04-16-2025, 10:42 AM
News Australian Businesses at Risk as Threat Actors Exploit Fortinet Vulnerabilities
<p><img width="1280" height="854" src="https://thecyberexpress.com/wp-content/uploads/Fortinet-Vulnerabilities.webp" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="Fortinet Vulnerabilities" decoding="async" srcset="https://thecyberexpress.com/wp-content/uploads/Fortinet-Vulnerabilities.webp 1280w, https://thecyberexpress.com/wp-content/u...0x200.webp 300w, https://thecyberexpress.com/wp-content/u...4x683.webp 1024w, https://thecyberexpress.com/wp-content/u...8x512.webp 768w, https://thecyberexpress.com/wp-content/u...0x400.webp 600w, https://thecyberexpress.com/wp-content/u...0x100.webp 150w, https://thecyberexpress.com/wp-content/u...0x500.webp 750w, https://thecyberexpress.com/wp-content/u...0x761.webp 1140w" sizes="(max-width: 1280px) 100vw, 1280px" title="Australian Businesses at Risk as Threat Actors Exploit Fortinet Vulnerabilities 15"></p>Australian organizations using Fortinet products are being urged to take immediate action following a new advisory highlighting the active exploitation of previously known vulnerabilities. The Australian Signals Directorate’s <a href="https://thecyberexpress.com/ivanti-vulnerability-cve-2025-22457-exploited/" target="_blank" rel="noopener">Australian Cyber Security Centre</a> (thanks’s ACSC) has issued this alert primarily for technical users within organizations across the private and public sectors.
Fortinet has observed malicious actors exploiting older, unpatched <a href="https://thecyberexpress.com/digital-threat-report-2024/" target="_blank" rel="noopener">vulnerabilities</a> to gain and maintain unauthorized access to Fortinet devices. While patches were released previously, many compromised devices were either not updated in time or were attacked before <a class="wpil_keyword_link" href="https://thecyberexpress.com/" title="security" data-wpil-keyword-link="linked" data-wpil-monitor-id="21789">security</a> fixes were applied.
<h3><strong>What Happened?</strong></h3>
<a href="https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/Exploitation-of-Existing-Fortinet-Vulnerabilities" target="_blank" rel="nofollow noopener">Fortinet’s latest findings</a> reveal a threat actor is actively targeting three known vulnerabilities:
<ul>
<li><strong>FG-IR-24-015:</strong> Out-of-bounds write <a class="wpil_keyword_link" href="https://thecyberexpress.com/firewall-daily/vulnerabilities/" title="vulnerability" data-wpil-keyword-link="linked" data-wpil-monitor-id="21785">vulnerability</a> in sslvpnd.</li>
<li><strong>FG-IR-23-097:</strong> Heap buffer overflow during SSL <a class="wpil_keyword_link" href="https://thecyberexpress.com/how-to-get-a-vpn/" title="VPN" data-wpil-keyword-link="linked" data-wpil-monitor-id="21788">VPN</a> pre-authentication.</li>
<li><strong>FG-IR-22-398:</strong> Heap-based buffer overflow in sslvpnd.</li>
</ul>
These issues affect the SSL VPN component in Fortinet’s FortiGate devices, which are commonly used by businesses for secure <a class="wpil_keyword_link" href="https://cyble.com/remote-access-trojan/" target="_blank" rel="noopener" title="remote access" data-wpil-keyword-link="linked" data-wpil-monitor-id="21787">remote access</a>.
Although <a href="https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity" target="_blank" rel="nofollow noopener">Fortinet</a> previously released patches addressing these vulnerabilities, a new technique has been revealed where attackers can retain read-only access to devices even after the original security holes have been patched. This access is achieved by inserting a symbolic link that connects the user and root filesystems through a folder used for serving language files in the SSL VPN.
The symbolic link avoids detection and allows the attacker to read potentially sensitive information such as device configurations.
Importantly, devices without SSL VPN enabled are not affected.
<h3><strong>Who Is Affected?</strong></h3>
<ul>
<li>Organizations that have not updated their <a href="https://thecyberexpress.com/vulnerable-fortinet-sonicwall-devices-exposed/" target="_blank" rel="noopener">Fortinet devices</a> to the latest versions.</li>
<li>Devices that were compromised before patching may still be at <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-are-risks-in-cybersecurity/" title="risk" data-wpil-keyword-link="linked" data-wpil-monitor-id="21781">risk</a> due to remnants of the attacker’s access method.</li>
<li>This threat is not region or industry-specific, and all sectors are encouraged to assess their environments.</li>
</ul>
<h3><strong>How Was It Discovered?</strong></h3>
Fortinet’s investigation—supported by internal monitoring and collaboration with third-party organizations—uncovered this post-exploitation technique. The discovery triggered the company’s Product Security <a class="wpil_keyword_link" href="https://cyble.com/knowledge-hub/what-is-incident-response/" target="_blank" rel="noopener" title="Incident Response" data-wpil-keyword-link="linked" data-wpil-monitor-id="21784">Incident Response</a> Team (PSIRT) to develop countermeasures and notify impacted customers.
This new approach by the attacker is a reminder that known <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-are-vulnerabilities/" title="vulnerabilities" data-wpil-keyword-link="linked" data-wpil-monitor-id="21783">vulnerabilities</a>, especially when unpatched, remain an attractive target. Fortinet emphasized that state-sponsored and financially motivated threat actors continue to scan and <a class="wpil_keyword_link" href="https://cyble.com/exploit/" target="_blank" rel="noopener" title="exploit" data-wpil-keyword-link="linked" data-wpil-monitor-id="21786">exploit</a> such vulnerabilities within days of their public disclosure.
<h3><strong>What Should You Do Now?</strong></h3>
The thanks’s ACSC strongly recommends the following:
<ol>
<li>Upgrade all Fortinet devices immediately to one of the following secure versions:
<ul>
<li>FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16</li>
</ul>
</li>
<li>Review all configurations on affected devices for signs of modification or compromise.</li>
<li>Investigate your environment for any suspicious behaviour or anomalies in device logs.</li>
</ol>
<h3><strong>What Has Fortinet Done?</strong></h3>
To help customers secure their environments and prevent further abuse of these vulnerabilities, Fortinet has taken multiple steps:
<ul>
<li>Released updated AV/IPS signatures to detect and remove the symbolic link.</li>
<li>Enhanced FortiOS versions to:
<ul>
<li>Detect and remove the symbolic link during updates.</li>
<li>Prevent SSL VPNs from serving malicious files.</li>
</ul>
</li>
<li>Provided direct communication and assistance to known impacted customers based on internal telemetry.</li>
</ul>
These <a href="https://thecyberexpress.com/major-it-vulnerabilities/" target="_blank" rel="noopener">mitigations</a> are automatically applied if customers have the AV/IPS engine enabled and licensed.
<h3><strong>Enhanced Security in New Releases</strong></h3>
Customers upgrading to the latest FortiOS versions will benefit from improved <a href="https://thecyberexpress.com/android-16-blocks-scammers/" target="_blank" rel="noopener">security features</a>, such as:
<ul>
<li>Virtual patching for interim protection before applying formal patches.</li>
<li>Firmware integrity validation at the BIOS level.</li>
<li>Filesystem integrity monitoring through Integrity Measurement Architecture (IMA).</li>
<li>Automatic updates, allowing devices to receive critical patches without manual intervention.</li>
<li>Features like Uninterrupted Cluster Upgrade, Auto-restore configurations, and Scheduled patch upgrades for a smoother upgrade process.</li>
</ul>
These enhancements are part of Fortinet’s broader commitment to <a href="https://thecyberexpress.com/8-cybersecurity-best-practices-in-2024/" target="_blank" rel="noopener">cybersecurity best practices</a> and responsible transparency.
<h3><strong>Why This Matters</strong></h3>
Fortinet’s alert emphasizes a vital principle in <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-cybersecurity/" title="cybersecurity" data-wpil-keyword-link="linked" data-wpil-monitor-id="21780">cybersecurity</a>: patching alone is not enough if devices are compromised before the fix is applied. Attackers are becoming more advanced, using stealthy techniques like symbolic links to maintain access under the radar.
The incident also highlights the shared responsibility in <a class="wpil_keyword_link" href="https://cyble.com/knowledge-hub/what-is-cybersecurity/" target="_blank" rel="noopener" title="cybersecurity" data-wpil-keyword-link="linked" data-wpil-monitor-id="21790">cybersecurity</a>:
<ul>
<li>Vendors must deliver secure products, disclose vulnerabilities responsibly, and support customers with quick fixes.</li>
<li>Customers must apply patches promptly and maintain strong <a class="wpil_keyword_link" href="https://thecyberexpress.com/cyber-news/" title="cyber" data-wpil-keyword-link="linked" data-wpil-monitor-id="21782">cyber</a> hygiene to defend against known and emerging threats.</li>
</ul>
With more than 40,000 vulnerabilities reported in 2024 alone (as per NIST <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-data/" title="data" data-wpil-keyword-link="linked" data-wpil-monitor-id="21779">data</a>), managing security updates has become an essential routine for all IT environments.
https://thecyberexpress.com/fortinet-urg...patch-now/
<p><img width="1280" height="854" src="https://thecyberexpress.com/wp-content/uploads/Fortinet-Vulnerabilities.webp" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="Fortinet Vulnerabilities" decoding="async" srcset="https://thecyberexpress.com/wp-content/uploads/Fortinet-Vulnerabilities.webp 1280w, https://thecyberexpress.com/wp-content/u...0x200.webp 300w, https://thecyberexpress.com/wp-content/u...4x683.webp 1024w, https://thecyberexpress.com/wp-content/u...8x512.webp 768w, https://thecyberexpress.com/wp-content/u...0x400.webp 600w, https://thecyberexpress.com/wp-content/u...0x100.webp 150w, https://thecyberexpress.com/wp-content/u...0x500.webp 750w, https://thecyberexpress.com/wp-content/u...0x761.webp 1140w" sizes="(max-width: 1280px) 100vw, 1280px" title="Australian Businesses at Risk as Threat Actors Exploit Fortinet Vulnerabilities 15"></p>Australian organizations using Fortinet products are being urged to take immediate action following a new advisory highlighting the active exploitation of previously known vulnerabilities. The Australian Signals Directorate’s <a href="https://thecyberexpress.com/ivanti-vulnerability-cve-2025-22457-exploited/" target="_blank" rel="noopener">Australian Cyber Security Centre</a> (thanks’s ACSC) has issued this alert primarily for technical users within organizations across the private and public sectors.
Fortinet has observed malicious actors exploiting older, unpatched <a href="https://thecyberexpress.com/digital-threat-report-2024/" target="_blank" rel="noopener">vulnerabilities</a> to gain and maintain unauthorized access to Fortinet devices. While patches were released previously, many compromised devices were either not updated in time or were attacked before <a class="wpil_keyword_link" href="https://thecyberexpress.com/" title="security" data-wpil-keyword-link="linked" data-wpil-monitor-id="21789">security</a> fixes were applied.
<h3><strong>What Happened?</strong></h3>
<a href="https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/Exploitation-of-Existing-Fortinet-Vulnerabilities" target="_blank" rel="nofollow noopener">Fortinet’s latest findings</a> reveal a threat actor is actively targeting three known vulnerabilities:
<ul>
<li><strong>FG-IR-24-015:</strong> Out-of-bounds write <a class="wpil_keyword_link" href="https://thecyberexpress.com/firewall-daily/vulnerabilities/" title="vulnerability" data-wpil-keyword-link="linked" data-wpil-monitor-id="21785">vulnerability</a> in sslvpnd.</li>
<li><strong>FG-IR-23-097:</strong> Heap buffer overflow during SSL <a class="wpil_keyword_link" href="https://thecyberexpress.com/how-to-get-a-vpn/" title="VPN" data-wpil-keyword-link="linked" data-wpil-monitor-id="21788">VPN</a> pre-authentication.</li>
<li><strong>FG-IR-22-398:</strong> Heap-based buffer overflow in sslvpnd.</li>
</ul>
These issues affect the SSL VPN component in Fortinet’s FortiGate devices, which are commonly used by businesses for secure <a class="wpil_keyword_link" href="https://cyble.com/remote-access-trojan/" target="_blank" rel="noopener" title="remote access" data-wpil-keyword-link="linked" data-wpil-monitor-id="21787">remote access</a>.
Although <a href="https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity" target="_blank" rel="nofollow noopener">Fortinet</a> previously released patches addressing these vulnerabilities, a new technique has been revealed where attackers can retain read-only access to devices even after the original security holes have been patched. This access is achieved by inserting a symbolic link that connects the user and root filesystems through a folder used for serving language files in the SSL VPN.
The symbolic link avoids detection and allows the attacker to read potentially sensitive information such as device configurations.
Importantly, devices without SSL VPN enabled are not affected.
<h3><strong>Who Is Affected?</strong></h3>
<ul>
<li>Organizations that have not updated their <a href="https://thecyberexpress.com/vulnerable-fortinet-sonicwall-devices-exposed/" target="_blank" rel="noopener">Fortinet devices</a> to the latest versions.</li>
<li>Devices that were compromised before patching may still be at <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-are-risks-in-cybersecurity/" title="risk" data-wpil-keyword-link="linked" data-wpil-monitor-id="21781">risk</a> due to remnants of the attacker’s access method.</li>
<li>This threat is not region or industry-specific, and all sectors are encouraged to assess their environments.</li>
</ul>
<h3><strong>How Was It Discovered?</strong></h3>
Fortinet’s investigation—supported by internal monitoring and collaboration with third-party organizations—uncovered this post-exploitation technique. The discovery triggered the company’s Product Security <a class="wpil_keyword_link" href="https://cyble.com/knowledge-hub/what-is-incident-response/" target="_blank" rel="noopener" title="Incident Response" data-wpil-keyword-link="linked" data-wpil-monitor-id="21784">Incident Response</a> Team (PSIRT) to develop countermeasures and notify impacted customers.
This new approach by the attacker is a reminder that known <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-are-vulnerabilities/" title="vulnerabilities" data-wpil-keyword-link="linked" data-wpil-monitor-id="21783">vulnerabilities</a>, especially when unpatched, remain an attractive target. Fortinet emphasized that state-sponsored and financially motivated threat actors continue to scan and <a class="wpil_keyword_link" href="https://cyble.com/exploit/" target="_blank" rel="noopener" title="exploit" data-wpil-keyword-link="linked" data-wpil-monitor-id="21786">exploit</a> such vulnerabilities within days of their public disclosure.
<h3><strong>What Should You Do Now?</strong></h3>
The thanks’s ACSC strongly recommends the following:
<ol>
<li>Upgrade all Fortinet devices immediately to one of the following secure versions:
<ul>
<li>FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16</li>
</ul>
</li>
<li>Review all configurations on affected devices for signs of modification or compromise.</li>
<li>Investigate your environment for any suspicious behaviour or anomalies in device logs.</li>
</ol>
<h3><strong>What Has Fortinet Done?</strong></h3>
To help customers secure their environments and prevent further abuse of these vulnerabilities, Fortinet has taken multiple steps:
<ul>
<li>Released updated AV/IPS signatures to detect and remove the symbolic link.</li>
<li>Enhanced FortiOS versions to:
<ul>
<li>Detect and remove the symbolic link during updates.</li>
<li>Prevent SSL VPNs from serving malicious files.</li>
</ul>
</li>
<li>Provided direct communication and assistance to known impacted customers based on internal telemetry.</li>
</ul>
These <a href="https://thecyberexpress.com/major-it-vulnerabilities/" target="_blank" rel="noopener">mitigations</a> are automatically applied if customers have the AV/IPS engine enabled and licensed.
<h3><strong>Enhanced Security in New Releases</strong></h3>
Customers upgrading to the latest FortiOS versions will benefit from improved <a href="https://thecyberexpress.com/android-16-blocks-scammers/" target="_blank" rel="noopener">security features</a>, such as:
<ul>
<li>Virtual patching for interim protection before applying formal patches.</li>
<li>Firmware integrity validation at the BIOS level.</li>
<li>Filesystem integrity monitoring through Integrity Measurement Architecture (IMA).</li>
<li>Automatic updates, allowing devices to receive critical patches without manual intervention.</li>
<li>Features like Uninterrupted Cluster Upgrade, Auto-restore configurations, and Scheduled patch upgrades for a smoother upgrade process.</li>
</ul>
These enhancements are part of Fortinet’s broader commitment to <a href="https://thecyberexpress.com/8-cybersecurity-best-practices-in-2024/" target="_blank" rel="noopener">cybersecurity best practices</a> and responsible transparency.
<h3><strong>Why This Matters</strong></h3>
Fortinet’s alert emphasizes a vital principle in <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-cybersecurity/" title="cybersecurity" data-wpil-keyword-link="linked" data-wpil-monitor-id="21780">cybersecurity</a>: patching alone is not enough if devices are compromised before the fix is applied. Attackers are becoming more advanced, using stealthy techniques like symbolic links to maintain access under the radar.
The incident also highlights the shared responsibility in <a class="wpil_keyword_link" href="https://cyble.com/knowledge-hub/what-is-cybersecurity/" target="_blank" rel="noopener" title="cybersecurity" data-wpil-keyword-link="linked" data-wpil-monitor-id="21790">cybersecurity</a>:
<ul>
<li>Vendors must deliver secure products, disclose vulnerabilities responsibly, and support customers with quick fixes.</li>
<li>Customers must apply patches promptly and maintain strong <a class="wpil_keyword_link" href="https://thecyberexpress.com/cyber-news/" title="cyber" data-wpil-keyword-link="linked" data-wpil-monitor-id="21782">cyber</a> hygiene to defend against known and emerging threats.</li>
</ul>
With more than 40,000 vulnerabilities reported in 2024 alone (as per NIST <a class="wpil_keyword_link" href="https://thecyberexpress.com/what-is-data/" title="data" data-wpil-keyword-link="linked" data-wpil-monitor-id="21779">data</a>), managing security updates has become an essential routine for all IT environments.
https://thecyberexpress.com/fortinet-urg...patch-now/