Fortinet is facing fresh concerns just as it warns users about ongoing attacks on its FortiOS and FortiProxy systems. Over the weekend, a new claim surfaced on a dark web forum. A threat actor is allegedly selling a zero-day exploit that targets FortiGate firewalls.
The exploit reportedly allows remote, unauthenticated access. If true, it could give full control of affected devices to attackers. This includes access to FortiOS configuration files, admin credentials, firewall rules, two-factor authentication settings, and more.
Cybersecurity firm ThreatMon flagged the post on social media. This alleged zero-day appeared around the same time Fortinet issued a new advisory. It warned that attackers are still exploiting older but patched vulnerabilities—CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762—to maintain persistent access.
According to Fortinet, these attackers are targeting systems with SSL-VPN enabled. They create a symbolic link between the user and root filesystems inside a folder used for language files. This allows them to stay hidden and keep access, even after patches have been applied.
To combat this, Fortinet has rolled out new detection methods. These include antivirus and IPS signatures, updated software versions, and direct communication with affected users. The fixes remove the malicious link and restore system integrity.
Administrators are strongly urged to update their firewalls immediately. Fortinet and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommend upgrading to FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16.
Acting now helps prevent future breaches and secures networks from potential exploitation.
