
Multiple FortiGate Models Affected by Backdoor

The Bottom Line: FortiGate devices with enabled SSL-VPN were compromised through three critical vulnerabilities. Attackers exploit these to install backdoors and gain read access to file systems. Up to 840 devices in Austria are affected. Fortinet has released patches and remediation measures.


On Friday, April 10, Fortinet published information about a global compromise of FortiGate devices that enabled attackers to gain permanent read access. The attackers apparently exploited three known vulnerabilities in the SSL-VPN function and placed a backdoor in the file system to sustain the unauthorized access.

FortiGate is a VPN solution for remote access to enterprise systems. Its legacy SSL-VPN function was affected by the critical vulnerabilities CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. Each of these security flaws enabled remote, unauthenticated attackers to execute code on the device.

Attackers exploited these vulnerabilities to compromise the system and then placed a symbolic link in a folder used to serve language files. Since these files can be accessed without authentication, anyone who knew the storage location gained read access to the file system, including the complete device configuration. The patches Fortinet had provided for the three vulnerabilities did not remove the symbolic link.
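The persistence mechanism described above is a symbolic link placed inside a directory that is served without authentication and that resolves to the rest of the file system. The following Python script, added here as an illustration and not code from CERT.at or Fortinet, shows the generic defender-side check for that class of problem: walk a served directory and report every symlink whose resolved target escapes that directory. The directory layout it builds is constructed for the demonstration (no FortiOS paths are on the page or in the code).

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink below served_root
    whose resolved target lies outside served_root.

    A directory that is served without authentication must not contain a link
    into the rest of the file system: such a link turns the unauthenticated
    path into a read primitive for whatever the link points at.
    """
    root = Path(served_root).resolve()
    findings: list[tuple[str, str]] = []
    # followlinks=False: linked directories are listed but never descended,
    # so a planted link cannot make the scan wander outside the tree.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # strict=False also yields a target for dangling links, which
            # are reported if they point outside the served tree.
            target = link.resolve(strict=False)
            if target != root and root not in target.parents:
                findings.append((str(link), str(target)))
    return findings


def build_demo_tree() -> str:
    """Constructed sample layout (hypothetical, not FortiOS): a served
    directory holding one legitimate link that stays inside the tree and one
    planted link to a private directory that contains a configuration file."""
    base = Path(tempfile.mkdtemp())
    served = base / "served"
    (served / "lang").mkdir(parents=True)
    (served / "lang" / "en.json").write_text("{}")
    private = base / "private"
    private.mkdir()
    (private / "device.conf").write_text("hostname=example\n")
    # Legitimate: relative link whose target remains inside the served tree.
    os.symlink("en.json", served / "lang" / "default.json")
    # Planted: link from the served tree to a directory outside it.
    os.symlink(private, served / "lang" / "x")
    return str(served)


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_demo_tree()):
        print(f"symlink escapes served root: {link} -> {target}")
```

Run against a real served directory, the scan reports only links that leave the tree; a link that resolves to a sibling file under the same root is not flagged. Resolving both sides with `Path.resolve()` matters, because the served root itself may sit behind a symlink (as `/tmp` does on some systems) and a naive string prefix comparison would then miss or misreport targets.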

The ShadowServer Foundation identified several thousand vulnerable devices worldwide. Based on internal analysis, up to 840 devices in Austria were affected at the peak. All FortiGate devices, physical or virtual, with the SSL-VPN function enabled are potentially at risk if they were ever vulnerable to any of the vulnerabilities mentioned. According to CERT.nz, the attacks may have already occurred in 2023.

CERT.at was informed of this incident early in the year by a third party and has closely monitored the situation in Austria since then. Since February, network operators have been actively informed.

Fortinet recommends forensically examining suspicious systems and initiating their defined security processes. The company has published remediation measures: AV/IPS signatures that detect the malicious symlink on devices with active IPS, and FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 that remove the symlink. Additionally, Fortinet has published guidelines for restoring compromised devices.


Source: www.cert.at
