Fortinet has issued a new security warning. Hackers still have access to patched FortiGate VPN devices. They use a hidden method that bypasses traditional detection.
Compromise Notification Sent to Customers
The company alerted affected customers via email. The message was titled: “Notification of device compromise – FortiGate / FortiOS – Urgent action required.”
This notification carried a TLP:AMBER+STRICT label, showing high-risk urgency.
No New Exploits, But Persistence Remains
This issue is not due to a new vulnerability. Instead, attackers left behind symbolic links during earlier breaches. These links provide read-only access through the SSL-VPN web interface.
Attackers Exploited Known CVEs
The hackers used old vulnerabilities such as:
- CVE-2022-42475
- CVE-2023-27997
- CVE-2024-21762
They gained access and planted symbolic links in the folder that serves language files. This technique created persistent access without triggering alerts.
Security Patches May Not Fully Remove Risk
Even after customers updated FortiOS, the symbolic links remained, so threat actors could still read the root filesystem and configuration files through the SSL-VPN web interface.
Fortinet urged customers to upgrade to the latest firmware versions:
- 7.6.2
- 7.4.7
- 7.2.11
- 7.0.17
- 6.4.16
Security Teams Urged to Act Immediately
Admins should inspect their systems for suspicious changes. Fortinet recommends reviewing configuration files and resetting compromised credentials. A support document offers detailed cleanup instructions.
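The persistence mechanism described above is a symbolic link planted inside a web-served directory whose target resolves outside that directory. The following script, added here as an illustration and not Fortinet's own cleanup tool, shows the check a defender would run on any served tree: walk it without following links, resolve each symlink, and flag those that escape the directory, then remove only the link (never its target). The directory layout, file names and "secrets" folder standing in for the device root filesystem are constructed for the demo and are not FortiOS paths.

```python
"""Find and remove symbolic links that escape a web-served directory.

Added illustration of the symlink-persistence check; the tree built by
build_demo_tree() is constructed for the demo and does not reflect real
FortiOS paths.
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_dir: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink under served_dir
    whose resolved target lies outside served_dir.

    A link whose target stays inside the directory (a language alias, say)
    is legitimate; one whose target escapes to another part of the
    filesystem is the kind of planted link the advisory describes.
    """
    root = os.path.realpath(served_dir)
    findings: list[tuple[str, str]] = []
    # followlinks=False: never descend into a symlinked directory, so a link
    # to the root filesystem is reported once rather than walked.
    for dirpath, dirnames, filenames in os.walk(served_dir, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            # realpath resolves chains of links and ".." components; it also
            # works for dangling links, which are still worth reporting.
            target = os.path.realpath(full)
            if os.path.commonpath([root, target]) != root:
                findings.append((full, target))
    return findings


def remove_escaping_symlinks(served_dir: str) -> int:
    """Delete each escaping link itself (os.unlink never follows the link,
    so the target is untouched). Returns the number of links removed."""
    removed = 0
    for link, _target in find_escaping_symlinks(served_dir):
        os.unlink(link)
        removed += 1
    return removed


def build_demo_tree() -> tuple[str, str]:
    """Construct a sample layout: <tmp>/www/lang is the served directory and
    <tmp>/secrets stands in for the device's root filesystem (constructed)."""
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    served = os.path.join(base, "www", "lang")
    secrets = os.path.join(base, "secrets")
    os.makedirs(served)
    os.makedirs(secrets)
    Path(served, "en.json").write_text('{"greeting": "hello"}\n')
    Path(secrets, "config.conf").write_text("constructed sample config\n")
    # Legitimate: an alias that stays inside the served directory.
    os.symlink("en.json", os.path.join(served, "en_US.json"))
    # Planted-style link (constructed): points outside the served directory.
    os.symlink(secrets, os.path.join(served, "help"))
    return served, secrets


if __name__ == "__main__":
    served_dir, _ = build_demo_tree()
    for link, target in find_escaping_symlinks(served_dir):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
    print(f"removed {remove_escaping_symlinks(served_dir)} link(s)")
```

The comparison uses the resolved path rather than the link text, so a link written as a relative `../../` chain is caught the same way as an absolute one. Run it with a real served directory in place of the demo tree; on a device you do not control at the filesystem level, the same logic applies to a copy of the directory pulled for forensic review.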
CERT-FR Confirms Widespread, Ongoing Campaign
CERT-FR, part of France’s national cybersecurity agency, confirmed the attacks began in early 2023. It observed widespread compromise across French networks. Attackers may have moved laterally after breaching VPN devices. The U.S. CISA advised all defenders to report suspicious activity. Contact them at Report@cisa.gov or call (888) 282-0870 for support.
VPN Group Recommends Strong Forensic Checks
At VPN Group, we advise a full review of patched systems. Even fixed devices may hide backdoors. Security teams must isolate affected VPNs, reset credentials, and scan for network movement.