Fortinet warns that threat actors can retain read-only access to FortiGate devices even after the original vulnerability used for the breach has been patched.
The cybersecurity firm revealed that attackers exploited known FortiGate flaws such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 to gain persistent read-only access via a symlink in the SSL-VPN language folders.
“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection,” reads the advisory published by Fortinet. “Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations.”
Fortinet pointed out that only devices with SSL-VPN enabled are impacted. The company added that scans show the attacks weren’t limited to any specific region or industry.
Fortinet mitigated the attack by deploying AV/IPS signatures, updating releases to block the symbolic link, and urging customers to patch devices while maintaining transparency.
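As an added, defender-side illustration (not Fortinet's code and not FortiOS; it runs against a constructed temporary directory standing in for the SSL-VPN language folder), the following Python shows the two checks the advisory implies: an audit that lists symlinks whose target escapes a served directory, and a path-serving routine that refuses to follow such links.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

def find_escaping_symlinks(served_root: str) -> List[Tuple[str, str]]:
    """Walk a directory a web server exposes and report every symlink whose
    resolved target lies outside that directory. Returns (link, target) pairs.
    Links that stay inside the served root are not reported."""
    root = Path(served_root).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                target = p.resolve()
                if target != root and root not in target.parents:
                    hits.append((str(p), str(target)))
    return hits

def safe_open_path(served_root: str, request_path: str) -> Optional[Path]:
    """Resolve a client-supplied relative path against the served root and
    reject it if the real path (after following any symlink) escapes the root.
    Returns the real path to serve, or None to refuse the request."""
    root = Path(served_root).resolve()
    candidate = (root / request_path.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None
    return candidate

def demo() -> dict:
    """Constructed scenario: a 'lang' folder with one legitimate file, one
    harmless in-root symlink, and one planted symlink into a directory that
    holds a (constructed) configuration file outside the served root."""
    base = Path(tempfile.mkdtemp())
    try:
        lang = base / "lang"; lang.mkdir()
        (lang / "en.json").write_text('{"login": "Login"}')
        (lang / "alias.json").symlink_to(lang / "en.json")      # stays in root
        data = base / "data"; data.mkdir()
        (data / "config.conf").write_text("constructed config")
        (lang / "planted").symlink_to(data, target_is_directory=True)  # escapes
        return {
            "escaping": find_escaping_symlinks(str(lang)),
            "legit": safe_open_path(str(lang), "en.json") is not None,
            "via_link": safe_open_path(str(lang), "planted/config.conf") is None,
            "traversal": safe_open_path(str(lang), "../data/config.conf") is None,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

The audit function is the check to run after patching, since the advisory's point is that the planted link survives the firmware update that closed the original flaw.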
The company did not attribute the attacks to a specific threat actor; the investigation is still ongoing.
Below are the FortiOS mitigations released by the company:
The cybersecurity vendor notified impacted customers and provided the following mitigations:
(SecurityAffairs – hacking, FortiOS)