Fortinet Warns of Persistent Read-Only Access in FortiGate Devices Despite Patching
Fortinet has issued a new security advisory revealing that threat actors have found a method to retain read-only access to FortiGate devices, even after the vulnerabilities initially used for exploitation were patched.
The attackers reportedly exploited a series of known and now-remediated vulnerabilities, such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. Fortinet explained that the threat actors used these flaws to create a symbolic link (symlink) connecting the user file system and the root file system in a directory that serves language files for the SSL-VPN feature.
This technique enabled stealthy persistence by modifying the user file system in a way that evaded detection. Even after the original vulnerabilities were patched, the symlink remained, allowing continued access to configuration files and other system data in a read-only mode.
The issue does not affect users who have never enabled SSL-VPN, according to Fortinet. Although the attackers’ identities remain unknown, the company noted that the campaign does not appear to target any specific industry or geographic region. Fortinet has directly notified impacted customers.
To combat the threat, Fortinet has released a series of FortiOS software updates that include both removal of the symlink and modifications to the SSL-VPN UI to block future exploitation attempts. Key updates include:
- Antivirus engine updates in FortiOS versions 7.4, 7.2, 7.0, and 6.4 to automatically flag and delete malicious symlinks.
- System-level patches in FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 to remove the symlink and secure the SSL-VPN interface.
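The persistence described above rests on one detectable property: a symlink inside a directory that the SSL-VPN serves as static content resolves to a location outside that directory. The following is an added example of that defender-side check, written for this article and not code from Fortinet or FortiOS. It walks a served directory, resolves every symlink, and reports any whose target escapes the served tree, which is the class of link the FortiOS antivirus-engine update flags. The directory names, the sample language file and the "outside" target are constructed here for demonstration; the real FortiOS paths are not given in the advisory and are not assumed.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return [(link_path, resolved_target)] for every symlink under served_root
    whose resolved target is not inside served_root.

    A benign link (e.g. one language file aliasing another) resolves inside the
    tree; a link that bridges to the rest of the file system resolves outside it.
    Dangling links are still reported, since their target is also outside."""
    root = Path(served_root).resolve()
    findings = []
    # followlinks=False (the default) keeps the walk from descending into a
    # linked directory, so an escaping link is reported once, not traversed.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=False)
            except (OSError, RuntimeError):
                # resolve() gives up on symlink loops; fall back to the raw link text
                target = Path(os.readlink(link))
            inside = target == root or root in target.parents
            if not inside:
                findings.append((str(link), str(target)))
    return findings


def build_demo():
    """Constructed sample tree (not a real device layout) exercising both cases."""
    base = Path(tempfile.mkdtemp(prefix="symlink-check-"))
    served = base / "served"              # stands in for the served web content root
    lang = served / "lang"                # stands in for the language-file directory
    lang.mkdir(parents=True)
    (lang / "en.json").write_text('{"login": "Login"}')

    outside = base / "outside"            # stands in for the rest of the file system
    outside.mkdir()
    (outside / "config.txt").write_text("constructed sample config")

    os.symlink("en.json", lang / "fr.json")   # benign: relative link, stays inside
    os.symlink(outside, lang / ".cache")      # escaping: bridges to outside content
    return find_escaping_symlinks(served)


if __name__ == "__main__":
    for link, target in build_demo():
        print(f"escaping symlink: {link} -> {target}")
```

Run against a served directory, the function returns only links that leave the tree; a clean tree returns an empty list. Because a symlink survives a software upgrade just as the advisory describes, the check is worth running after patching as well as before.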
Fortinet advises all customers to upgrade to the latest FortiOS versions, review device configurations thoroughly, treat them as potentially compromised, and take appropriate recovery measures.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued a bulletin urging users to reset exposed credentials and consider disabling SSL-VPN until patches are applied. Similarly, France's CERT-FR reported that compromises may date back to early 2023.
Benjamin Harris, CEO of watchTowr, voiced concerns about the incident, stating that the situation reflects a growing trend in which threat actors are exploiting systems faster than organizations can respond. He emphasized a worrying reality where attackers are now deploying persistent backdoors designed to survive patching, upgrades, and even factory resets.