Already patched Fortinet FortiGate devices impacted by the CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, continued to provide read-only access to threat actors who established a symbolic link between the user file system and root file system in a file containing the SSL-VPN's language files, reports The Hacker News.
With the failed detection of alterations within the user file system ensuring the persistence of the symlink following the remediation of the flaws leveraged for initial access, attackers were able to continue accessing configurations and other files within the targeted device's system, according to Fortinet, which called on users of the impacted FortiGate devices to immediately apply updated FortiOS versions and conduct device configuration assessments. Similar advice has been given by the Cybersecurity and Infrastructure Security Agency. Additional details regarding the intrusions were not provided but France's Computer Emergency Response Team reported the technique to have been exploited since early 2023. Moreover, watchTowr CEO Benjamin Harris said that the technique has already been leveraged to compromise critical infrastructure entities.
With the failed detection of alterations within the user file system ensuring the persistence of the symlink following the remediation of the flaws leveraged for initial access, attackers were able to continue accessing configurations and other files within the targeted device's system, according to Fortinet, which called on users of the impacted FortiGate devices to immediately apply updated FortiOS versions and conduct device configuration assessments. Similar advice has been given by the Cybersecurity and Infrastructure Security Agency. Additional details regarding the intrusions were not provided but France's Computer Emergency Response Team reported the technique to have been exploited since early 2023. Moreover, watchTowr CEO Benjamin Harris said that the technique has already been leveraged to compromise critical infrastructure entities.
