Skip to main content
close search
site logo
Dive Brief

Fortinet warns of threat activity against older vulnerabilities

Researchers discovered a technique that allows threat actors to maintain read-only access to vulnerable FortiGate devices after they are patched.

Published April 11, 2025
By
Contributing Reporter
The red lock and its structure explode in a digital computer setting.
TU IS via Getty Images

Dive Brief:

  • Fortinet detailed new exploitation activity against known critical vulnerabilities in FortiGate devices, including CVE-2022-42475CVE-2023-27997 and CVE-2024-21762, in a Thursday blog post..

  • Fortinet said that although these vulnerabilities have been patched, a threat actor was observed using a new technique to maintain read-only access to vulnerable FortiGate devices after they were updated.

  • Fortinet vulnerabilities have been heavily targeted by a range of attackers in recent years as both cybercriminals and nation-state threat groups shifted focus to edge devices as initial access vectors.

Dive Insight:

Fortinet CISO Carl Windsor warned that a recent investigation into active exploitation of the older CVEs revealed that a threat actor was using a novel technique that allowed them to read files and data on Fortinet devices that were patched. This was achieved by creating a "symbolic link" between the user file systems and the root file systems via a folder that serves language files for SSL-VPNs.

"This modification took place in the user filesystem and avoided detection," Windsor wrote in the blog post. "Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations."

The Cybersecurity and Infrastructure Security Agency on Friday issued a security alert regarding the exploitation activity and encouraged organizations to implement mitigations.

Telemetry based on Fortinet scans and input from third-party organizations showed the exploitation activity was not focused on a specific region or industry, Windsor said.

Fortinet released several mitigations to address the new technique. In FortiOS versions 7.4, 7.2, 7.0 and 6.4, the operating system's antivirus and intrusion prevention system engine automatically detects and removes the symbolic link. The network security vendor urged customers to upgrade all devices to versions 7.6.2, 7.4.7, 7.2.11 and 7.0.17 or 6.4.16, which remove existing symbolic links in Fortinet devices and prevent other malicious symbolic links from being served in the future.

Filed Under: Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
360 Privacy Announces Strategic Executive Appointments Following $36 Million Growth Investment
From 360 Privacy
March 31, 2025
Lafayette Federal Credit Union Data Breach Investigation
From Migliaccio & Rathod LLP
March 24, 2025
As Attacks Grow on Critical Infrastructure, New RunSafe Tool Scores Hidden Threats in Embedded…
From RunSafe Security
April 07, 2025
98% of Brands Targeted by Cyber Attacks in 2024 – BrandShield CyberScam Report Reveals Rising …
From BrandShield
April 02, 2025
Editors' picks
Latest in Cyberattacks
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.