Fortinet VPN appliances face active exploitation of multiple critical vulnerabilities by advanced threat actors using sophisticated evasion techniques. Despite patches, attackers maintain persistence through methods like symbolic link abuse, putting approximately 300,000 exposed devices at significant risk.
Breakdown
Recent reporting confirms a surge in exploitation activity targeting vulnerabilities in Fortinet’s FortiGate firewall and FortiClient VPN appliances, including an alleged zero-day exploit now being advertised on a dark web forum. These developments follow months of persistent interest by advanced threat actors in Fortinet products, with CVE-2024-55591, CVE-2024-21762, and CVE-2022-42475 now linked to active attacks that allow unauthorized remote access, privilege escalation, and configuration theft. Although no attribution has been confirmed for the latest campaign, prior activity by BrazenBamboo APT group was observed exploiting CVE-2024-47574, which demonstrates a continuing strategic focus on compromising VPN gateways for espionage and long-term persistence. Current evidence suggests attackers are leveraging post-patch evasion techniques to regain or maintain access on systems that have been updated, including legacy or misconfigured appliances where SSL-VPN is enabled. The exploitation appears indiscriminate in scope, impacting both the private sector and government users, and is being amplified by poor patch hygiene and high-value access pathways Fortinet devices represent across thousands of enterprise environments.
Parallel to these developments, a newly advertised zero-day exploit targeting FortiGate firewalls has allegedly surfaced on a dark web forum. Observed by ThreatMon in April 2025, the exploit allegedly enables unauthenticated remote code execution (RCE) and full configuration access to FortiOS—allowing attackers to retrieve encrypted credentials, firewall policies, 2FA settings, and administrative configurations without valid authentication. While Fortinet has not independently verified the zero-day’s functionality and existence, the exploit appears to leverage previously documented authentication bypass issues, particularly those tied to CVE-2022-40684 and CVE-2024-55591, which remain attractive to threat actors due to long patch cycles and persistent misconfigurations. This follows a series of incidents, including the Belsen Group’s public leak of 15,000 FortiGate configurations and earlier privilege escalation attacks targeting FortiProxy and FortiOS through crafted WebSocket and API requests. The re-emergence of unverified but plausible exploit paths across the Fortinet ecosystem underscores the attractiveness of these devices as strategic footholds for APT and cybercriminal operations alike.
In addition to these threat vectors, Fortinet has disclosed a novel post-exploitation technique involving symbolic link abuse to maintain access even after vulnerable systems were patched. Specifically, threat actors were found modifying the SSL-VPN language file directory by creating a symbolic link that connects user-controlled file paths with the system root directory—enabling read-only access to configuration files, session data, and certificates. This persistence technique survived firmware updates and even some factory resets, evading detection due to its placement in user-modifiable directories. Fortinet confirmed that systems with SSL-VPN functionality enabled were primarily affected and that this method had been deployed in active campaigns as far back as early 2023, according to incident responders from CERT-FR. CISA has also issued a formal advisory urging immediate patching and recommended disabling SSL-VPN functionality as a temporary mitigation due to the persistence mechanisms observed. Additionally, Fortinet issued multiple mitigations between February and April 2025, including antivirus/IPS signatures to flag malicious symlinks, SSL-VPN UI hardening, and guidance recommending full configuration audits and reset of credentials on potentially impacted systems.
These events highlight a maturing and persistent campaign ecosystem targeting Fortinet infrastructure, with multiple actors reusing known vulnerabilities, layering persistence techniques, and exploiting delayed patch adoption cycles. With over 300,000 FortiGate appliances estimated to be exposed globally, the scope of potential compromise is significant. BrazenBamboo’s demonstrated ability to pivot from endpoint exploitation (FortiClient) to perimeter devices (FortiGate) represents a full-spectrum intrusion capability with both espionage and disruption potential. Fortinet has responded with advisories, version-specific patches, and telemetry-based customer notifications, but many organizations remain at risk due to outdated firmware, unsecured administrative interfaces, or overlooked post-compromise artifacts. Continued exploitation of these attack surfaces signals a critical need for proactive patching, visibility into device integrity, and security controls tailored to counter sophisticated post-exploitation behaviors, including symbolic link abuse and memory-resident credential theft.
Vulnerabilities
|
CVE # |
Description |
|
CVE-2024-55591 Critical Severity |
An Authentication Bypass Using an
Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version
7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0
through 7.2.12 allows a remote attacker to gain super-admin privileges via
crafted requests to Node.js websocket module. |
|
CVE-2024-21762 Critical Severity |
An out-of-bounds write in Fortinet
FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through
7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17,
FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through
7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6,
1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands
via specifically crafted requests |
|
CVE-2023-27997 Critical Severity |
A heap-based buffer overflow
vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11
and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy
version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below,
version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote
attacker to execute arbitrary code or commands via specifically crafted
requests. |
|
CVE-2022-42475 Critical Severity |
A heap-based buffer overflow
vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through
7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and
FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote
unauthenticated attacker to execute arbitrary code or commands via
specifically crafted requests. |
|
CVE-2022-40684 Critical Severity |
An authentication bypass using an
alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through
7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0
through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an
unauthenticated atttacker to perform operations on the administrative
interface via specially crafted HTTP or HTTPS requests. |
|
CVE-2024-47574 High Severity |
An authentication bypass using an alternate path or
channel in Fortinet FortiClientWindows version 7.4.0, versions 7.2.4 through
7.2.0, versions 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0 allows low privilege
attacker to execute arbitrary code with high privilege via spoofed named pipe
messages. |
Recommendations
- Apply Latest Fortinet Firmware Updates: Ensure all FortiGate and FortiClient products are upgraded to the latest secure versions. For FortiOS, upgrade to 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16; for FortiClient, upgrade to version 7.4.1 or higher. This is critical to address CVE-2024-47574, CVE-2024-55591, and CVE-2025-24472.
- Disable and Audit SSL-VPN Functionality: Temporarily disable SSL-VPN services until systems are patched and perform a thorough audit of vpn/ssl directories to check for unauthorized symbolic links or tampered files that may enable post-compromise persistence.
- Restrict Administrative Interfaces by Access Control Lists (ACLs): Limit administrative access to FortiGate and FortiClient management interfaces (HTTP/HTTPS, SSH) by implementing explicit ACLs that only permit access from approved internal IPs or management subnets. Block all external access unless absolutely required and logged.
- Deploy Deep Packet Inspection for Berkeley Packet Filter (BPF) Evasion Techniques: Use next-generation firewalls or NDR tools with custom rules to detect abnormal packet patterns (e.g., reverse shell behavior over ICMP, UDP, or crafted TCP) that resemble stealthy post-exploitation frameworks like BPFDoor or DEEPDATA.
- Harden Local Named Pipe Permissions on Endpoints: Use Group Policy Objects or endpoint configuration baselines to monitor and restrict access to sensitive named pipes on Windows systems—especially those tied to FortiClient—to prevent abuse of spoofed named pipe messages for privilege escalation.
Hunter Insights
The exploitation activity demonstrates a high level of sophistication and strategic intent. Multiple vulnerabilities are being leveraged simultaneously, including critical authentication bypass issues (CVE-2024-55591, CVE-2022-40684) and heap-based buffer overflow vulnerabilities (CVE-2022-42475, CVE-2023-27997) that enable remote code execution.
The BrazenBamboo APT group's involvement, particularly with CVE-2024-47574, suggests nation-state level capabilities focused on long-term espionage operations. The techniques employed - particularly the symbolic link abuse for maintaining persistent access even after patching - indicate advanced post-exploitation tradecraft.
Based on the extensive Fortinet VPN exploitation data, we predict that within a few months, we'll see widespread targeting of the 300,000+ exposed FortiGate appliances, particularly those with delayed patch implementation. In the medium term (3-6 months), attackers will likely expand beyond direct device compromise to target Fortinet's supply chain and similar VPN products while developing enhanced forensic evasion techniques. Long-term implications include dormant persistent access mechanisms remaining undiscovered in high-value targets and evolution of these attack methodologies being applied across the broader network security ecosystem.
