Here’s something straight out of a cybersecurity thriller: you patch a critical vulnerability, thinking the danger’s been dealt with. But weeks or months later, you find out the attackers never really left. That’s exactly what’s playing out right now with Fortinet’s FortiGate firewalls.

In a recent advisory, Fortinet revealed that attackers who had exploited past vulnerabilities in FortiGate devices found a crafty way to stick around, even after the initial holes were patched. And they weren’t just sitting there doing nothing: they had silent, read-only access to sensitive files on compromised devices. Creepy, right?

It Started with Patched Vulnerabilities

Let’s rewind. Hackers initially got in using known bugs, specifically CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. These weren’t random. They’re all linked to the SSL-VPN feature in Fortinet’s devices, a common access point for remote users that’s also a juicy target for bad actors.

Fortinet has since patched these vulnerabilities, but it turns out the damage was already done. Before the doors were shut, attackers slipped in and left behind symbolic links: basically digital breadcrumbs that point to important files inside the system.

Even though the doors were locked afterward, those breadcrumbs let them peek inside and read sensitive configurations. They couldn’t change anything, but just reading certain files is more than enough to plan a second attack or understand a company’s entire security posture.

Who’s Affected (and Who’s Safe)?

Here’s the silver lining: if you’ve never enabled SSL-VPN on your FortiGate devices, you’re in the clear. But if you have, it’s time to take this seriously.

Fortinet has already alerted affected customers and released updated software to block this kind of silent persistence from happening again. But detecting whether your device was tampered with before the patch? That’s a tougher challenge.

CISA, CERT-FR, and the Growing Concern

This incident isn’t just raising eyebrows at Fortinet. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging IT teams to do the following immediately:

  • Reset exposed credentials

  • Check device configs thoroughly

  • Temporarily disable SSL-VPN if possible until fully patched

Meanwhile, France’s cybersecurity agency (CERT-FR) reported seeing signs of these compromises as far back as early 2023. Translation? This campaign has been active and under the radar for longer than most people realize.

Attackers Are Moving Faster Than Ever

Benjamin Harris, CEO of WatchTower, summed it up best. “Attackers are exploiting vulnerabilities faster than most organizations can patch. And they’re not just sneaking in; they’re digging in, leaving behind mechanisms that survive even after a patch, upgrade, or full factory reset.”

If that doesn’t sound like cyberwarfare, what does?

What Fortinet Users Need to Do Right Now

If you use FortiGate devices with SSL-VPN enabled, here’s your checklist:

  • Update to one of these FortiOS versions ASAP: 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16

  • Review all device configs like they’ve been compromised, because they might be

  • Reset all credentials and keys used on those devices

  • Temporarily disable SSL-VPN until updates are in place

  • Monitor for unusual read-only access or symlink references
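The last item on that checklist is the one people find hardest to act on, so here is an added example (not Fortinet’s code or part of the original post) of the kind of check a defender can run against an exported or mounted copy of a device’s web-served tree: it walks a directory and flags any symbolic link whose resolved target lands outside that directory. The directory layout, file names and contents below are constructed sample data, not real FortiGate paths.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return (link, target) pairs for every symlink under served_root whose
    resolved target lies outside served_root. A link that stays inside the
    tree is normal; one that escapes it is the persistence pattern the
    advisory describes: read-only reach into files the web server should
    never expose."""
    root = Path(served_root).resolve()
    findings = []
    # followlinks=False: never descend into a linked directory, so a link
    # pointing at "/" cannot turn the scan into a walk of the whole system.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            target = entry.resolve()  # follows the full link chain
            try:
                target.relative_to(root)  # raises if target is outside root
            except ValueError:
                findings.append((str(entry.relative_to(root)), str(target)))
    return sorted(findings)


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    base = Path(tempfile.mkdtemp())
    served = base / "www"                 # hypothetical web-served tree
    (served / "lang").mkdir(parents=True)
    (served / "lang" / "en.json").write_text("{}")
    private = base / "etc"                # hypothetical config directory
    private.mkdir()
    (private / "device.conf").write_text("placeholder config\n")
    # Benign: a link that stays inside the served tree.
    os.symlink(served / "lang" / "en.json", served / "lang" / "default.json")
    # Suspicious: a link that escapes the served tree into the config dir.
    os.symlink(private, served / "lang" / "cache")
    return find_escaping_symlinks(served)


if __name__ == "__main__":
    for link, target in demo():
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

Run it against a real export by calling `find_escaping_symlinks()` on the directory you want to audit; an empty result means no link in that tree reaches outside it.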

Final Thought: Patching Isn’t Enough Anymore

This situation is a harsh reminder that just installing a security patch doesn’t guarantee safety. Cybercriminals are evolving fast, and their tactics are getting way more sophisticated. These aren’t just opportunists anymore; they’re strategic, patient, and disturbingly clever.

As defenders, it’s not just about stopping attacks anymore; it’s about hunting for anything that might’ve been left behind. In a world where breaches can go undetected for months, “assume breach” isn’t just a slogan. It’s the new reality.
