Fortinet: Hackers Retain Access to Patched Fortigate VPNs Using Symlinks
Summary:
Fortinet has issued an urgent advisory warning that threat actors are leveraging a stealthy post-exploitation persistence technique on FortiGate VPN appliances, allowing them to maintain read-only access to compromised systems even after initial vulnerabilities were patched.
Importantly, this issue does not stem from a new zero-day vulnerability. Rather, the persistence mechanism hinges on symbolic links created by attackers during exploitation of previously disclosed vulnerabilities such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. These links were created within the user-writable directory that stores SSL-VPN language files. The attackers exploited the ability to map a symbolic link from this directory to the root file system, effectively granting themselves persistent read-only access via the public-facing SSL-VPN web portal—even after the initial vulnerability was remediated. Because the change occurs in a non-system directory, it often bypasses detection and survives firmware upgrades.
In their advisory, Fortinet explained that this access allows threat actors to passively observe system configurations and potentially harvest sensitive information, such as VPN settings or account data, which could assist in further targeted attacks or lateral movement if paired with additional exploits. While no direct remote code execution is involved in this stage, the ability to monitor configurations from a compromised interface remains a significant threat to network integrity.
Security Officer Comments:
France’s national Computer Emergency Response Team, CERT-FR, confirmed that this technique has been part of a broader, ongoing campaign impacting numerous devices across French organizations, with compromise activity traced back as far as early 2023. Their response teams have observed similar symbolic link persistence during multiple incident investigations, suggesting widespread, coordinated exploitation.
Suggested Corrections:
In response, Fortinet recommends all customers upgrade their devices to the latest secure versions of FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 specifically designed to detect and remove the malicious artifacts. Additionally, administrators should thoroughly inspect all device configurations for unauthorized or unexplained modifications and consult Fortinet's support guidance for revoking and resetting exposed credentials.
CERT-FR has further advised isolating compromised appliances from the network, rotating all security credentials including passwords, identity tokens, and cryptographic keys, and scanning the broader environment for signs of lateral movement or additional compromise.
CISA also recommends:
Link(s):
https://www.bleepingcomputer.com/ne...ess-to-patched-fortigate-vpns-using-symlinks/
Fortinet has issued an urgent advisory warning that threat actors are leveraging a stealthy post-exploitation persistence technique on FortiGate VPN appliances, allowing them to maintain read-only access to compromised systems even after initial vulnerabilities were patched.
Importantly, this issue does not stem from a new zero-day vulnerability. Rather, the persistence mechanism hinges on symbolic links created by attackers during exploitation of previously disclosed vulnerabilities such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. These links were created within the user-writable directory that stores SSL-VPN language files. The attackers exploited the ability to map a symbolic link from this directory to the root file system, effectively granting themselves persistent read-only access via the public-facing SSL-VPN web portal—even after the initial vulnerability was remediated. Because the change occurs in a non-system directory, it often bypasses detection and survives firmware upgrades.
In their advisory, Fortinet explained that this access allows threat actors to passively observe system configurations and potentially harvest sensitive information, such as VPN settings or account data, which could assist in further targeted attacks or lateral movement if paired with additional exploits. While no direct remote code execution is involved in this stage, the ability to monitor configurations from a compromised interface remains a significant threat to network integrity.
Security Officer Comments:
France’s national Computer Emergency Response Team, CERT-FR, confirmed that this technique has been part of a broader, ongoing campaign impacting numerous devices across French organizations, with compromise activity traced back as far as early 2023. Their response teams have observed similar symbolic link persistence during multiple incident investigations, suggesting widespread, coordinated exploitation.
Suggested Corrections:
In response, Fortinet recommends all customers upgrade their devices to the latest secure versions of FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 specifically designed to detect and remove the malicious artifacts. Additionally, administrators should thoroughly inspect all device configurations for unauthorized or unexplained modifications and consult Fortinet's support guidance for revoking and resetting exposed credentials.
CERT-FR has further advised isolating compromised appliances from the network, rotating all security credentials including passwords, identity tokens, and cryptographic keys, and scanning the broader environment for signs of lateral movement or additional compromise.
CISA also recommends:
- Upgrade to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16 to remove the malicious file and prevent re-compromise.
- Review the configuration of all in-scope devices.
- Reset potentially exposed credentials.
- As a work-around mitigation until the patch is applied, consider disabling SSL-VPN functionality, as exploitation of the file requires the SSL-VPN to be enabled.
Link(s):
https://www.bleepingcomputer.com/ne...ess-to-patched-fortigate-vpns-using-symlinks/