Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices
A threat actor that has been using known old FortiOS vulnerabilities to breach FortiGate devices for years has also been leveraging a clever trick to maintain undetected read-only access to them after the original access vector was locked down, Fortinet revealed on Thursday.
“[Read-only access] was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN,” Fortinet CISO Carl Windsor explained.
“This modification took place in the user filesystem and avoided detection. Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations.”
He did not say when Fortinet first detected the use of this post-exploitation technique, nor did he share for how long they believe the threat actor had been using the technique.
Fortinet warns
The threat actor has been and is exploiting CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762 to achieve remote code execution.
Windsor said that in FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16, the malicious symbolic link is automatically removed and the SSL-VPN user interface is prevented from serving such malicious symbolic links.
Even before that, the company released FortiOS versions 7.4, 7.2, 7.0, and 6.4, with an AV/IPS signature to detect and clean the symbolic link from impacted devices, though this worked only if “the [IPS] engine was licensed and enabled.”
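The two defensive behaviours described above, cleaning up a planted link and refusing to serve any path that resolves outside the served tree, as an added illustration that is not Fortinet's code: FortiOS internals and the real language-file folder are not public here, so the script works over a constructed temporary directory with an illustrative planted link.

```python
import os
import tempfile
from typing import List, Optional


def _escapes(base_real: str, target_real: str) -> bool:
    """True when target_real lies outside the directory base_real."""
    return os.path.commonpath([base_real, target_real]) != base_real


def find_escaping_symlinks(docroot: str) -> List[str]:
    """Return relative paths of symlinks under docroot whose resolved target
    lies outside the served tree (the user-to-root filesystem pattern)."""
    base = os.path.realpath(docroot)
    hits = []
    # followlinks=False: symlinked directories are listed but not descended
    for dirpath, dirnames, filenames in os.walk(base, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and _escapes(base, os.path.realpath(full)):
                hits.append(os.path.relpath(full, base))
    return sorted(hits)


def safe_resolve(docroot: str, requested: str) -> Optional[str]:
    """Resolve a requested path for serving; None when the real path (after
    following symlinks or '..') leaves the served tree or is not a file."""
    base = os.path.realpath(docroot)
    real = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if _escapes(base, real) or not os.path.isfile(real):
        return None
    return real


def build_demo() -> str:
    """Constructed sample tree: one legitimate language file next to a
    planted symlink to the root filesystem. Names are illustrative only."""
    root = tempfile.mkdtemp(prefix="sslvpn-lang-demo-")
    lang = os.path.join(root, "lang")
    os.makedirs(lang)
    with open(os.path.join(lang, "en.json"), "w") as fh:
        fh.write('{"login": "Login"}\n')
    os.symlink("/", os.path.join(lang, "x"))  # the planted link
    return root


if __name__ == "__main__":
    demo = build_demo()
    print("escaping symlinks:", find_escaping_symlinks(demo))
    print("serve lang/x/etc/hostname ->", safe_resolve(demo, "lang/x/etc/hostname"))
```

The scan is what a cleanup signature has to do; the serve-time check is what stops a link that survived cleanup from being useful.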
Earlier this week, Fortinet started sending out an email notice to an unknown number of customers, saying that their telemetry shows they had been affected and advising them to take immediate action by:
- Upgrading to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17 or 6.4.16 to remove the malicious file and prevent a new compromise
- Reviewing the configuration of the device but also treating it as potentially compromised
- Going through the steps outlined here, which include resetting all users’ credentials, revoking certificates, resetting secrets, etc.
CERTs advise
The German Federal Office for Information Security (BSI) has issued a security notice advising organizations using Fortinet’s firewalls to check whether they have been or are affected and take further protective measures.
“In this context, they should particularly check whether any unsuccessful attempts to contact the manufacturer via the established communication channels with Fortinet have been made in recent weeks,” the BSI said.
“If a compromise is detected, extensive forensic analysis of the device itself and investigations of other network components for suspicious activity should be conducted before the reset to rule out a deeper compromise of the network. For environments with increased security requirements, the BSI recommends, in addition to installing patches, also evaluating the preventive exchange of relevant access credentials … to counteract the risk of a possible leak of configuration and access data.”
The BSI finally pointed out that, in Germany, as of April 10, 2025, there are still almost 700 FortiGate devices vulnerable to CVE-2024-21762.
The French Computer Emergency Response Team (CERT-FR) said that it is aware of a massive campaign involving numerous devices in France compromised through the aforementioned vulnerabilities. “During incident response operations, CERT-FR became aware of compromises that occurred since early 2023,” they said, and advised on how to perform a full investigation into whether the attacker got beyond the firewall.
In early 2025, a threat actor leaked configuration files containing admin and VPN user credentials for over 15,000 Fortinet FortiGate firewalls. It is believed that the threat actor extracted those files after exploiting a FortiOS authentication bypass vulnerability (CVE-2022-40684).