Fortinet Releases Security Updates for FortiOS and FortiGate

Fortinet has patched a novel persistence technique used by an attacker to maintain read-only access to FortiGate devices after exploiting historical vulnerabilities

Threat ID:: CC-4643
Threat Severity:: Medium
Published:: 11 April 2025 12:06 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Fortinet has patched a novel persistence technique used by an attacker to maintain read-only access to FortiGate devices after exploiting historical vulnerabilities

Affected platforms

The following platforms are known to be affected:

Fortinet FortiOS

all prior to 6.4.16
all prior to 7.0.17
all prior to 7.2.11
all prior to 7.4.7
all prior to 7.6.2

Fortinet FortiGate

all prior to 6.4.16
all prior to 7.0.17
all prior to 7.2.11
all prior to 7.4.7
all prior to 7.6.2

Threat details

SSL-VPN vulnerabilities often targeted by attackers

VPN appliances are often internet-facing by design and frequent targets for exploitation by cyber threat groups. Fortinet's disclosure highlights ongoing interest in VPN appliances from attackers and the innovative methods used to maintain access once compromised.

The NHS England National CSOC strongly encourages organisations to review their external-facing assets and to ensure these are regularly patched and securely configured.

Introduction

Fortinet has released security updates for FortiOS to mitigate novel post-exploitation activity observed against FortiGate devices. The disclosure details a new persistence technique used by an attacker, in conjunction with known vulnerabilities, to maintain read-only access to FortiGate devices through the use of symbolic links even after the initial access vector has been remediated.

Post-exploitation activity details

Fortinet has stated that an attacker used a known vulnerability to compromise a FortiGate device and implement read-only access to the file system using a symbolic link between the user and root filesystems. If the vulnerable device was updated to remediate the original vulnerability, the symbolic link may not have been removed which could allow the attacker continued read-only access to the filesystem, including configuration files.

Remediation advice

Affected organisations are encouraged to review Fortinet's Analysis of Threat Actor Activity blog post and complete any applicable mitigation actions.

Remediation steps

Type	Step
Patch	Upgrade all devices to FortiOS version 7.6.2, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16. https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
Action	Review the configuration of all devices. https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
Action	Treat all configuration as potentially compromised and follow the recommended steps below to recover: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-steps-to-execute-in-case-of-a/ta-p/230694

Definitive source of threat updates

https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity

Last edited: 11 April 2025 12:06 pm