Do Son 
Researchers have uncovered yet another large-scale cyberattack targeting FortiGate corporate VPN appliances—devices widely used by organizations to enable secure remote access to internal networks. The attackers employed an ingenious technique that allows them to clandestinely monitor data from compromised devices even after administrators have detected the breach and installed all recommended security updates.
The severity of the situation is underscored by an emergency advisory issued this week by Fortinet. The company dispatched confidential notifications to clients marked with the TLP:AMBER+STRICT classification, indicating that the information is strictly for a limited circle of cybersecurity professionals. Insights from FortiGuard monitoring tools revealed numerous confirmed compromises of customer devices.
In communications titled “Device Compromise Notification – FortiGate / FortiOS – Urgent Action Required”, Fortinet clarified that the threat does not stem from newly discovered vulnerabilities, but from lingering artifacts of past intrusions. Attackers had previously exploited known security flaws (CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762) to breach systems. It has now emerged that after gaining access, they implanted covert persistence mechanisms that survived even after patches were applied.
One of the core methods involved creating symbolic links within the folder used to store language packs for the VPN interface. These links surreptitiously pointed to the root filesystem of FortiGate devices running SSL-VPN services and resided in user-accessible directories typically overlooked by conventional security scans. This allowed attackers to access configuration files and other sensitive assets undetected.
The scope of the issue is significant. France’s national computer emergency response center, CERT-FR—part of the ANSSI—has reported a widespread campaign targeting domestic networks, dating back to early 2023. A substantial number of FortiGate deployments across the country have reportedly been affected.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged network defenders to report any related incidents or suspicious activity. Their 24/7 operations center accepts submissions via email at Report@cisa.gov or by phone.
To mitigate ongoing threats, Fortinet strongly advises all administrators to update firewall firmware to the latest FortiOS versions: 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16. These updates are designed to purge residual malicious files used by threat actors to maintain access. Administrators are also urged to audit device configurations for unauthorized changes. Fortinet has issued a detailed guide on resetting potentially compromised credentials.
Additional recommendations include isolating infected VPN appliances from the corporate network and performing a comprehensive reset of all sensitive assets—user accounts, certificates, authentication tokens, and cryptographic keys. Special attention should be paid to detecting signs of lateral movement, as attackers may have attempted to propagate deeper into the organization’s internal environment.
