Over 14,000 Fortinet devices worldwide have been compromised through the exploitation of known vulnerabilities and a novel symlink-based persistence mechanism, potentially exposing sensitive data.
The Shadowserver Foundation reported that a threat actor exploited older critical vulnerabilities, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, to gain access to FortiGate devices. Fortinet warned that customer organizations that patched these older vulnerabilities may still be compromised, because the symlink modifications evaded the vendor's detections and persisted across updates. A symlink (symbolic link) is essentially a filesystem shortcut that points at another file or directory; in this campaign it gave the attackers access to files on the compromised device.
Shadowserver’s latest scans showed nearly 7,000 compromised Fortinet devices in Asia, with approximately 3,500 and 2,600 in Europe and North America, respectively. The countries with the most compromised devices are the U.S., Japan, Taiwan, and China. According to Fortinet’s CISO Carl Windsor, the symlink mechanism was implanted in devices’ user filesystems and provides read-only access to files, which “may include device configurations.” The network security vendor noted that customers that never enabled SSL-VPNs are not affected by the threat activity.
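To make the mechanism concrete from the defender's side: the persistence described above is a link planted in a directory the device serves that resolves to files outside that directory. The check below is an added illustration, not Fortinet's detection logic and not code from the advisories; it builds a throwaway directory tree (a constructed sample, with placeholder names such as `served/`, `public` and `data/config.conf`) and reports every symlink whose resolved target escapes the served root. The scan generalises beyond this one campaign to any web-served tree, and flags dangling links and symlink loops as well, since those also deserve a look during triage.

```python
import os
import shutil
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root: str) -> list[tuple[str, str]]:
    """Walk served_root without following links and return
    (link_path, resolved_target) for every symlink whose final target lies
    outside served_root. Links that stay inside the tree are normal; links
    that leave it are the pattern described in the article (a shortcut in
    the exposed filesystem that reaches files the service should never
    serve). Dangling links and loops are reported as '<unresolvable>'."""
    root = Path(served_root).resolve()
    findings: list[tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(served_root, followlinks=False):
        # symlinks to directories appear in dirnames, so inspect both lists
        for name in dirnames + filenames:
            candidate = Path(dirpath) / name
            if not candidate.is_symlink():
                continue
            try:
                target = candidate.resolve(strict=True)
            except (FileNotFoundError, RuntimeError):
                findings.append((str(candidate), "<unresolvable>"))
                continue
            if target != root and root not in target.parents:
                findings.append((str(candidate), str(target)))
    return findings


def build_demo_tree() -> tuple[str, str]:
    """Constructed sample layout (hypothetical, not a real appliance):
        base/
          served/               <- directory the web service exposes
            index.html
            assets/style.css
            css    -> assets    (relative link, stays inside served/)
            public -> ../data   (relative link, escapes served/)
          data/config.conf      <- sensitive, must never be web-reachable
    Returns (base, served)."""
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    served = os.path.join(base, "served")
    os.makedirs(os.path.join(served, "assets"))
    os.makedirs(os.path.join(base, "data"))
    Path(served, "index.html").write_text("<html></html>\n")
    Path(served, "assets", "style.css").write_text("body {}\n")
    Path(base, "data", "config.conf").write_text("set password PLACEHOLDER\n")
    os.symlink("assets", os.path.join(served, "css"))
    os.symlink("../data", os.path.join(served, "public"))
    return base, served


def run_demo() -> dict:
    """Build the sample tree, scan it, clean up, and return the findings
    alongside the values a caller would expect for the planted link."""
    base, served = build_demo_tree()
    try:
        findings = find_escaping_symlinks(served)
        return {
            "findings": findings,
            "expected_link": os.path.join(served, "public"),
            "expected_target": str(Path(base, "data").resolve()),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    for link, target in result["findings"]:
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

On a real appliance this check runs on whatever the vendor ships (here, Fortinet's updates that detect and remove the link), but the same comparison of resolved target against served root is what an integrity check on any web-served directory should perform, and a link that suddenly resolves outside that root after a patch cycle is exactly the post-update persistence the vendor warned about.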
New Zealand's Computer Emergency Response Team (CERT NZ) warned of widespread exploitation of Fortinet vulnerabilities dating back to 2023. CERT NZ also warned that the symlink mechanism may have given the threat actor access to highly sensitive data on Fortinet devices. "The compromise may have allowed the actor to access sensitive files from compromised devices including credentials and key material," the CERT NZ advisory said.
France’s Computer Emergency Response Team (CERT-FR) reported large-scale attacks utilizing the post-exploitation technique in the country. “CERT-FR is aware of a massive campaign involving numerous compromised devices in France. During incident response operations, CERT-FR has learned of compromises occurring since early 2023,” the agency said in its advisory. Fortinet communicated directly with customers that were affected by the threat activity and released updates and mitigations that can detect and remove the symlink from devices’ filesystems and prevent them from being redeployed.
CERT-FR emphasized that applying updates and removing the malicious symlink are "not sufficient in the event of a compromise." The agency urged affected customers to isolate compromised devices from their networks and perform a "data freeze" so the malicious activity can be investigated; to reset all secrets held on affected devices, such as passwords and certificates; and to reset all authentication secrets that may have transited the compromised devices.