We are reaching out to let you know about ongoing attacks targeting Fortinet devices using known vulnerabilities. In some cases, the attackers can remain undetected even after patching.
Attention constituent:
Fortinet and CISA recently reported active exploitation of several known vulnerabilities in Fortinet devices. These include switches, firewalls, and other related products, many of which are widely used for secure remote access. Attackers are taking advantage of these flaws to break into networks, install persistent backdoors, and avoid detection.
In some cases, even patched systems are still being accessed through leftover changes made during an earlier compromise. One tactic involves creating a hidden shortcut, or symbolic link, in the SSL-VPN language directory. Because the link is not removed by patching or firmware updates, it gives the attacker ongoing read access to sensitive files on the device, including its configuration.
Advisory Overview
Advisory Type: Technical
Author: Marcus Knowles
Date: 14 April 2025
What's Happening
Affected Systems
These issues can affect a range of Fortinet products, especially if they are exposed to the internet or have not been updated recently. The products and their relevant vulnerabilities are listed below.
- FortiGate Firewalls (FortiOS 6.0 through 7.2)
CVEs: CVE-2022-42475, CVE-2023-27997, CVE-2024-21762, and CVE-2024-35279
- FortiManager
CVEs: CVE-2022-40684, CVE-2025-24472, and CVE-2024-55591
- FortiAnalyzer
CVEs: CVE-2025-24472 and CVE-2024-55591
- FortiProxy
CVE: CVE-2022-40684
- Other Fortinet devices with known unpatched vulnerabilities
CVEs: CVE-2023-27997 and CVE-2024-35279
What this Means
Attackers are exploiting known vulnerabilities to:
- create fake or unauthorised admin or VPN accounts;
- install remote access tools such as custom reverse shells or web shells;
- change startup scripts so that their access survives reboots; and
- hide their activity from detection tools.
In one example, a symbolic link was used to quietly read sensitive files. A change of this kind can persist even after patching and firmware updates unless it is specifically checked for and removed.
What to Look For
Signs You May Be at Risk
You may be at risk if:
- your Fortinet devices are running older or unpatched firmware,
- devices are directly exposed to the internet without access controls or firewalls,
- SSL-VPN is enabled and accessible from the internet, or
- you have not recently checked startup scripts, user accounts, or file changes.
Signs You May Be Affected
Signs of compromise may include:
- unknown VPN or admin accounts appearing,
- unfamiliar symbolic links in the SSL-VPN language directory (e.g., a link from /data/ to the root filesystem /),
- changes to startup scripts such as system.pre or startup.sh, or unauthorised scheduled tasks,
- unusual outbound connections from Fortinet devices or abnormal CPU/memory usage, and
- logs showing shell access, diagnostic commands, or failed firmware checks.
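The following script is an added example, not tooling from Fortinet or CIRT-BS. It shows offline triage for two of the indicators above (the symbolic-link persistence described under "What this Means" and the unknown-account and unfamiliar-symlink signs listed here), run against artifacts you already collect from a device: a text configuration backup and a file listing of the SSL-VPN language directory. The configuration text, link listing, directory path /var/sslvpn/lang, account names and the APPROVED inventory are all constructed placeholders, not values taken from the advisories.

```python
"""Offline triage for two Fortinet compromise indicators: accounts that are not
on an approved inventory, and symbolic links in the SSL-VPN language directory
whose target lies outside that directory. Sample data is constructed."""
import posixpath


def parse_accounts(config_text):
    """Collect the entry names of the `config system admin` and
    `config user local` tables from a FortiOS-style text configuration.
    Only top-level `edit` entries are collected; nested tables such as
    `config gui-dashboard` inside an admin entry are skipped by tracking
    config/end nesting depth."""
    wanted = {"system admin", "user local"}
    accounts = {}
    current = None
    depth = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            name = line[len("config "):]
            if depth == 0 and name in wanted:
                current = name
                accounts.setdefault(current, [])
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                current = None
        elif line.startswith("edit ") and current is not None and depth == 1:
            accounts[current].append(line[len("edit "):].strip().strip('"'))
    return accounts


def unexpected_accounts(config_text, approved):
    """Return, per table, the account names not on the approved inventory.
    `approved` is an assumption you replace with your own records."""
    found = parse_accounts(config_text)
    return {
        table: sorted(n for n in names if n not in approved.get(table, set()))
        for table, names in found.items()
    }


def suspicious_symlinks(links, lang_dir):
    """`links` maps a symbolic link path to its target, as collected from a
    listing of the language directory. A link is flagged when its target,
    resolved relative to the link's own directory, lies outside `lang_dir`,
    which is what a link to the root filesystem looks like."""
    base = posixpath.normpath(lang_dir)
    flagged = []
    for link, target in links.items():
        if posixpath.isabs(target):
            resolved = posixpath.normpath(target)
        else:
            resolved = posixpath.normpath(
                posixpath.join(posixpath.dirname(link), target))
        if resolved != base and not resolved.startswith(base + "/"):
            flagged.append((link, resolved))
    return sorted(flagged)


# Constructed sample configuration backup in FortiOS-style syntax.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "svc_backup1"
        set accprofile "super_admin"
    next
end
config user local
    edit "jdoe"
        set type password
    next
    edit "vpn_tmp"
        set type password
    next
end
"""

# Assumed inventory of the accounts you expect to exist.
APPROVED = {"system admin": {"admin"}, "user local": {"jdoe"}}

# Constructed listing of a language directory (placeholder path). The last two
# entries model the "link to /" pattern, once absolute and once relative.
LANG_DIR = "/var/sslvpn/lang"
SAMPLE_LINKS = {
    "/var/sslvpn/lang/en": "en_US.json",
    "/var/sslvpn/lang/fr": "/var/sslvpn/lang/fr_FR.json",
    "/var/sslvpn/lang/.cache": "/",
    "/var/sslvpn/lang/ja": "../../..",
}

if __name__ == "__main__":
    for table, names in unexpected_accounts(SAMPLE_CONFIG, APPROVED).items():
        for name in names:
            print(f"unexpected account in '{table}': {name}")
    for link, resolved in suspicious_symlinks(SAMPLE_LINKS, LANG_DIR):
        print(f"symlink escapes language directory: {link} -> {resolved}")
```

On a Linux analysis host with GNU find, `find DIR -type l -printf '%p %l\n'` produces the link/target pairs the second check expects; on the appliance itself, list the directory the way Fortinet's guidance describes. The account check deliberately reads a backup rather than the live device, so it can be run on backups taken before and after the suspected compromise and the two results compared.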
What to Do
Prevention
To help prevent these vulnerabilities from impacting your organisation, take the steps outlined below.
- Update all Fortinet devices to the latest available firmware.
- Restrict administrative interfaces to a segmented management network and do not expose them to the internet.
- Enable multi-factor authentication for VPN and admin access.
- Regularly review user accounts and disable unused services (e.g., SSL-VPN if not in use).
Mitigation
If you believe these vulnerabilities are already impacting you, take the steps outlined below (not in any particular order).
- Isolate any potentially affected devices from the network.
- Apply all security updates.
- Review the configuration of all affected products, including accounts, startup scripts and the SSL-VPN language directory.
- Monitor and investigate unusual activity in connected environments.
- Reset admin passwords and review access control lists.
- Report the issues to CIRT-BS at [email protected].
Official Information
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
- https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities
- https://www.cirt.bs/
Should you require additional information or further support, submit a report on our website or contact us at [email protected].
Best,
Marcus Knowles
Security Operations Centre
National Computer Incident Response Team of The Bahamas