Published: 15 Apr 2025
Prepared by: Adam Skupien, Vulnerability Security Analyst
This bulletin highlights recent activity involving post-exploitation activity detected on Fortinet appliances previously vulnerable to certain vulnerabilities FortiOS.
Patches for these vulnerabilities have been available for some time however, these activities are part of post-exploitation efforts that involve maintaining unauthorised access to compromised systems even after patches have been applied. Organisations using Fortinet products are urged to verify patching status, investigate for compromise, and implement mitigation steps as outlined below.
On 11 April 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) issued alerts in coordination with Fortinet’s public security advisory. These alerts warn of ongoing malicious post-exploitation activities on affected systems and urge affected organisation to take action.
On April 10, Fortinet released a blog post disclosing that threat actors are conducting post-exploitation activity on Fortinet appliances vulnerable to previously disclosed and patched vulnerabilities including but not limited to the following:
While these vulnerabilities may have been patched, systems that were previously exposed may still harbor indicators of compromise. According to Fortinet’s analysis, attackers who exploited these products to gain unauthorised access, may have created symbolic links in the file system that allowed persistent read-only access to configuration files. This activity can survive patching and enable persistent access.
They have since been working with affected clients to ensure that steps are being taken to remediate this issue.
The following versions of FortiOS may be affected:
It should be noted, that if SSL-VPN has never been enabled on the system, it is not impacted by the issue.
The activity does not appear to be targeted to any specific region or sector, and is likely opportunistic in nature.
Post-exploitation techniques observed in affected Fortinet products can lead to:
persistent unauthorised access,
exposure of sensitive configuration data,
potential for lateral movement and further compromise of internal networks.
Organisations using the affected Fortinet products should take the following actions immediately:
Upgrade Fortinet appliances to the following fixed versions or later:
FortiOS: 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 (This upgrade will remove the malicious symbolic link and prevent further exploitation)
If immediate upgrading is not possible, consider temporarily disabling SSL-VPN functionality, as it is required for exploitation of the malicious file.
Audit file systems of Fortinet appliances for suspicious symbolic links or unknown modifications.
Reset credentials and certificates that may have been exposed or accessed.
Monitor logs and network activity for signs of continued access or lateral movement.
Fortinet has released detection logic and antivirus/IPS signatures to identify and remove the symbolic links created by threat actors. These signatures have been included in recent FortiGuard updates.
Additionally, system administrators should look for:
Unexpected symbolic links referencing configuration or credential files
Unauthorised access attempts or unusual authentication logs
Unusual outbound connections from Fortinet appliances
If evidence of malicious activity is found, Fortinet recommends performing a clean install. This recommendation was also made to clients identified through Fortinet’s telemetry as having been affected.
Triskele Labs SOC customers using our Monitor (24×7 SIEM) services are being actively assessed and monitored for indicators of compromise linked to Fortinet post-exploitation activity.