Full Report
Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched. [...]
Analysis Summary
# Vulnerability: FortiGate Symlink Persistence Post-Patching
## CVE Details
- CVE ID: Not explicitly provided in the text, but relates to persistence mechanisms following exploitation of previous vulnerabilities patched by Fortinet.
- CVSS Score: Not explicitly scored in the text.
- CWE: Likely related to Improper Access Control or Path Traversal errors leading to unauthorized file system access.
## Affected Systems
- Products: FortiGate VPN devices running FortiOS.
- Versions: Devices that were previously patched for initial exploitation vectors but might still contain remnants allowing for persistence. Specific vulnerable versions are implied to be those where earlier fixes were incomplete against this specific technique.
- Configurations: Devices that were exploited using a symbolic link (symlink) technique, potentially leaving read-only access files behind.
## Vulnerability Description
The vulnerability involves a post-exploitation persistence mechanism where an attacker utilizes a symbolic link (symlink) trick on FortiGate devices. This technique allows threat actors who previously exploited vulnerabilities—even on devices where initial fixes were applied—to maintain read-only access to files on the device's file system, which may include critical configuration files. Attacks using this technique have been ongoing since early 2023, according to CERT-FR.
## Exploitation
- Status: Implied to be actively exploited for persistence, dating back to early 2023 ("massive campaign").
- Complexity: Implied to be reasonably effective for maintaining access post-initial compromise, suggesting **Medium** to **High** complexity for an attacker focused on persistence.
- Attack Vector: Likely initiated via network access (exploiting the VPN component), leading to local file system manipulation.
## Impact
- Confidentiality: **High** (Read-only access to configurations suggests access to sensitive data).
- Integrity: **Moderate** (Primarily read access, reducing immediate integrity loss, but persistence itself compromises expected trust boundaries).
- Availability: **Low** (Direct impact unknown, but persistence could lead to future disruption).
## Remediation
### Patches
Fortinet strongly advises immediate upgrade to the latest versions of FortiOS to remove malicious files used for persistence:
- FortiOS **7.6.2**
- FortiOS **7.4.7**
- FortiOS **7.2.11**
- FortiOS **7.0.17**
- FortiOS **6.4.16**
### Workarounds
1. Isolate compromised VPN devices from the network.
2. Reset all secrets, including credentials, certificates, identity tokens, and cryptographic keys.
3. Review device configurations immediately for any unexpected changes.
4. Follow guidance provided in the technical support document regarding resetting potentially exposed credentials.
## Detection
- Indicators of Compromise (IOCs): Presence of malicious files left behind via the symlink technique that enable read-only access.
- Detection Methods and Tools:
- Review device configurations for unexpected changes.
- Utilize forensic analysis to search for evidence of lateral network movement.
- CISA advises reporting any incidents or anomalous activity related to this finding to their Operations Center.
## References
- Vendor Advisory: Fortinet support document (link provided in source, context truncated).
- CERT-FR Alert: hxxps://www.cert.ssi.gouv.fr/alerte/CERTFR-2025-ALE-004/
- CISA Advisory: hxxps://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities
- Fortinet Guidance on Resetting Credentials: hxxps://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-steps-to-execute-in-case-of-a/ta-p/230694