Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
Published on: 2025-05-02 02:08:54
Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
Earlier this week, Fortinet began sending emails to customers warning that their FortiGate/FortiOS devices were compromised based on telemetry received from FortiGuard devices.
These emails were titled "Notification of device compromise - FortiGate / FortiOS - ** Urgent action required **" and were given a TLP:AMBER+STRICT designation.
"This issue is not related to any new vulnerability. This file was left behind by a threat actor following exploitation of previous known vulnerabilities," the emails said, citing vulnerabilities including but not limited to CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.
After BleepingComputer contacted Fortinet with questions about these emails, the company released an advisory on Thursday warning about this new exploitation technique. The advisory says that when the th