FlagThis - #fortios

Over 16,000 Fortinet devices have been compromised due to a novel symlink backdoor, allowing attackers to maintain read-only access to sensitive files. This was reported by The Shadowserver Foundation. The attackers are exploiting known vulnerabilities in FortiGate devices, specifically targeting the SSL-VPN language file directory. By creating a symbolic link between the user filesystem and the root filesystem, attackers can bypass security measures and access critical files even after patches are applied.

Researchers observed that threat actors are leveraging a new method to exploit previously patched vulnerabilities in Fortinet's FortiOS, specifically targeting FortiGate VPN appliances. The original flaw, CVE-2023-27997, had a fix issued, but threat actors can still gain access by manipulating symbolic links during the device's boot process. This enables threat actors with prior access to maintain control over the device, even after firmware updates. The issue stems from how FortiOS handles file permissions and symlinks when restarting, allowing malicious files to persist and re-enable vulnerabilities that were supposedly fixed.

Fortinet has responded by releasing several updates and new security measures to block further attacks. These measures include launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to detect and remove the symbolic link automatically. Multiple updates have been issued across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Organizations are urged to upgrade to the latest secure versions to mitigate the risk.


References :

• www.cybersecuritydive.com: Fortinet warns of threat activity against older vulnerabilities
• thehackernews.com: The Hacker News article on Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
• community.fortinet.com: Technical Tip : Recommended steps to execute in case of a compromise
• BleepingComputer: Fortinet warns that threat actors use a post-exploitation technique
• BleepingComputer: Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
• Help Net Security: HelpNetSecurity: FortiOS, FortiGate vulnerabilities
• bsky.app: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
• www.helpnetsecurity.com: Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices
• www.bleepingcomputer.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
• securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
• bsky.app: Fortinet has urged customers to install a recent FortiGate firmware update that mitigates a new technique abused in the wild. The technique allows attackers to maintain read-only access to FortiGate devices they previously infected.
• www.scworld.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
• securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
• hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
• www.scworld.com: SCWorld brief on Fortinet FortiGate fixes circumvented by symlink exploit
• The Register - Security: Old Fortinet flaws under attack with new method its patch didn't prevent
• MSSP feed for Latest: Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit
• hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
• securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
• ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
• securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
• ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access – Source:hackread.com
• Blog: Threat actors have been observed leveraging a new method to exploit a previously patched vulnerability in Fortinet’s FortiOS operating system—specifically targeting FortiGate VPN appliances. Although Fortinet issued a fix for the original flaw (CVE-2023-27997), researchers found that threat actors can still gain access by manipulating symbolic links (symlinks) during the device’s boot process.
• BleepingComputer: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
• bsky.app: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
• www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
• The DefendOps Diaries: Fortinet Devices Under Siege: Understanding the Symlink Backdoor Threat
• www.cybersecuritydive.com: Over 14K Fortinet devices compromised via new attack method

Classification:

• HashTags: #Fortinet #Symlink #Backdoor
• Company: Fortinet
• Target: Fortinet FortiGate devices
• Product: FortiOS
• Feature: SSL VPN
• Malware: Symlink Backdoor
• Type: Hack
• Severity: Major

A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin and create new administrator accounts, modifying automation tasks to ensure persistent access, even if initially removed.

The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and encrypt devices after the initial compromise, attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They utilize Windows Management Instrumentation (WMIC), SSH, and TACACS+/RADIUS authentication, which are protocols for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks.


References :

• The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
• BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
• Industrial Cyber: Researchers from Forescout Technologies‘ Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
• The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
• www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
• Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
• securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
• www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
• www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
• techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
• Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
• Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
• gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
• securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
• cyble.com: CISA Alerts Users of CVE-2025-24472
• securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
• www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
• : Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog
• chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25

Classification:

• HashTags: #SuperBlack #Ransomware #Fortinet
• Company: Fortinet
• Target: Fortinet Users
• Attacker: Mora_001
• Product: Fortinet
• Feature: authentication bypass
• Malware: SuperBlack
• Type: Ransomware
• Severity: Major