More than 14,000 Fortinet firewalls have been compromised globally through critical vulnerabilities in the SSL VPN component of FortiOS. Cyber attackers have embedded themselves in affected systems using symbolic links (symlinks), allowing them to maintain persistent access—even after security patches were applied.
🔓 Exploited Vulnerabilities
Threat actors are exploiting multiple high-severity vulnerabilities:
- CVE-2022-42475 (CVSS 9.3)
- CVE-2023-27997 (CVSS 9.2)
- CVE-2024-21762 (CVSS 9.6)
These vulnerabilities allow unauthenticated remote code execution and enable attackers to create malicious symlinks in the file system, bypassing traditional cleanup methods.
🌍 Global Impact
According to the Shadowserver Foundation, over 14,600 Fortinet devices have been compromised. The highest concentrations are in:
- United States: 1,500+ affected devices
- Germany: 233+ affected devices
Other countries also report significant numbers, indicating a widespread and organized campaign.
🛡️ Fortinet’s Mitigation Measures
Fortinet has released emergency patches in the following firmware versions:
- FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16
These updates automatically remove malicious symlinks and reinforce SSL VPN protections.
✅ Recommendations for IT Admins
- Update FortiOS immediately to the patched versions
- Check for symbolic links in file systems related to FortiOS and VPN
- Disable SSL VPN if not actively in use
- Monitor for Indicators of Compromise (IoCs) provided by Fortinet
- Audit firewall logs and configurations for unusual behavior
This incident highlights the importance of proactive patch management and deep system audits even after updates are applied. The use of symbolic links to maintain persistence is a sophisticated tactic that underscores the evolving threat landscape targeting perimeter security appliances.
