Fortinet reports hacker technique for Persistent Access to FortiGate Devices after patching
Take action: Update all FortiGate devices to the latest recommended FortiOS versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16) immediately to remove any potential malicious symbolic link that have been installed if the devices were compromised. Even if you have patched before, you still may be exposed to attacker access. If you're using SSL-VPN functionality, consider disabling it until patches are applied, and treat all configurations as potentially compromised until you apply the latest fixes.
Learn More
Fortinet is reporting a post-exploitation technique used by threat actors to maintain persistent read-only access to vulnerable FortiGate devices. This is insight into how attackers use known vulnerabilities with new techniques to maintain unauthorized access even after security patches have been applied.
Threat actors exploited several known vulnerabilities to gain initial access to FortiGate devices, including:
- FG-IR-22-398 (likely corresponds to CVE-2022-42475)
- FG-IR-23-097 (likely corresponds to CVE-2023-27997)
- FG-IR-24-015 (likely corresponds to CVE-2024-21762)
To remain iin the system, the attackers employed a technique that involved creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification occurred in the user filesystem, effectively evading detection mechanisms. Even after customers updated their devices with FortiOS versions addressing the original vulnerabilities, the symbolic link remained, allowing the threat actor to maintain read-only access to files on the device's filesystem, including sensitive configuration files.
Devices that never had SSL-VPN enabled are not impacted by this issue.
Fortinet's investigation, conducted using internal telemetry and in collaboration with third-party organizations, indicated that this threat actor activity was not targeted to any specific region or industry. The company has directly notified customers identified as impacted based on available telemetry.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued its own advisory urging users to reset exposed credentials and consider disabling SSL-VPN functionality until patches can be applied. The Computer Emergency Response Team of France (CERT-FR) noted awareness of compromises dating back to early 2023.
Fortinet implemented several mitigation measures:
- Created an AV/IPS signature to detect and clean the symbolic link from impacted devices
- Made changes to the latest releases to detect and remove the symbolic link
- Ensured the SSL-VPN only serves expected files
- Released multiple FortiOS mitigations:
- FortiOS 7.4, 7.2, 7.0, 6.4: Flagged the symbolic link as malicious by the AV/IPS engine for automatic removal if licensed and enabled
- FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16: Upgrading to these versions will remove the malicious symbolic link
- FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16: Modified the SSL-VPN UI to prevent serving such malicious symbolic links
Fortinet recommends all customers take the following steps:
- Upgrade all devices to 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16
- Review the configuration of all devices
- Treat all configurations as potentially compromised and follow recommended recovery steps available at: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-steps-to-execute-in-case-of-a/ta-p/230694
According to Fortinet's Global Threat Landscape Report, threat actors are exploiting known vulnerabilities on average 4.76 days after public disclosure.
