
Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit


Fortinet has identified a technique used by threat actors to retain unauthorized, read-only access to FortiGate devices even after the associated vulnerabilities were patched, reports The Hacker News. The attackers exploited a known vulnerability to insert a symbolic link (symlink) that connects the user file system to the root file system. This symlink was placed in a directory tied to the SSL-VPN language file function, allowing persistent access without triggering alerts.

The exploit involves previously disclosed vulnerabilities such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. While these flaws have been addressed, the symlink remains in place unless explicitly removed, granting attackers continued visibility into device configurations. The tactic bypasses typical detection methods, and the read-only nature of the access means that although no direct changes can be made, sensitive data may still be exposed. Devices with SSL-VPN functionality disabled are not affected.

To counter the issue, Fortinet has implemented targeted updates across FortiOS versions, including automated removal of the symlink through antivirus detection and changes to the SSL-VPN interface to prevent similar abuses. Customers are advised to upgrade to the latest FortiOS versions and thoroughly inspect and recover configurations, treating all existing ones as potentially compromised.
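The persistence mechanism described above rests on one property: a directory the SSL-VPN serves to clients contains a symbolic link whose target lies outside that directory. The defensive check that follows is an added example, not Fortinet's tooling or anything from the article; it assumes a generic file system laid out on disk (the real FortiGate language-file path is not named in the article, so the example builds a constructed stand-in under a temporary directory) and reports every symlink in a served tree that resolves to a location outside that tree. Benign in-tree links are left alone.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def find_escaping_symlinks(served_dir: str) -> List[Tuple[str, str]]:
    """Walk served_dir and return (link_path, resolved_target) for every symlink
    whose real target lies outside served_dir.

    A directory that a web-facing service hands out to clients should never
    contain a link resolving to the root file system or any other location
    outside the served tree; such a link is the tell-tale of the technique
    described in the article and survives a firmware patch untouched."""
    root = Path(served_dir).resolve()
    findings: List[Tuple[str, str]] = []
    # followlinks=False: a symlink to a directory is listed but never entered,
    # so the walk cannot be led out of the served tree by the very link we hunt.
    for dirpath, dirnames, filenames in os.walk(served_dir, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            # Fully resolve the link (relative targets and chains included).
            target = entry.resolve()
            try:
                target.relative_to(root)      # inside the tree: benign
            except ValueError:
                findings.append((str(entry), str(target)))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed layout (hypothetical, not a real FortiOS path): a served
    'lang' directory holding a legitimate language file, a benign in-tree
    symlink, and one symlink pointing at a sibling directory that stands in
    for the root file system. Returns the scanner's findings."""
    base = Path(tempfile.mkdtemp())
    served = base / "lang"
    outside = base / "rootfs"           # stand-in for the root file system
    served.mkdir()
    outside.mkdir()
    (served / "en.json").write_text('{"login": "Login"}')   # legitimate file
    (served / "fr.json").symlink_to(served / "en.json")    # in-tree link: benign
    (served / "data").symlink_to(outside)                  # escapes the tree: flagged
    return find_escaping_symlinks(str(served))


if __name__ == "__main__":
    for link, target in demo():
        print(f"escaping symlink: {link} -> {target}")
```

The check is deliberately narrow: it reports only links that leave the served tree, which is what turns a language-file directory into a read-only window onto the device. Run it against a file system image or exported tree as part of the configuration review the advisory asks for; on the appliance itself, the vendor's updated FortiOS and antivirus signature are the supported remediation.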

Security agencies including CISA and CERT-FR have issued warnings, noting that related compromises may date back to early 2023. Experts have highlighted a growing trend in which attackers quickly exploit known flaws and embed persistence mechanisms capable of surviving traditional remediation efforts—posing a long-term risk, especially for critical infrastructure organizations.
