Post

Fortinet's Critical Warning: Symbolic Link Trick Bypasses FortiGate Patches

Posted
By Vitus White
2 min read
Fortinet's Critical Warning: Symbolic Link Trick Bypasses FortiGate Patches

TL;DR

Fortinet has issued a warning that attackers can retain read-only access to FortiGate devices even after vulnerabilities are patched, using a symbolic link trick. This persistent access is achieved through SSL-VPN language folders and affects devices with SSL-VPN enabled. Mitigations include updating to specific FortiOS versions and reviewing device configurations.

Fortinet’s Warning on Persistent Access to FortiGate Devices

Fortinet has issued a critical warning that threat actors can maintain read-only access to FortiGate devices even after the original vulnerabilities have been patched. This persistent access is achieved through a symbolic link trick that exploits known flaws in FortiGate devices.

Exploitation of Known Vulnerabilities

Attackers have been exploiting known vulnerabilities such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 to gain access. By creating a symbolic link in SSL-VPN language folders, they connect the user filesystem to the root filesystem, allowing persistent read-only access.

“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection.” 1

Impact and Mitigation

Fortinet has confirmed that only devices with SSL-VPN enabled are affected. The attacks are not limited to any specific region or industry. To mitigate this threat, Fortinet has deployed AV/IPS signatures and updated releases to block the symbolic link. They have also urged customers to patch their devices and maintain transparency.

FortiOS Mitigations

Fortinet has released the following mitigations:

  • FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16: The SSL-VPN UI has been modified to prevent serving malicious symbolic links.
  • FortiOS 7.4, 7.2, 7.0, 6.4: The symbolic link is flagged as malicious by the AV/IPS engine and automatically removed if the engine is licensed and enabled.
  • Upgrading to the latest releases: This will remove the malicious symbolic link.

Recommendations for Impacted Customers

Fortinet has notified impacted customers and provided the following recommendations:

  • Treat all configurations as potentially compromised.
  • Upgrade all devices to the latest FortiOS versions.
  • Review the configuration of all devices.

Conclusion

Fortinet’s warning highlights the critical need for vigilance and prompt updates to mitigate persistent threats. By following the recommended mitigations and staying informed, organizations can protect their FortiGate devices from potential breaches.

References

For more details, visit the full article: source

Additional Resources

For further insights, check:

  1. Fortinet (2025). “Analysis of Threat Actor Activity”. Fortinet Blog. Retrieved 2025-04-12. ↩︎

Cybersecurity & Data Protection, Vulnerabilities
cybersecurity threat intelligence fortigate
This post is licensed under CC BY 4.0 by the author.