Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Symbolic Link trick lets attackers bypass FortiGate patches, Fortinet warns

Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched. Fortinet warns that threat actors can retain read-only access to FortiGate devices even after the original vulnerability used for the breach has been patched. The cybersecurity firm revealed that attackers exploited known FortiGate flaws like CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 to […]

fortinet FortiBleed

Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.

Fortinet warns that threat actors can retain read-only access to FortiGate devices even after the original vulnerability used for the breach has been patched.

The cybersecurity firm revealed that attackers exploited known FortiGate flaws like CVE-2022-42475CVE-2023-27997, and CVE-2024-21762 to gain persistent read-only access via a symlink in SSL-VPN language folders.

“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection.” reads the advisory published by Fortinet. “Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations.”

Fortinet pointed out that only devices with SSL-VPN enabled are impacted. The company added that scans show the attacks weren’t limited to any specific region or industry.

Fortinet mitigated the attack by deploying AV/IPS signatures, updating releases to block the symbolic link, and urging customers to patch devices while maintaining transparency.

The company did not link the attacks to a certain threat actor, however, the investigation is still ongoing.

Below are the FortiOS mitigations released by the company:

  • FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: The SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links.
  • FortiOS 7.4, 7.2, 7.0, 6.4: The symbolic link was flagged as malicious by the AV/IPS engine so that it would be automatically removed if the engine was licensed and enabled.
  • FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: Upgrading to this release will remove the malicious symbolic link.

The cybersecurity vendor notified impacted customers and provided the following mitigations:

  • Treat all configuration as potentially compromised and follow the recommended steps below to recover:
  • Upgrade all devices to 7.6.2, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16.
  • Review the configuration of all devices.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, FortiOS)