Fortinet disclosed that threat actors have established persistent read-only access to vulnerable FortiGate devices by leveraging previously patched vulnerabilities such as CVE-2022-42475. Utilizing a symlink to connect the user and root file systems, attackers bypassed detection, ensuring that even after the original security flaws were mitigated, they retained access to device files, including configurations. While the specific perpetrators remain unidentified, Fortinet informed affected customers and has released critical updates across various FortiOS versions to address the issue by flagging and removing malicious symlinks. Customers are urged to update their systems promptly.
A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN.
Fortinet said the modifications took place in the user file system and managed to evade detection, causing the symbolic link (aka symlink) to be left behind even after the security holes responsible for the initial access were plugged.
It's not clear who is behind the activity, but Fortinet said its investigation indicated that it was not aimed at any specific region or industry. It also said it directly notified customers who were affected by the issue.
As further mitigations to prevent such problems from happening again, a series of software updates to FortiOS have been rolled out.
Collection
[
|
...
]