New SSL-VPN Symlink Exploit Enables Silent FortiGate Compromise

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...
FortiGate SSL-VPN Exploits

Fortinet, a leading cybersecurity company, has released an urgent alert revealing that hackers have found a new technique to maintain unauthorized, read-only access to FortiGate devices even after they have been patched for known vulnerabilities.

This exploit involves the use of symbolic links (symlinks) within the SSL-VPN feature that allows the attackers to bypass security defences and give them persistent access to the compromised networks.​

Understanding the Exploit

Let’s understand how the threat actor exploits the FortiGate devices. For a better understanding of this attack and exploit, let’s first understand symlinks and some previous vulnerabilities in FortiGate.

“A symlink is like a shortcut or an alias to another file or folder on your computer, and this allows users and programs to access the target file through a symlink.”

Fortinet has some previously known vulnerabilities, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. These vulnerabilities allow attackers to run remote code execution and full device takeover without any login credentials.

They release patches for these vulnerabilities, and they claim that everything gets fixed after the user updates to the patch version.

Attackers used a method to maintain unauthorised access to FortiGate devices, even after known vulnerabilities had been patched. They used previously known vulnerabilities to exploit and get the initial access. After that, they create a Symlink in a specific folder used by the SSL-VPN feature of FortiGate, which is used as a backdoor.

Symlink was created in a “safe-looking” location (user space for VPN language files), but it secretly linked to protected config files. Notably, these symlinks remain even after the original vulnerabilities are patched, enabling continued read-only access without detection.

​It is hard to detect because the file is placed in writable directories that are typically less noticed, making the backdoor secret and difficult to detect. FortiGate devices lack endpoint detection agents, as a result makes detecting this backdoor file difficult.

Also Read: Massive Brute Force Attack Uses 2.8 Million IPs to Target VPNs and Firewalls

Targeted Organizations

The vulnerability affects only FortiGate devices that have SSL-VPN activated as a feature. These devices remain unaffected as SSL-VPN features are disabled. Different sectors encompassing organizations that fall under critical infrastructure have reported the activity, thus making this security issue more significant.

Impact

The impact of this exploit is that the attacker has backdoor access to the device and views information such as credentials, network topology details, and security policies. The access is read-only, and the information obtained can be used for further attacks.

Indicators of Compromise (IOCs)

The main sign of intrusion consists of unauthorized symlinks detected within directories linked to SSL-VPN language files. User filesystem access to root filesystem configuration files becomes possible through these symlinks which provide unauthorized links between filesystems.

Recommendations for Users

Fortinet advises all customers to:

  • Fortinet quickly rolled out new antivirus and intrusion prevention system (IPS) signatures. These are designed to detect the malicious symlinks left behind by attackers and remove them from impacted FortiGate devices.
  • Change all potentially exposed credentials and reset secrets.​

Conclusion

Cyber threats continue to evolve at an unprecedented speed, and the new FortiGate symlink exploit proves that even systems with applied patches remain vulnerable.

Attackers demonstrate increased skill level and determination through the deployment of symbolic links, which enable them to bypass security measures while remaining undetected.

You should not rely on FortiGate device patches alone when SSL-VPN features are active in your network. Initiate protective measures through system audits followed by IOC tracking and monitoring of unobtrusive signs that indicate compromise incidents.

The size of cyberattacks is escalating instead of letting up. The absence of ongoing defences against cyberattacks will make your business the next victim of a successful breach.

Our qualified experts serve clients through specialized SiteLock Security Services, including advanced threat detection, incident response, and patch management. Secure your network before unusual delays!

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.