FortiGate VPN Vulnerability: Hackers Maintain Access Even After Patches

Fortinet has issued an urgent warning to customers that hackers may retain read-only access to compromised FortiGate VPN devices even after security vulnerabilities have been patched. This sophisticated persistence technique leverages symbolic links to maintain unauthorized access, potentially exposing sensitive device configurations and data.

Backdoor Access Through Symbolic Links

Fortinet’s security team has discovered that attackers exploited previously known vulnerabilities to create a backdoor into affected systems. The attack doesn’t rely on new vulnerabilities but instead uses a clever technique to maintain persistence after initial compromise.

According to Fortinet’s alert: “FortiGuard telemetry shows that in connection with the detection of a malicious file, one or more of your devices could be compromised. This problem is not related to any new vulnerability. The file was left by the attacker after the exploitation of previous known vulnerabilities.”

The company specifically highlighted several CVEs that were likely used in the initial compromise:

• CVE-2022-42475
• CVE-2023-27997
• CVE-2024-21762

How the Attack Works

The threat actors employed a sophisticated technique to maintain access:

1. Initially compromise systems using known vulnerabilities
2. Create symbolic links in the language files folder that point to the root file system
3. These links allow read-only access to the device’s root file system via the public SSL-VPN web panel
4. Because the modification occurs in the user file system, it evades detection
5. Even after patching the original vulnerabilities, the symbolic links remain

“The attackers used known vulnerabilities to gain read-only access to FortiGate devices. This was achieved by creating a symbolic link connecting the file system related to the user space and the root file system in the language file folder for SSL-VPN,” Fortinet explained. “Since the modification took place in the user file system, the attackers managed to avoid detection.”

Widespread Campaign

While Fortinet didn’t specify the exact timeline of these attacks in their customer notification, the French Computer Emergency Response Team (CERT-FR) reported that this attack technique was part of a large-scale campaign that began in the first half of 2023.

Recommended Security Measures

Fortinet strongly urges customers to immediately update their FortiOS to the latest secure versions to eliminate the malicious files used by attackers to maintain access:

• Version 7.6.2
• Version 7.4.7
• Version 7.2.11
• Version 7.0.17
• Version 6.4.16

Beyond Patching: Additional Security Steps

Organizations using FortiGate devices should consider these additional security measures:

1. Conduct thorough security audits of potentially affected systems
2. Review logs for any suspicious activity
3. Consider changing administrative credentials
4. Implement network segmentation to limit potential damage
5. Enable multi-factor authentication where available

About Fortinet

Fortinet is a global leader in cybersecurity solutions, offering a broad range of security products including firewalls, VPNs, anti-virus, intrusion prevention systems, and endpoint security. The company focuses on providing integrated security solutions for networks, cloud environments, and remote workers. Founded in 2000, Fortinet has become one of the largest cybersecurity vendors worldwide, known for its FortiGate next-generation firewall technology and unified security management approach.

FortiGate and other devices have faced an alarming pattern of critical vulnerabilities in recent years, with this latest symbolic link persistence technique highlighting Fortinet’s ongoing struggle to fully secure their products against sophisticated threat actors who repeatedly find ways to maintain unauthorized access.