Fortinet: Symlink trick gives access to patched FortiGate VPN devices

Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.

The advisory says that when the threat actors previously breached servers using older vulnerabilities, they created symbolic links in the language files folder to the root file system on devices with SSL-VPN enabled.

While Fortinet didn't reveal the exact timeframe of these attacks, the Computer Emergency Response Team of France (CERT-FR), part of the country's National Agency for the Security of Information Systems (ANSSI), revealed on Thursday that this technique has been used in a massive wave of attacks going back to early 2023.

Earlier this week, Fortinet began sending emails to customers warning that their FortiGate/FortiOS devices were compromised, based on telemetry received from FortiGuard devices.

In the emails sent earlier this week, Fortinet advised customers to immediately upgrade their FortiGuard firewalls to the latest version of FortiOS (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16) to remove the malicious files used for persistence.

CERT-FR also recommended isolating compromised VPN devices from the network, resetting all secrets (credentials, certificates, identity tokens, cryptographic keys, etc.), and searching for evidence of lateral network movement.

Today, CISA also advised network defenders to report any incidents and anomalous activity related to Fortinet's report to its 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.

After BleepingComputer contacted Fortinet with questions about these emails, the company released an advisory on Thursday warning about this new exploitation technique.

"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This file was left behind by a threat actor following exploitation of previous known vulnerabilities," the emails said. The previous vulnerabilities include, but are not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.

"CERT-FR is aware of a massive campaign involving numerous compromised devices in France."

The symlink allows the attackers to maintain read-only access to the root filesystem through the publicly accessible SSL-VPN web panel even after they're discovered and evicted.
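The persistence mechanism described above works because a static-file handler follows symbolic links without checking where they lead, so a link planted inside a served folder turns that folder into a read-only window on the whole filesystem. The check below is an added example written for this article, not Fortinet's tooling and not tied to any FortiOS path (the page does not name the language-files directory, so the served root is passed in as an argument). It walks a directory tree without following links, resolves every symlink it meets relative to its own parent, and reports any whose target lands outside the tree. The sample tree it scans is constructed inline.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return (link, target) pairs for every symlink under served_root whose
    resolved target lies outside served_root.

    Links that stay inside the tree (e.g. an alias for another language file)
    are normal and are not reported; links to the root filesystem, or relative
    links that climb above the served directory, are exactly what a web server
    would happily follow on behalf of an unauthenticated client.
    """
    root = Path(served_root).resolve()
    findings = []
    # followlinks=False: we inspect link entries but never descend through them,
    # otherwise a link to "/" would make the scan crawl the entire device.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = Path(os.readlink(entry))
            # Relative targets are interpreted from the link's own directory;
            # an absolute target replaces the prefix entirely ("/" stays "/").
            resolved = (entry.parent / target).resolve()
            try:
                resolved.relative_to(root)
            except ValueError:
                findings.append((str(entry.relative_to(root)), str(target)))
    return findings


def build_constructed_tree(base):
    """Lay out a constructed sample tree under base (hypothetical layout,
    not a real FortiOS directory) with one benign and two escaping links."""
    served = Path(base) / "served"
    lang = served / "lang"
    lang.mkdir(parents=True)
    (lang / "en.json").write_text('{"login": "Login"}')
    os.symlink("en.json", lang / "en_US.json")  # benign: stays inside the tree
    os.symlink("/", lang / "escape_root")       # absolute link to the root filesystem
    os.symlink("../..", lang / "escape_up")     # relative link that climbs out of the tree
    return served


def run_demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        served = build_constructed_tree(tmp)
        return find_escaping_symlinks(served)


if __name__ == "__main__":
    for link, target in run_demo():
        print(f"escaping symlink: {link} -> {target}")
```

Run against a real served directory by calling `find_escaping_symlinks("/path/to/served/root")`; any hit deserves the same treatment the article describes (treat the device as compromised, rotate secrets, look for lateral movement), since a symlink of this kind is not something a normal upgrade or configuration change creates.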

This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 11 Apr 2025 16:10:13 +0000
