Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices

In an urgent alert to the cybersecurity community, Fortinet has detailed an active threat campaign exploiting known vulnerabilities in FortiGate appliances, highlighting a novel post-exploitation technique that enables unauthorized read-only access even after security updates are applied.

“Recent incidents continue to bring this into focus with active exploitations of known vulnerabilities,” wrote CISO Carl Windsor.

Fortinet’s investigation revealed that attackers leveraged a set of known CVEs:

• CVE-2022-42475
• CVE-2023-27997
• CVE-2024-21762

While these vulnerabilities had previously been disclosed and patched, the new persistence technique allowed attackers to retain read-only access to the file system—even on devices that had been updated.

The attacker exploited the SSL-VPN feature by creating a symbolic link between the user filesystem and the root filesystem, embedding it within a folder used to serve language files. This symbolic link survived across firmware upgrades and allowed the attacker to passively access files such as configurations on the device.

“This modification took place in the user filesystem and avoided detection… allowing the threat actor to maintain read-only access,” the report explains.

Notably, customers who never enabled SSL-VPN are not impacted by this particular technique.

Fortinet notes that this campaign was not isolated to a specific region or vertical—suggesting the attackers pursued opportunistic mass exploitation of outdated FortiGate devices across global infrastructures.

“The data indicates that this threat actor activity was not targeted to a specific region or industry,” the report warned.

Upon discovery, Fortinet activated its Product Security Incident Response Team (PSIRT), issued direct customer notifications, and developed AV/IPS signatures and firmware updates to detect and remove the malicious symbolic links.

Mitigations include:

• AV/IPS detection and cleaning
• Firmware updates across FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16
• SSL-VPN interface updates to prevent malicious file serving

Fortinet has also advised customers to review all configurations and treat them as potentially compromised. The company provides step-by-step recovery guidance to aid in this process.

Related Posts:

• Akamai Unveils New VPN Post-Exploitation Techniques: Major Vulnerabilities Discovered in Ivanti and FortiGate VPNs
• Fortinet FortiGate Firewalls Targeted in Sophisticated Campaign Exploiting Management Interfaces
• 15,000 FortiGate Firewalls Exposed: Massive Leak Includes VPN Credentials
• ESET Security Products for Windows Vulnerable to Privilege Escalation Attack

About The Author

Ddos

Ddos is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.

See author's posts