Stratos Ally

Hackers Maintain FortiGate Access Even After Patching – Fortinet Issues Warning


admin4023


Fortinet has warned that attackers have found a way to keep read-only access to certain FortiGate devices, even after the vulnerabilities they originally exploited were patched.

The attackers exploited older, known flaws such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, all of which had already been patched.

According to Fortinet, the attackers used one of these known vulnerabilities to break in and set up persistent access to the device. They did this by creating a symbolic link between the user filesystem and the root filesystem. They placed the link in a folder used for SSL-VPN language files, which helped hide their access.

Even though the system was updated, this trick allowed the hackers to still look at files without being able to change them.   

Fortinet said the attackers modified the user filesystem, and those changes were hard to detect. Because the patches fixed the original vulnerabilities but did not touch the user filesystem, the symbolic link was left behind even after the devices were updated.

This, in turn, enabled the attackers to maintain read-only access to the device, so they could view files, including sensitive configuration, but not change anything. Only customers who have SSL-VPN enabled are affected. If you never used SSL-VPN, you are not affected.
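The persistence described above comes down to one thing a defender can check for: a symbolic link sitting in a writable, web-served folder whose target points outside the area it belongs to. The script below is an added illustration, not Fortinet's tooling and not a real FortiOS filesystem layout; the `userfs`/`rootfs` directories, the `sslvpn/lang` folder and the file names are all constructed for the demo. It walks a directory without following links and reports every symlink whose resolved target escapes an allowed root, which is the generalised form of the check that matters here.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(scan_dir: str, allowed_root: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink under scan_dir
    whose target lies outside allowed_root.

    Symlinks are reported, never followed, so a malicious link cannot lead
    the walk itself out of scan_dir."""
    allowed = Path(allowed_root).resolve()
    findings: list[tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(scan_dir, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue  # regular files and directories are fine
            try:
                target = entry.resolve(strict=False)
            except (OSError, RuntimeError):
                # dangling or looping link: fall back to the raw link text
                target = Path(os.readlink(entry))
            if not target.is_relative_to(allowed):
                findings.append((str(entry), str(target)))
    return findings


def build_demo_layout(base: str) -> tuple[str, str]:
    """Constructed sample layout (hypothetical, not a FortiOS image):
    a 'user' partition holding an SSL-VPN language folder, and a separate
    'root' partition that the user side should never be able to reach."""
    base_path = Path(base)
    rootfs = base_path / "rootfs"
    userfs = base_path / "userfs"
    lang = userfs / "sslvpn" / "lang"
    lang.mkdir(parents=True)
    (rootfs / "etc").mkdir(parents=True)
    (rootfs / "etc" / "config.conf").write_text("constructed sample config\n")
    (lang / "en.json").write_text('{"login": "Login"}\n')      # legitimate file
    os.symlink(lang / "en.json", lang / "default.json")         # benign link, stays inside userfs
    os.symlink(rootfs, lang / "extra")                          # escaping link: the persistence pattern
    return str(userfs), str(lang)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        user_root, lang_dir = build_demo_layout(tmp)
        for link, target in find_escaping_symlinks(lang_dir, user_root):
            print(f"ALERT: {link} -> {target} (outside {user_root})")
```

Only the `extra` link is reported; `default.json` also is a symlink, but it resolves inside the user partition, so a check based purely on "is it a symlink" would produce noise while this one does not. On a real appliance the equivalent review is done with the vendor's own tooling, since the underlying filesystem is not directly exposed.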

Fortinet does not know exactly who is behind the attacks, but the activity does not appear to target any specific country or industry. Fortinet has already notified the affected customers directly.

To prevent this kind of problem from happening again, Fortinet released updates to FortiOS. The fixes include:

• In FortiOS 7.4, 7.2, 7.0, and 6.4, the system now recognizes the malicious symlink as harmful, so the antivirus engine automatically removes it.

• In FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16, the symlink is removed and the SSL-VPN interface has been changed so that links of this kind can no longer be served.

Fortinet has advised customers to update to one of the fixed versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16) and to review their device configuration carefully. If the configuration may have been exposed, take recovery steps such as restoring from a known-good backup and reviewing any changes.

Meanwhile, CISA has also issued a warning asking users to reset any credentials that may have been exposed, and to consider disabling SSL-VPN until the security updates can be applied.

France's CERT team also said it is aware of cases where attackers compromised devices in this way as far back as early 2023.

Benjamin Harris, the CEO of watchTowr, said this situation is worrying for two big reasons.

First, hackers are attacking much faster than most companies can patch their systems. Even worse, the hackers know this and are taking advantage of it.   

Second, and scarier, hackers are now planting backdoors right after they break in. These tools are made to survive normal fixes, like software updates, or even after companies think they have cleaned everything up.

He also said they have found these backdoors in systems across their clients, including critical infrastructure, meaning some affected organizations are very important to public safety or national security.
