{"id":20500,"date":"2025-04-17T05:09:37","date_gmt":"2025-04-17T03:09:37","guid":{"rendered":"https:\/\/ig.technology\/?p=20500"},"modified":"2025-04-17T05:09:39","modified_gmt":"2025-04-17T03:09:39","slug":"14000-fortinet-firewalls-compromised-attackers-nestle-in","status":"publish","type":"post","link":"https:\/\/ig.technology\/index.php\/2025\/04\/17\/14000-fortinet-firewalls-compromised-attackers-nestle-in\/","title":{"rendered":"14,000 Fortinet firewalls compromised: Attackers nestle in","gt_translate_keys":[{"key":"rendered","format":"text"}]},"content":{"rendered":"\n<p>More than 14,000 Fortinet firewalls have been compromised globally through critical vulnerabilities in the SSL VPN component of FortiOS. Cyber attackers have embedded themselves in affected systems using <strong>symbolic links (symlinks)<\/strong>, allowing them to maintain persistent access\u2014even after security patches were applied.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd13 Exploited Vulnerabilities<\/h3>\n\n\n\n<p>Threat actors are exploiting multiple high-severity vulnerabilities:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CVE-2022-42475<\/strong> (CVSS 9.3)<\/li>\n\n\n\n<li><strong>CVE-2023-27997<\/strong> (CVSS 9.2)<\/li>\n\n\n\n<li><strong>CVE-2024-21762<\/strong> (CVSS 9.6)<\/li>\n<\/ul>\n\n\n\n<p>These vulnerabilities allow <strong>unauthenticated remote code execution<\/strong> and enable attackers to create malicious symlinks in the file system, bypassing traditional cleanup methods.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udf0d Global Impact<\/h3>\n\n\n\n<p>According to the <strong>Shadowserver Foundation<\/strong>, over <strong>14,600 Fortinet devices<\/strong> have been compromised. The highest concentrations are in:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>United States<\/strong>: 1,500+ affected devices<\/li>\n\n\n\n<li><strong>Germany<\/strong>: 233+ affected devices<\/li>\n<\/ul>\n\n\n\n<p>Other countries also report significant numbers, indicating a widespread and organized campaign.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udee1\ufe0f Fortinet\u2019s Mitigation Measures<\/h3>\n\n\n\n<p>Fortinet has released emergency patches in the following firmware versions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16<\/li>\n<\/ul>\n\n\n\n<p>These updates automatically remove malicious symlinks and reinforce SSL VPN protections.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Recommendations for IT Admins<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Update FortiOS immediately<\/strong> to the patched versions<\/li>\n\n\n\n<li><strong>Check for symbolic links<\/strong> in file systems related to FortiOS and VPN<\/li>\n\n\n\n<li><strong>Disable SSL VPN<\/strong> if not actively in use<\/li>\n\n\n\n<li><strong>Monitor for Indicators of Compromise (IoCs)<\/strong> provided by Fortinet<\/li>\n\n\n\n<li><strong>Audit firewall logs and configurations<\/strong> for unusual behavior<\/li>\n<\/ul>\n\n\n\n<p>This incident highlights the importance of proactive patch management and deep system audits even after updates are applied. The use of symbolic links to maintain persistence is a sophisticated tactic that underscores the evolving threat landscape targeting perimeter security appliances.<\/p>\n\n\n\n<a href=\"https:\/\/www.heise.de\/en\/news\/14-000-Fortinet-firewalls-compromised-Attackers-nestle-in-10352509.html\">\n    <button>Read the Original Article<\/button>\n  <\/a>\n","protected":false,"gt_translate_keys":[{"key":"rendered","format":"html"}]},"excerpt":{"rendered":"<p>More than 14,000 Fortinet firewalls have been compromised globally through critical vulnerabilities in the SSL VPN component of FortiOS. Cyber attackers have embedded themselves in affected systems using symbolic links (symlinks), allowing them to maintain persistent access\u2014even after security patches were applied. \ud83d\udd13 Exploited Vulnerabilities Threat actors are exploiting multiple high-severity vulnerabilities: These vulnerabilities allow unauthenticated remote code execution and enable attackers to create malicious symlinks in the file system, bypassing traditional cleanup methods. \ud83c\udf0d Global Impact According to the Shadowserver Foundation, over 14,600 Fortinet devices have been compromised. The highest concentrations are in: Other countries also report significant numbers, indicating a widespread and organized campaign. \ud83d\udee1\ufe0f Fortinet\u2019s Mitigation Measures Fortinet has released emergency patches in the following firmware versions: These updates automatically remove malicious symlinks and reinforce SSL VPN protections. \u2705 Recommendations for IT Admins This incident highlights the importance of proactive patch management and deep system audits even after updates are applied. The use of symbolic links to maintain persistence is a sophisticated tactic that underscores the evolving threat landscape targeting perimeter security appliances. Read the Original Article<\/p>\n","protected":false,"gt_translate_keys":[{"key":"rendered","format":"html"}]},"author":1,"featured_media":20504,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1,19],"tags":[],"class_list":["post-20500","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-cyber-security"],"aioseo_notices":[],"gt_translate_keys":[{"key":"link","format":"url"}],"_links":{"self":[{"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/posts\/20500","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/comments?post=20500"}],"version-history":[{"count":3,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/posts\/20500\/revisions"}],"predecessor-version":[{"id":20506,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/posts\/20500\/revisions\/20506"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/media\/20504"}],"wp:attachment":[{"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/media?parent=20500"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/categories?post=20500"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ig.technology\/index.php\/wp-json\/wp\/v2\/tags?post=20500"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}