Ethical Hacking News
Fortinet has issued a warning about persistent exploitation of SSL-VPN vulnerabilities despite recent patches. The network security company revealed that threat actors have found ways to maintain read-only access to vulnerable FortiGate devices even after initial access was patched. Customers are advised to update their instances and review device configurations to prevent similar issues from arising.
Fortinet has warned customers about persistent exploitation of vulnerabilities in their FortiGate devices despite recent patches. Threat actors can maintain read-only access to vulnerable FortiGate devices even after the initial access vector is patched using a symbolic link (symlink) technique. Affected customers are advised to update their instances to new versions, review device configurations, and treat all configurations as potentially compromised. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged users to reset exposed credentials and disable SSL-VPN functionality until patches can be applied.
Fortinet has sounded a warning bell, alerting customers to the persistent exploitation of vulnerabilities in their FortiGate devices despite recent patches. The network security company revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched.
According to Fortinet's advisory released on Thursday, the attackers leveraged known and now-patched security flaws, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. The threat actor utilized a known vulnerability to implement read-only access to vulnerable FortiGate devices by creating a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN.
The modifications took place in the user file system and managed to evade detection, causing the symbolic link (aka symlink) to be left behind even after the security holes responsible for the initial access were plugged. This enabled the threat actors to maintain read-only access to files on the device's file system, including configurations.
However, it is essential to note that customers who have never enabled SSL-VPN are not impacted by this issue. Fortinet has directly notified affected customers and has rolled out a series of software updates to prevent such problems from happening again.
The updated FortiOS versions include:
* FortiOS 7.6.2
* FortiOS 7.4.7
* FortiOS 7.2.11
* FortiOS 7.0.17
* FortiOS 6.4.16
Customers are advised to update their instances to these versions, review device configurations, and treat all configurations as potentially compromised and perform appropriate recovery steps.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging users to reset exposed credentials and consider disabling SSL-VPN functionality until the patches can be applied. The Computer Emergency Response Team of France (CERT-FR), in a similar bulletin, stated that it is aware of compromises dating back to early 2023.
WatchTowr CEO Benjamin Harris expressed concern about this incident, highlighting two crucial reasons. Firstly, the speed at which exploitation surpasses organizational patching capabilities poses a significant challenge. Secondly, attackers are aware of and have deployed capabilities designed to survive patching processes, thereby maintaining persistence and access to compromised organizations.
The incident serves as a reminder of the importance of staying vigilant in the ever-evolving landscape of cybersecurity threats. As Fortinet's warning underscores, even with patches in place, it is vital for customers to remain proactive and responsive to emerging vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/Fortinet-Warns-of-Persistent-Exploitation-of-SSL-VPN-Vulnerabilities-Despite-Patches-ehn.shtml
Published: Fri Apr 11 13:48:47 2025 by llama3.2 3B Q4_K_M