TechHorizon Consulting

Symlink Exploit Enables Continued Access to Patched FortiGate Devices

EJ

Apr 15, 2025By Eli Junco

Cybersecurity defenses are only as strong as the measures that keep attackers at bay—even after patches are applied. In a concerning development, Fortinet has warned customers that threat actors are retaining read-only access to compromised FortiGate VPN devices via a symlink-based post-exploitation technique, even after the initial vulnerabilities have been patched.

What’s Happening?


Earlier this week, Fortinet began sending urgent emails to its customers under the title “Notification of device compromise - FortiGate / FortiOS - Urgent action required.” These emails, designated as TLP:AMBER+STRICT, alerted customers that their FortiGate/FortiOS devices might still be compromised. According to these alerts, the issue is not due to any new vulnerability; rather, it stems from remnants left behind by threat actors after exploiting well-known vulnerabilities such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.

Internet Security

The Exploit in Detail


When threat actors initially exploited vulnerable FortiGate devices using known flaws, they created symbolic links (symlinks) in the language files folder. These symlinks connected the user file system to the root file system on devices that have SSL-VPN enabled. As a result, even after the affected devices have been updated with patched FortiOS versions, the symlinks may remain. This persistence mechanism enables attackers to maintain read-only access to critical files—including device configurations—via the publicly accessible SSL-VPN web panel without being detected.

Fortinet explained:

"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection."


Ongoing Threat and Broader Impact


According to the Computer Emergency Response Team of France (CERT-FR), this post-exploitation technique has been used in a massive campaign in France dating back to early 2023. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged network defenders to report any incidents or anomalous activity related to Fortinet's advisory to their 24/7 Operations Center.

The persistence of these symlinks is especially alarming because it means that even after immediate vulnerabilities are patched, attackers can continue to access and potentially exploit system configurations. WatchTowr CEO Benjamin Harris warned, “In the wild exploitation is becoming significantly faster than organizations can patch... Attackers deploy capabilities designed to survive the patching, upgrade, and factory reset processes.”

Cyber Attack A06

Mitigation Steps and Recommendations


To reduce the risk posed by these lingering symlinks, Fortinet advises customers to immediately upgrade their FortiGate/FortiOS devices to one of the latest patched versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16). In addition, administrators should:

  • Review Device Configurations: Immediately check for unexpected changes in configurations that might indicate a persistent compromise.
  • Reset Exposed Credentials: Focus on resetting any credentials, certificates, identity tokens, and cryptographic keys that might have been exposed.
  • Isolate Compromised Devices: Consider isolating affected devices from the network to prevent lateral movement.
  • Report Incidents: Follow CISA’s guidance by reporting any suspicious activity to their Operations Center.


Final Thoughts


The stealthy nature of this exploit underscores an important lesson: even after applying patches, residual artifacts from previous breaches can leave organizations vulnerable. These findings reinforce the need for continuous monitoring and proactive remediation efforts.

At TechHorizon Consulting, we understand that evolving cyber threats require a comprehensive and proactive security strategy. We specialize in securing networks, fortifying access controls, and performing detailed configuration reviews to help ensure your infrastructure remains secure.

Contact TechHorizon Consulting today to assess your security posture and implement advanced protection strategies against emerging cyber threats.