Fortinet discovered a new technique used by threat actors to maintain access to FortiGate devices, even after known vulnerabilities were patched. The company has since taken action to notify affected customers and provide mitigation guidance.
What Happened?
Fortinet’s internal security team found that malicious actors were exploiting known vulnerabilities—specifically FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015—to gain access to devices.
While targeting unpatched systems is not new, Fortinet observed a novel post-exploitation method that allowed bad actors to maintain read-only access to FortiGate systems even once the initial vulnerabilities were addressed.
The attackers created a symbolic link—a kind of shortcut—that connected the user filesystem with the root filesystem within a folder used by the SSL-VPN feature. This helped them evade detection and access files, including potential device configurations, without alerting administrators.
Who Is Affected?
Customers who never enabled SSL-VPN on their FortiGate devices will not be impacted. Fortinet said it worked with third-party entities to assess the scope of this threat and found that the activity was not targeted at any specific industry or region.
Fortinet also issued antivirus and intrusion prevention signatures to detect and remove the malicious link and released updated FortiOS versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16) that automatically eliminate the vulnerability. It also updated the SSL-VPN interface to prevent similar exploitation methods in the future.
Upgrade Immediately
Fortinet is urging all customers—impacted or not—to upgrade to the latest FortiOS versions to ensure full protection. It says keeping systems updated is a cornerstone of strong cyber hygiene.
“It is critically important for all organizations to keep their devices up to date,” the company said. “A variety of government organizations have reported state-sponsored threat actors are targeting all vendors, including known but unpatched vulnerabilities. Generally, the best defense against any known vulnerability is following good cyber hygiene practices, including upgrading.”
Official recovery steps have been provided in Fortinet’s technical guide.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.