Summary

The National Cyber Coordination and Command Centre (NC4) has observed an active and sophisticated post-exploitation campaigns targeting Fortinet FortiOS appliances in Malaysia. This threat involves the use of symbolic link abuse within the SSL-VPN component, allowing adversaries to maintain persistent, unauthorised access to devices even after the exploitation of known vulnerabilities has been remediated. This technique has been verified through threat intelligence provided by Fortinet and the Shadowserver Foundation.

This post-exploitation technique enables threat actors to:

• Retain persistent, unauthorised read-only access to internal configuration files on FortiOS devices
• Access sensitive data including VPN credentials, administrative configurations, and network topology
• Evade traditional detection methods, remaining hidden even after systems are patched
• Enable follow-on actions, including lateral movement, targeted data exfiltration, and further compromise of internal systems

NC4 assesses this activity as a critical threat to national cybersecurity, with the potential for significant data exposure, infrastructure compromise, and operational disruption. This activity represents an escalation in adversarial capabilities and necessitates both technical intervention and strategic planning at the national and organisational level.

Technical Details

Initial access is gained through previously disclosed FortiOS vulnerabilities:

• CVE-2022-40684: Authentication bypass
• CVE-2023-27997: Heap-based buffer overflow in SSL-VPN
• CVE-2024-23113: Improper access control via VPN language file manipulation

Following exploitation, adversaries create symbolic links within directories. These links allow the FortiOS SSL-VPN service to expose internal filesystem contents to unauthenticated external requests.

This symbolic link-based persistence remains effective post-patch, as it resides within the file structure and is not automatically removed by updates. The attack is effective only if SSL-VPN is enabled.

FortiOS appliances running any of the following versions with SSL-VPN enabled and previously vulnerable to the above CVEs:

• 6.4.0 to 6.4.15
• 7.0.0 to 7.0.16
• 7.2.0 to 7.2.10
• 7.4.0 to 7.4.6
• 7.6.0

Remediated in:

• 6.4.16, 7.0.17, 7.2.11, 7.4.7, 7.6.2

Indicator of Compromise

System administrators are advised to check FortiOS devices for the following indicators:

• Presence of symbolic links connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN
• Unexpected web-based access to internal files via the SSL-VPN portal
• Configuration downloads or admin-level access from anomalous IPs or geolocations
• Historical presence of CVE-2022-40684, CVE-2023-27997, or CVE-2024-23113 in unpatched state

Mitre ATTACK And Techniques

The observed techniques align with the following MITRE ATT&CK framework elements:

Mitigations

A. Immediate Technical Remediation

1. Patch Affected Devices

   • Upgrade to the latest secure versions listed above.

   • Confirm firmware integrity and successful deployment post-upgrade.

2. Inspect for Persistence Mechanisms

   • Manually audit root file system and related folders for symbolic links.

   • Remove any unauthorized symbolic links or custom language files.

   • Reboot devices post-removal to clear memory-resident persistence.

3. Disable SSL-VPN (Where Feasible)

   • If operationally acceptable, disable the SSL-VPN service during investigation.

4. Rotate Credentials and Keys

   • Admin accounts, VPN user credentials, session tokens, and certificates must be rotated.

   • Consider regenerating shared keys and pre-shared IPsec credentials.

5. Rebuild Devices from Clean Firmware (If Compromised)

   • Avoid restoring backups made after compromise.

   • Deploy fresh firmware and reconfigure settings manually where feasible.

6. Enhance Logging and Monitoring

   • Enable verbose SSL-VPN logging.

   • Monitor for unauthorized downloads, file access, or unusual traffic patterns.

   • Establish alerting for file system anomalies and link creation attempts.

B. Strategic Organisational Measures

1. Conduct a Comprehensive Risk Assessment

   • Inventory all Fortinet appliances.

   • Flag systems exposed during vulnerability windows with active SSL-VPN.

2. Assume Configuration Leakage

   • Treat all sensitive information stored or processed on affected devices as potentially exposed and follow the recommended steps inside Technical Tip in the reference below to recover.

3. Isolate High-Risk Systems

   • Segment and monitor FortiGate appliances until integrity is confirmed.

4. Review Access and Trust Relationships

   • Evaluate any VPN peers, static tunnels, or integrations using shared secrets or keys.

5. Update Incident Response Playbooks

   • Ensure current response plans include steps for symbolic link abuse and file system compromise.

6. Engage with NC4

   • Report incidents or findings to NC4 via official channels to support national-level coordination and threat sharing.

Validate Security Controls

System owners and cyber security teams are encouraged to validate existing defensive controls by:

• Testing File Integrity Monitoring (FIM) for detection of symbolic link creation

• Reviewing VPN portal access logs and SSL-VPN web requests

• Confirming vulnerability scans identify outdated firmware

• Simulating attack steps using red team exercises or Atomic Red Team test cases

• Ensuring SIEM/EDR solutions have appropriate rules for link detection, abnormal file reads, and unexpected config downloads

Reporting

If you are a Malaysian NCII entities affected by this activity, please report any indicators or incidents to NC4 as per required under Act 854.

References

Fortinet PSIRT:   https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity

CISA Alert:   https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities

ACSC Advisory:   https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/Exploitation-of-Existing-Fortinet-Vulnerabilities

CERT NZ:   https://www.cert.govt.nz/advisories/malicious-activity-due-to-previously-exploited-vulnerabilities-in-fortinet-fortios-products/

Shadowserver:   https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/

Technical Tip: Recommended steps to execute in case of a compromised host   https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-steps-to-execute-in-case-of-a/ta-p/230694

Acknowledgments

NC4 acknowledges the collaborative contributions from the following organisations in supporting this advisory:

• Fortinet PSIRT, for responsible disclosure and technical documentation

• CISA, Australian Cyber Security Centre (ACSC) and CERT NZ for the initial public alert and coordination of threat information.

• The Shadowserver Foundation, for infrastructure monitoring and exposure analysis.