Fortinet faced a series of dangerous exploitation techniques even when the initial hole was patched

Overview

In April 2025, Fortinet warned that hackers were using post-exploitation techniques to maintain read-only access to compromised FortiGate devices, even after the initial vulnerabilities had been patched. The initial attack method was noted to involve creating symbolic links (symlinks) in the SSL-VPN file system.

According to Fortinet, the attackers exploited known and previously patched security vulnerabilities, including the vulnerability chain CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. By exploiting these flaws, they created a symlink linking the user file system to the root file system in the language serving directory for SSL-VPN.

Main Impact

• Data leakage: Attackers can access system configurations, certificates, user information, and even access logs. Although they have "read-only" access, it's still enough to exploit sensitive information.

• Maintain backdoor: Malicious symlinks can be used as a "lightweight backdoor," allowing hackers to maintain a long-term presence without easy detection.

• Hard to detect: Since the symlink links exploit existing system functions (SSL-VPN language files), traditional security tools may miss unusual signs.

Affected Version

Vulnerability Information

1. CVE-2022-42475

   • CVE ID: CVE-2022-42475

   • Vulnerability Type: Heap-based buffer overflow

   • Severity Level: 9.3/10 according to CVSS v3

   • Impact: Remote code execution (RCE) without authentication

   • Affected Component: sslvpnd – the daemon handling SSL-VPN on FortiOS

2. CVE-2023-27997

   • CVE ID: CVE-2023-27997

   • Vulnerability Type: Heap-based buffer overflow

   • Severity Level: 9.2/10 according to CVSS v3

   • Impact: Remote code execution (RCE) without authentication

   • Affected Component: SSL-VPN in FortiOS and FortiProxy

3. CVE-2024-21762

   • CVE ID: CVE-2024-21762
     Vulnerability Type: Out-of-Bounds Write

   • Severity Level: 9.6/10 according to CVSS v3

   • Affected Component: sslvpnd – the daemon handling SSL VPN in FortiOS

Campaign Details

Purpose of Symlink attack when executed by attackers:

• Point to a backdoor or custom payload

• Hide in valid directories (/data/var/forticlient/ or /var/webssl/)

• When SSL-VPN loads the language file, it will unintentionally execute the file pointed to by the symlink

Initially, attackers will exploit the CVE-2022-42475 vulnerability to create symbolic links (symlinks) in the directory containing the language files of SSL-VPN to:

• Maintain access to the FortiGate device even after the vulnerability has been patched.

• Illegally retrieve internal data, such as configurations, passwords, and system information.

• Conceal their presence, making it difficult for administrators to detect.

In the recorded campaign, hackers will create a symlink to replace the language file. When users access the VPN and select “Vietnamese“, immediately

After creating a hidden symlink to maintain a backdoor, hackers will continue to exploit two vulnerabilities, CVE-2023-27997 and CVE-2024-21762, to overwrite memory (Heap Overflow). The payload in the packet is designed to overwrite memory areas containing function pointers or sensitive data in the heap. When FortiOS processes the packet, the program is forced to execute unwanted code.

Finally, after successfully exploiting the vulnerabilities, hackers can insert malicious code (shellcode) into memory and force the device to execute it, thereby gaining remote control of the FortiGate system. Additionally, hackers can download a backdoor (for example, BOLDMOVE, as with previous CVEs) and establish a connection to a C2 (Command & Control) server.

Recommendation

1. Update FortiOS firmware immediately

   • Update to the latest patched version corresponding to your FortiOS line:

     • 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16

   • These updates:

     • Remove any malicious symbolic links if present.

     • Fix the SSL-VPN interface to prevent symlink use in the future.

2. Consider resetting credentials

   • If you suspect the system has been compromised:

     • Reset the administrator password.

     • Reset SSL-VPN user credentials.

     • Check and replace the certificate if unauthorized access is suspected.

3. Temporarily disable SSL-VPN (if necessary)

   • If you cannot update immediately, you can temporarily disable the SSL-VPN service to prevent hackers from continuing to access through symlinks.

Conclusion

The attack targeting FortiGate SSL-VPN this time is a clear example of the dangers of maintaining long-term access after exploitation (persistence). Organizations not only need to update their software but also conduct a comprehensive system check after each patch.

Fortinet has now updated tools and documentation to help check for compromised devices. If you are a system administrator operating FortiGate, this is a time when one cannot be complacent.

References

1. Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks

2. Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit