Fortinet has discovered that a hacker group is using an advanced method to keep access to FortiGate devices—even after known security flaws were patched.
In a recent investigation, Fortinet revealed that attackers are taking advantage of previously identified vulnerabilities (FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015) to break in and stick around. The discovery highlights the danger of unpatched systems and reinforces Fortinet’s push for transparency and fast action.
- CVE-2022-42475: Tied to FG-IR-22-398, used in the attack.
- CVE-2023-27997: Tied to FG-IR-23-097, used in the attack.
- CVE-2024-21762: Not explicitly confirmed, possible link to FG-IR-24-015 but uncertain.
Hackers Use Sneaky New Trick to Bypass Fortinet Patches and Stay Hidden
Fortinet has uncovered a clever new tactic used by hackers to keep access to FortiGate devices—even after security patches were applied. The attackers created a symbolic link between user and root file systems in a folder meant for SSL-VPN language files. This gave them read-only access to sensitive device data, including configurations, without triggering alarms.
Worse, this malicious link could survive software updates, keeping systems exposed even after fixes were applied.
Fortinet’s investigation—backed by internal monitoring and outside partners—confirmed that this attack is widespread and not limited to any single industry or region. However, devices that never enabled SSL-VPN are not affected.
Once the method was identified, Fortinet’s Product Security Incident Response Team (PSIRT) jumped into action, releasing several key defenses:
- Antivirus and IPS signatures to detect and remove the symbolic link
- Updates to FortiOS (versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16) to block the exploit
- Direct alerts to affected customers, urging immediate upgrades and security checks
Fortinet is urging all customers—whether affected or not—to update to the latest versions and follow recovery guidelines in their community resources.
According to Fortinet’s latest Global Threat Landscape Report, threat actors typically exploit known flaws within just 4.76 days of public disclosure—making fast patching more critical than ever.
“This attack shows how quickly threat actors evolve,” said Fortinet spokesperson Carl Windsor. “We’re staying ahead by offering proactive protection and clear communication.”
Recent Fortinet updates also include extra security features like compile-time hardening, firmware integrity checks, and automated upgrade tools to help customers stay secure with less manual work.
Meanwhile, WatchTowr’s founder reported spotting backdoor deployments across multiple clients, including critical infrastructure providers—underscoring how serious this exploit is. He called on the industry to rethink its approach to handling major vulnerabilities.
Fortinet’s message is loud and clear: Stay alert, stay updated, and take this threat seriously.
CISA Backs Fortinet’s Fixes—Here’s What Admins Should Do
In an April 11 advisory, CISA echoed Fortinet’s warning and urged IT teams to take immediate action:
- Update FortiOS to versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 to remove the malicious file and block future attacks.
- Check your configurations and reset any passwords or credentials that might’ve been exposed.
- Temporarily disable SSL-VPN as a safety measure until patches are fully applied.
Bottom line: Act fast to lock down your systems and prevent repeat breaches.