Summary: Threat actors have discovered a method to retain read-only access to compromised FortiGate devices, even after vulnerabilities have been patched. This was achieved by creating a malicious symbolic link that evades detection and maintains access to device configurations. Fortinet has released software updates to address the issue and urges affected customers to apply these patches and review device configurations.
Affected: Fortinet FortiGate devices
Keypoints :
- Threat actors exploited known vulnerabilities, including CVE-2022-42475 and CVE-2023-27997, to create a persistent read-only access point.
- Malicious symbolic links were created, allowing access to sensitive configurations without detection.
- Fortinet released several updates to FortiOS to flag and remove these links and prevent further exploitation.
- Customers are advised to update their systems and reevaluate device configurations as potentially compromised.
- CISA and CERT-FR have issued advisories encouraging credential resets and potential SSL-VPN disconnection until patches are applied.
Source: https://thehackernews.com/2025/04/fortinet-warns-attackers-retain.html
Views: 7