Fortinet Devices Still Vulnerable After Patching, Hackers Retain Access
Even after applying security updates, some Fortinet FortiGate devices remain susceptible to attack, according to a new advisory from the company. Researchers have discovered that malicious actors can maintain limited, read-only access, potentially exploiting a weakness in the SSL-VPN symlink to gather sensitive information.
Fortinet has discovered that hackers are finding ways to stick around inside vulnerable FortiGate devices, even after those devices have been patched! It seems these attackers are using some clever tricks to maintain access.
The problem? They're exploiting known security holes – some that have been patched for a while. We're talking about flaws like CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, among others.
According to Fortinet's advisory, the attackers are gaining read-only access by creating a "symbolic link" – think of it as a shortcut – that connects the user file system with the root file system. This sneaky shortcut resides in a folder used for language files related to SSL-VPN.
The real kicker? These modifications are happening in the user file system, which allows them to fly under the radar. Even after patching the vulnerabilities that let them in initially, the symbolic link remains, granting persistent read-only access to files, including sensitive configuration data.
Important note: If you've never enabled SSL-VPN on your FortiGate device, you're likely not affected by this particular issue.
While the identity of the attackers remains unknown, Fortinet says the activity doesn't seem to be targeting any specific region or industry. Affected customers have been notified directly.
What's Being Done?
Fortinet has released a series of updates to FortiOS designed to prevent this from happening again:
- FortiOS 7.4, 7.2, 7.0, 6.4: The malicious symlink is now flagged and automatically removed by the antivirus engine.
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: The symlink is removed, and the SSL-VPN UI has been tweaked to prevent serving these kinds of malicious links.
What Should You Do?
The key takeaway? Update your FortiOS instances to versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16. Then, carefully review your device configurations and consider them potentially compromised. Follow Fortinet's recommended recovery steps.
Even government agencies are weighing in. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging users to reset credentials and potentially disable SSL-VPN until patches are applied. France's CERT-FR reports awareness of compromises dating back to early 2023.
Expert Insight
Benjamin Harris, CEO of watchTowr, shared his concerns with The Hacker News, highlighting two key issues:
First, in the wild exploitation is becoming significantly faster than organizations can patch. More importantly, attackers are demonstrably and deeply aware of this fact.
Second, and more terrifying, we have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade and factory reset processes organizations have come to rely on to mitigate these situations to maintain persistence and access to compromised organizations.
In short, staying vigilant and proactive is more critical than ever in today's cybersecurity landscape.
