of Information Systems (ANSSI), revealed that this technique has been deployed in a massive attack campaign dating back to early 2023.

The Cybersecurity and Infrastructure Security Agency (CISA) has also responded, advising network defenders to report any incidents and anomalous activity related to Fortinet’s advisory to its 24/7 Operations Center.

Fortinet has urged customers to immediately upgrade their FortiGuard firewalls to the latest version of FortiOS (7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16).

Additionally, administrators are advised to:

  • Review device configurations immediately, focusing on unexpected changes
  • Follow guidance in Fortinet’s support documentation for resetting potentially exposed credentials on compromised devices

“It is critically important for all organizations to keep their devices up to date,” Fortinet said.

“A variety of government organizations have reported state-sponsored threat actors are targeting all vendors, including known but unpatched vulnerabilities. In general, the best defense against any known vulnerability is following good cyber hygiene practices, including upgrading.”