Fortinet has disclosed a concerning issue where threat actors maintain read-only access to compromised FortiGate devices, even after patching the initial breach. The attackers exploited known vulnerabilities, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, to gain access. The malicious activity involved creating a symbolic link between the user file system and the root file system, which went undetected, leaving the symlink intact even after the original vulnerabilities were patched. This allowed the attackers to retain read-only access to sensitive device files, such as configurations.
Fortinet’s investigation revealed that the attack was not focused on any specific region or industry. Affected customers who used SSL-VPN were notified directly by Fortinet. In response, Fortinet has released several software updates for FortiOS versions 7.4, 7.2, 7.0, and 6.4, which automatically detect and remove the symlink through antivirus engines.
These updates also modify the SSL-VPN interface to block the malicious symbolic links from being served to the device.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended that users reset exposed credentials and consider disabling SSL-VPN functionality until the updates are applied. Similarly, the Computer Emergency Response Team of France (CERT-FR) highlighted that compromises had been detected dating back to early 2023.
Fortinet urged users to update their systems to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 to prevent further exploitation, and to review their configurations as potentially compromised.
WatchTowr CEO Benjamin Harris expressed concern over the rapid exploitation of vulnerabilities, warning that attackers are increasingly deploying backdoors designed to persist beyond patching efforts. Harris pointed out that backdoors have been found in organizations considered critical infrastructure. The incident underscores a growing challenge where cybercriminals adapt quickly, maintaining access even after patches are applied, raising the stakes for cybersecurity in critical sectors.
