Full Report
Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched. The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. "A threat actor used a known
Analysis Summary
This summary focuses on the post-exploitation persistence mechanism leveraged by attackers, often following exploitation of previously disclosed FortiGate vulnerabilities.
# Vulnerability: Post-Patch Persistence via FortiGate SSL-VPN Symlink Creation
## CVE Details
- CVE ID: Not assigned to the persistence flaw itself, but the persistence is linked to prior exploitation of vulnerabilities like **CVE-2022-42475**, **CVE-2023-27997**, and **CVE-2024-21762**.
- CVSS Score: N/A (This summary details a post-exploitation technique, not the initial vulnerability score)
- CWE: Could relate to Improper Link Handling or directory traversal if the initial exploit allowed it, but the persistence method uses symlinks in a language file directory.
## Affected Systems
- Products: FortiGate devices running FortiOS.
- Versions: Affected versions are those susceptible to the prior remote execution vulnerabilities, particularly those utilizing SSL-VPN functionality. Patch notes imply maintenance across several branches.
- Configurations: Systems must have **SSL-VPN enabled and running** to be susceptible to the initial compromise leading to this persistence method. Systems with SSL-VPN disabled are not impacted by this specific post-exploitation activity.
## Vulnerability Description
Threat actors are leveraging known, previously patched vulnerabilities (such as CVE-2022-42475, CVE-2023-27997, CVE-2024-21762) to gain initial access to FortiGate devices. After exploitation, the attacker implants a **symbolic link (symlink)** within a folder used for serving SSL-VPN language files. This symlink connects the user file system path to the root file system. Even after the initial vulnerability used for access is patched, this persistent symlink allows the threat actors to maintain **read-only access** to files on the device's file system, including configuration files.
## Exploitation
- Status: **Exploited in the wild** (Attackers are actively using this technique post-patching of initial access vectors).
- Complexity: The complexity depends on the initial access vector used, but the persistence mechanism itself relies on knowledge of the file system layout.
- Attack Vector: Network (initial access via SSL-VPN), followed by local file system manipulation for persistence.
## Impact
- Confidentiality: **High** (Attackers gain read-only access to sensitive device files and configurations).
- Integrity: **Low/Medium** (Focus is on read-only access, but reading configurations can aid future attacks).
- Availability: **Low** (The primary impact is compromise of confidentiality, not service disruption).
## Remediation
### Patches
Fortinet has released updates across multiple FortiOS branches to remove the malicious symlink and prevent future instances:
- **FortiOS 7.6.2**
- **FortiOS 7.4.7**
- **FortiOS 7.2.11**
- **FortiOS 7.0.17**
- **FortiOS 6.4.16**
These versions include specific modifications:
1. The malicious symlink is flagged so that the antivirus engine automatically removes it.
2. The SSL-VPN UI is updated to prevent the serving of such malicious symbolic links.
### Workarounds
1. **Disable SSL-VPN functionality** until appropriate patches are applied, as advised by CISA.
2. **Review device configurations** for any signs of compromise, treating all configurations as potentially compromised.
3. Perform **appropriate recovery steps** as recommended by Fortinet community guides.
4. **Reset exposed credentials** that may have been revealed via the read-only access.
## Detection
- Indicators of compromise (IOCs) center around the presence of the malicious symbolic link planted in language file directories, or file system modifications coinciding with historical exploitation of the underlying RCE flaws.
- Detection methods involve forensic analysis of the file system and checking configurations against known-good states, especially in directories serving SSL-VPN language files. Specific updates ensure the AV engine flags and removes the symlink.
## References
- Fortinet Advisory: hxxps://www[.]fortinet[.]com/blog/psirt-blogs/analysis-of-threat-actor-activity
- CISA Advisory: hxxps://www[.]cisa[.]gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities
- CERT-FR Bulletin: hxxps://www[.]cert[.]ssi[.]gouv[.]fr/alerte/CERTFR-2025-ALE-004/
- Fortinet Recovery Steps: hxxps://community[.]fortinet[.]com/t5/FortiGate/Technical-Tip-Recommended-steps-to-execute-in-case-of-a/ta-p/230694