Fortinet Releases Advisory
Security
April 14, 2025
Fortinet is aware of a technique employed by cyber threat actors to maintain read-only access to vulnerable FortiGate devices: in a folder used to serve language files for the SSL-VPN, the actor creates a symbolic link connecting the user filesystem and the root filesystem. Even if the associated FortiOS device was running a version that patched the original vulnerability, the threat actor could maintain read-only access to the system via this symbolic link. Customers who never had SSL-VPN enabled are not impacted.
- Upgrade to FortiOS version 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 to remove the malicious file and prevent re-compromise.
- Review the configuration of all in-scope devices.
- Reset potentially exposed credentials.
- As a workaround mitigation until the patch is applied, consider disabling SSL-VPN functionality, as exploitation of the file requires the SSL-VPN to be enabled.
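The persistence pattern described above is a symbolic link, placed inside a web-served folder, whose target lies outside that folder, so the web service becomes a read-only window onto the rest of the device. The following is an added example of the detection side of that pattern; it is not Fortinet's tooling and does not run on the appliance itself. It is meant for a forensic copy of the served directory or an extracted filesystem image, and the directory layout it builds (a `lang` folder with one real file, one internal symlink, and one symlink to `/`) is constructed sample data, not a real FortiGate path.

```python
import os
import shutil
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Walk a directory that a web service exposes and return every symbolic
    link whose final resolved target lies outside that directory.

    Each finding is (link path, raw link target, fully resolved target).
    Symlinks that stay inside the served root are legitimate and skipped.
    """
    served_root = Path(served_root).resolve()
    findings = []
    # followlinks=False: symlinked directories are listed but never descended,
    # so a link to "/" cannot drag the scan across the whole filesystem.
    for dirpath, dirnames, filenames in os.walk(served_root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            # resolve() follows the entire chain of links to the real target
            target = entry.resolve()
            try:
                target.relative_to(served_root)
                inside = True
            except ValueError:
                inside = False
            if not inside:
                findings.append((str(entry), os.readlink(entry), str(target)))
    return findings


def build_demo_tree():
    """Construct a throwaway directory mimicking a served language-file
    folder. Constructed sample layout, not a real FortiGate filesystem."""
    base = Path(tempfile.mkdtemp(prefix="sslvpn-lang-"))
    lang = base / "lang"
    lang.mkdir()
    (lang / "en.json").write_text('{"login": "Login"}\n')
    # benign alias that stays inside the served root
    (lang / "default.json").symlink_to(lang / "en.json")
    # the pattern to catch: a link that escapes to the root filesystem
    (lang / "cache").symlink_to("/")
    return base


def demo():
    """Build the sample tree, scan it, and clean up; returns the findings."""
    base = build_demo_tree()
    try:
        return find_escaping_symlinks(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for link, raw_target, resolved in demo():
        print(f"ESCAPING SYMLINK: {link} -> {raw_target} (resolves to {resolved})")
```

Only the link to `/` is reported; the internal alias `default.json` resolves inside the served root and is ignored. Run the scanner against a copy of any web-served directory to surface links that reach above it, then compare each finding against the expected content of that folder.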