Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks

Fortinet warns that threat actors are using a post-exploitation technique that lets them retain read-only access to previously compromised FortiGate VPN devices even after the original attack vector has been patched.

According to the advisory, after breaching devices through older vulnerabilities, the threat actors created symbolic links in the language files folder that point to the root file system on devices with SSL-VPN enabled. This allows them to keep read-only access to the root filesystem through the publicly accessible SSL-VPN web panel even after they are discovered and evicted.

While Fortinet did not reveal the exact timeframe of these attacks, the Computer Emergency Response Team of France (CERT-FR), part of the country's National Agency for the Security of Information Systems (ANSSI), revealed on Thursday that the technique has been used in a massive wave of attacks going back to early 2023.

Earlier this week, Fortinet began emailing customers to warn that their FortiGate/FortiOS devices had been compromised, based on telemetry received from FortiGuard devices. In those emails, Fortinet advised customers to immediately upgrade their FortiGuard firewalls to the latest FortiOS version (7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16) to remove the malicious files used for persistence.

CERT-FR also recommended isolating compromised VPN devices from the network, resetting all secrets (credentials, certificates, identity tokens, cryptographic keys, etc.), and searching for evidence of lateral movement across the network.

Today, CISA also advised network defenders to report any incidents and anomalous activity related to Fortinet's report to its 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.

After BleepingComputer contacted Fortinet with questions about the emails, the company released an advisory on Thursday warning about the new exploitation technique.

"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This file was left behind by a threat actor following exploitation of previous known vulnerabilities," the emails said, naming CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 among the earlier vulnerabilities, though not only those.

"CERT-FR is aware of a massive campaign involving numerous compromised devices in France."
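The persistence described above depends on one condition a defender can check for directly: a symbolic link inside a web-served folder whose target resolves outside that folder. The scanner below is an added example, not code from Fortinet or the advisory; it walks a served directory (the advisory's language-file folder, represented here by a constructed placeholder tree) and reports every symlink that escapes it, while leaving in-tree links alone.

```python
import os
from pathlib import Path


def escaping_symlinks(served_dir):
    """Return [(link_path, resolved_target)] for each symlink under served_dir
    whose final target lies outside served_dir (e.g. a link to '/')."""
    root = Path(served_dir).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # With followlinks=False, a symlink to a directory still appears in
        # dirnames but is not descended into, so both lists must be checked.
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # follows the whole link chain
            try:
                target.relative_to(root)  # raises if target is outside root
            except ValueError:
                findings.append((str(p), str(target)))
    return findings


def build_fixture(base):
    """Constructed sample tree (placeholder, not a real FortiOS path):
    one legitimate in-tree link and one link pointing at the root fs."""
    served = Path(base) / "lang"
    (served / "en").mkdir(parents=True)
    (served / "en" / "strings.json").write_text("{}")
    os.symlink(served / "en", served / "en-US")  # benign: stays inside tree
    os.symlink("/", served / "fr")               # escapes to the root fs
    return served


def demo():
    """Build the constructed fixture in a temp dir and return the findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        return escaping_symlinks(build_fixture(tmp))


if __name__ == "__main__":
    for link, target in demo():
        print(f"ALERT: symlink {link} -> {target} escapes the served directory")
```

The same check applies to any directory a public-facing web server exposes; run it against the real served path rather than the placeholder tree.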

This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 11 Apr 2025 16:30:26 +0000

