Hackers exploit Fortinet flaws to plant stealth backdoors on FortiGate devices, maintaining access even after patches. Update to secure versions now.
Cybersecurity researchers at Fortinet have recently alerted customers about a new method used by cyber attackers to maintain access to FortiGate devices. The attackers exploited known vulnerabilities, such as FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015, to gain entry and then left behind a backdoor for continued, read-only access even after systems were patched.
The method begins with attackers taking advantage of vulnerabilities that many devices had not yet fixed. Once inside, they created a symbolic link that connects the user filesystem to the root filesystem within a folder used to serve language files on the SSL-VPN. This clever modification allows them to read configuration files quietly without triggering standard detection. Importantly, if your device never had SSL-VPN enabled, this issue does not affect you.
To block the threat actor from further attacks, Fortinet has released several updates along with new security measures, including:
- Launched an internal investigation and coordinated with third-party experts.
- Developed an AV/IPS signature to detect and remove the symbolic link automatically.
- Issued multiple updates across different FortiOS versions (including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16) that not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences.
The full list of the company’s security measures is available here.
Why is This Important?
Benjamin Harris, CEO of watchTowr, emphasized the seriousness of the situation, stating that while Fortinet is responding appropriately, this incident underscores a worrying industry trend: “Attackers are demonstrably and deeply aware that patching takes time, and they’re designing backdoors to survive even updates and factory resets.”
This highlights a shift in attacker tactics – they’re not just exploiting vulnerabilities; they’re actively planning for persistence, making it harder to fully recover from a breach.
Nevertheless, while Fortinet has released mitigations, it’s important to upgrade your FortiGate devices to one of the recommended versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16) as soon as possible.
This incident is just another evidence of the ongoing race between threat actors and cybersecurity teams. Although Fortinet was quick to react, users/customers worldwide are reminded to keep pace with updates and review their security measures regularly.
