Cybersecurity vendor Fortinet said threat actors have developed a new technique to maintain persistent access to vulnerable FortiGate devices, even after security patches have been applied.
Australia's Signals Directorate's cyber security centre (ACSC) has also issued an alert for the attacks.
The company disclosed that attackers exploited previously known vulnerabilities to create a symbolic link between user and root filesystems in folders used to serve SSL-VPN language files, allowing them to maintain read-only access to device configurations.
"During this investigation, a threat actor was observed using known vulnerabilities to gain access to Fortinet devices," the company's chief information security officer Carl Windsor said.
"This specific finding is the result of a threat actor taking advantage of a known vulnerability with a new technique to maintain read-only access to vulnerable FortiGate devices after the original access vector was locked down."
The company emphasised that only devices with SSL-VPN enabled were vulnerable to this attack method.
Based on their investigation, Fortinet determined the threat actor activity was not targeted to any specific region or industry.
In response, Fortinet has implemented multiple mitigation strategies, including releasing antivirus and intrusion prevention signatures to detect and remove the malicious symbolic link.
The company has also modified the SSL-VPN user interface in recent updates to prevent such links from being served.
"We have communicated directly with customers identified as impacted by this issue based on the available telemetry," Fortinet stated, recommending that affected customers upgrade to the latest FortiOS versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16), which will automatically remove the malicious symbolic link.
Fortinet advised all customers to treat their configurations as potentially compromised and follow the company's recommended recovery steps.
The company cited research showing threat actors exploit known vulnerabilities on average 4.76 days after public disclosure, highlighting the importance of regular security updates.
Fortinet has introduced additional security enhancements in recent releases, including compile-time hardening, virtual patching, firmware integrity validation, and auto-update features.
"It is critically important for all organisations to keep their devices up to date," Fortinet advised, urging customers to maintain strict patching regimens regardless of whether they've been identified as directly impacted by this specific issue.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
