CyberSecurity news

FlagThis - #fortinet

Krista Lyons@OpenVPN Blog //
References: Blog , OpenVPN Blog
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.

Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw which can lead to code execution, as opposed to a denial-of-service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device’s boot process, allowing attackers with prior access to maintain control even after firmware updates.

Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed versions of firmware, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. With both SonicWall and CISA confirming the CVE-2021-20035 exploit, details about the attacks remain scarce.

Recommended read:
References :
  • Blog: Threat actors using new technique to exploit 2023 FortiOS flaw
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN

@hackread.com //
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.

Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink.

Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging.

Recommended read:
References :
  • Cyber Security News: 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • systemweakness.com: Fortinet Warns of Persistent Access Exploit in FortiGate Devices
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • dashboard.shadowserver.org: Over 16,000 Fortinet devices compromised symlink backdoor
  • thehackernews.com: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • cyberpress.org: Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts
  • cybersecuritynews.com: Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN
  • hunt.io: KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
  • gbhackers.com: RedGolf Hackers Linked to Fortinet Zero-Day Exploits and Cyber Attack Tools
  • Talkback Resources: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • Cyber Security News: Analysis of the exposed infrastructure linking RedGolf to exploitation tools.
  • gbhackers.com: Security researchers have linked the notorious RedGolf hacking group to a wave of exploits targeting Fortinet firewall zero-days.
  • securityonline.info: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN
  • cyberpress.org: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • cyble.com: IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit
  • Cyber Security News: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • securityonline.info: In a rare window into the operations of an advanced persistent threat, a KeyPlug-linked infrastructure briefly went live,
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • fortiguard.fortinet.com: FG-IR-24-435

@www.bleepingcomputer.com //
Over 16,000 Fortinet devices have been compromised due to a novel symlink backdoor, allowing attackers to maintain read-only access to sensitive files. This was reported by The Shadowserver Foundation. The attackers are exploiting known vulnerabilities in FortiGate devices, specifically targeting the SSL-VPN language file directory. By creating a symbolic link between the user filesystem and the root filesystem, attackers can bypass security measures and access critical files even after patches are applied.

Researchers observed that threat actors are leveraging a new method to exploit previously patched vulnerabilities in Fortinet's FortiOS, specifically targeting FortiGate VPN appliances. The original flaw, CVE-2023-27997, had a fix issued, but threat actors can still gain access by manipulating symbolic links during the device's boot process. This enables threat actors with prior access to maintain control over the device, even after firmware updates. The issue stems from how FortiOS handles file permissions and symlinks when restarting, allowing malicious files to persist and re-enable vulnerabilities that were supposedly fixed.

Fortinet has responded by releasing several updates and new security measures to block further attacks. These measures include launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to detect and remove the symbolic link automatically. Multiple updates have been issued across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Organizations are urged to upgrade to the latest secure versions to mitigate the risk.

Recommended read:
References :
  • www.cybersecuritydive.com: Fortinet warns of threat activity against older vulnerabilities
  • thehackernews.com: The Hacker News article on Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • community.fortinet.com: Technical Tip : Recommended steps to execute in case of a compromise
  • BleepingComputer: Fortinet warns that threat actors use a post-exploitation technique
  • BleepingComputer: Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
  • Help Net Security: HelpNetSecurity: FortiOS, FortiGate vulnerabilities
  • bsky.app: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • www.helpnetsecurity.com: Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices
  • www.bleepingcomputer.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
  • bsky.app: Fortinet has urged customers to install a recent FortiGate firmware update that mitigates a new technique abused in the wild. The technique allows attackers to maintain read-only access to FortiGate devices they previously infected.
  • www.scworld.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • www.scworld.com: SCWorld brief on Fortinet FortiGate fixes circumvented by symlink exploit
  • The Register - Security: Old Fortinet flaws under attack with new method its patch didn't prevent
  • MSSP feed for Latest: Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
  • ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
  • ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access – Source:hackread.com
  • Blog: Threat actors have been observed leveraging a new method to exploit a previously patched vulnerability in Fortinet’s FortiOS operating system—specifically targeting FortiGate VPN appliances. Although Fortinet issued a fix for the original flaw (CVE-2023-27997), researchers found that threat actors can still gain access by manipulating symbolic links (symlinks) during the device’s boot process.
  • BleepingComputer: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
  • bsky.app: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • The DefendOps Diaries: Fortinet Devices Under Siege: Understanding the Symlink Backdoor Threat
  • www.cybersecuritydive.com: Over 14K Fortinet devices compromised via new attack method

Pierluigi Paganini@Security Affairs //
Fortinet has issued a critical security advisory addressing a high-severity vulnerability, CVE-2024-48887, affecting its FortiSwitch product line. The flaw, which scores a 9.3 on the CVSS scale, resides within the FortiSwitch GUI and presents an unverified password change vulnerability. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request, allowing them to modify administrator passwords without proper authorization. This could lead to complete system compromise and unauthorized access to sensitive network resources.

Fortinet has identified several affected FortiSwitch versions and strongly urges users to upgrade to the fixed versions immediately. The affected versions include FortiSwitch 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.10, and 6.4.0 through 6.4.14. Corresponding upgrade paths are available for each version, with specific target versions provided to remediate the vulnerability. The company credited Daniel Rozeboom of the FortiSwitch web UI development team for discovering and reporting the security flaw.

As immediate mitigation steps, Fortinet recommends disabling HTTP/HTTPS access from administrative interfaces and configuring trusted hosts to restrict network access to only authorized systems. These workarounds can help minimize the attack surface while users schedule and implement the necessary upgrades. While there is currently no evidence of active exploitation, given the severity and ease of exploitation, Fortinet emphasizes the importance of applying the patches as quickly as possible to prevent potential attacks.

Recommended read:
References :
  • fortiguard.fortinet.com: Fortinet PSIRT Advisory on FortiSwitch Unverified Password Change
  • securityonline.info: SecurityOnline Article on Fortinet's Critical Unverified Password Change Flaw in FortiSwitch
  • The Hacker News: The Hacker News Article on Fortinet Urges FortiSwitch Upgrades
  • gbhackers.com: Fortinet Warns of Multiple Vulnerabilities in FortiAnalyzer, FortiManager, & Other Products
  • securityonline.info: Fortinet: Critical Unverified Password Change Flaw in FortiSwitch
  • Cyber Security News: CyberSecurityNews on fortiswitch vulnerability.
  • Talkback Resources: Talkback description of Fortinet Critical Admin Password Change Flaw
  • Talkback Resources: Fortinet has issued security updates for a critical vulnerability in FortiSwitch allowing unauthorized password changes, with a CVSS score of 9.3, urging users to upgrade to specified versions or implement workarounds.
  • gbhackers.com: GbHackers article Fortinet Warns of Multiple Vulnerabilities in FortiAnalyzer, FortiManager, & Other Products
  • BleepingComputer: BleepingComputer article on FortiSwitch flaw.
  • securityaffairs.com: SecurityAffairs article on Critical Fortinet FortiSwitch flaw allows remote attackers to change admin passwords
  • The DefendOps Diaries: The Defend Ops Diaries Article Understanding the Critical FortiSwitch Vulnerability: CVE-2024-48887
  • Security Risk Advisors: Critical Unverified Admin Password Change in FortiSwitch Allows Remote Access Takeover
  • bsky.app: Fortinet has released security patches for a critical vulnerability in its FortiSwitch devices that can be exploited to change administrator passwords remotely.
  • Rescana: Urgent: Fortinet Products Affected by Severe Security Flaws
  • Vulnerable U: Critical Fortinet Flaw Allows Remote, Unauthenticated Admin Password Change
  • www.helpnetsecurity.com: Help Net Security on fortiswitch Vulnerability
  • research.kudelskisecurity.com: Fortinet FortiSwitch – Unverified Password Change Vulnerability (CVE-2024-48887)
  • research.kudelskisecurity.com: Fortinet FortiSwitch – Unverified Password Change Vulnerability (CVE-2024-48887)
  • Help Net Security: FortiSwitch vulnerability may give attackers control over vulnerable devices (CVE-2024-48887)
  • socradar.io: Critical Fortinet Vulnerability (CVE-2024-48887) Puts FortiSwitch Admin Credentials at Risk
  • aboutdfir.com: Critical Fortinet Vulnerability (CVE-2024-48887) Puts FortiSwitch Admin Credentials at Risk
  • aboutdfir.com: Critical Fortinet Vulnerability (CVE-2024-48887) Puts FortiSwitch Admin Credentials at Risk A newly disclosed critical vulnerability in Fortinet’s FortiSwitch product line is raising urgent security concerns.

Bill Toulas@BleepingComputer //
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin and create new administrator accounts, modifying automation tasks to ensure persistent access, even if initially removed.

The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and encrypt devices after the initial compromise, attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They utilize Windows Management Instrumentation (WMIC), SSH, and TACACS+/RADIUS authentication, which are protocols for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks.

Recommended read:
References :
  • The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
  • BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
  • Industrial Cyber: Researchers from Forescout Technologies‘ Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
  • The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
  • securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • : Researchers tracked the exploits back to late November/early December last year.
  • techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
  • Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
  • Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
  • gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
  • securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
  • cyble.com: CISA Alerts Users of CVE-2025-24472
  • securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
  • www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
  • : Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog
  • chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25

@PCWorld //
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.

The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder, names itself ageless[.]exe, and sets its attributes to hidden and creates “ageless.vbs” in the %Startup% folder.

Recommended read:
References :
  • CyberInsider: New Snake Keylogger Variant Launches 280 Million Attacks
  • hackread.com: New Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots
  • cyberinsider.com: New Snake Keylogger Variant Launches 280 Million Attacks
  • The Register - Software: Snake Keylogger slithers into Windows, evades detection with AutoIt-compiled payload
  • Talkback Resources: Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots [net] [mal]
  • The Hacker News: New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection
  • PCWorld: This high-risk keylogger malware is a growing threat to Windows users
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]
  • www.scworld.com: More advanced Snake Keylogger variant emerges
  • Talkback Resources: New Snake Keylogger infects Windows using AutoIt freeware [mal]

@securityonline.info //
Fortinet's FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan. This sophisticated malware, targeting Microsoft Windows users, has expanded its reach to include 1,030 websites and 73 financial institutions. The malware is distributed through malicious LNK files that execute PowerShell commands, initiating a multi-stage attack. The primary goal is to harvest sensitive data, including system details and lists of installed antivirus products.

The attack sequence begins with a LNK file executing a PowerShell command to retrieve a next-stage PowerShell script, launching the trojan. Once deployed, the trojan gathers system information and evades detection by security measures. Should a victim attempt to access a targeted site, the malware communicates with a command-and-control server, enabling actions like capturing screenshots or displaying phishing overlays to steal sensitive credentials, impacting financial cybersecurity.

Recommended read:
References :
  • gbhackers.com: FortiGuard Labs has issued a high-severity alert regarding the Coyote Banking Trojan, a sophisticated malware targeting Microsoft Windows users.
  • www.scworld.com: Updated Coyote malware facilitates more extensive compromise
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • The Hacker News: Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions
  • securityonline.info: SecurityOnline article about the multi-stage Coyote banking trojan targeting Brazil.
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil

@securityonline.info //
The Coyote Banking Trojan is actively targeting financial institutions and online banking users in Brazil, stealing data from over 70 financial applications and websites. Cybersecurity researchers at FortiGuard Labs have uncovered this stealthy and highly sophisticated banking trojan which leverages malicious LNK files and PowerShell scripts to infiltrate Windows systems, deploy payloads, and steal sensitive banking credentials. The attack begins with a weaponized LNK file that executes a hidden PowerShell command, connecting to a remote server and downloading additional malicious scripts, initiating the next stage of the attack.

The Trojan can keylog user activity, capture screenshots, display phishing overlays, and even manipulate browser windows to steal financial data. It collects system information such as the machine ID, MAC address, Windows version, and installed security software, sending these details to remote command-and-control servers. The final payload includes the main Coyote Banking Trojan, which expands its target list to over 1,000 websites and 73 financial agents. Accessing any of the targeted sites could trigger further malicious activity, enhancing the threat to financial cybersecurity.

Recommended read:
References :
  • gbhackers.com: Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files
  • securityaffairs.com: Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil
  • securityonline.info: Coyote Banking Trojan: A Multi-Stage Financial Cyber Threat Targeting Brazil