Security Intelligence
Loading table of contents...
Loading table of contents...
Threat actors have been observed leveraging a new method to exploit a previously patched vulnerability in Fortinet’s FortiOS operating system—specifically targeting FortiGate VPN appliances. Although Fortinet issued a fix for the original flaw (CVE-2023-27997), researchers found that threat actors can still gain access by manipulating symbolic links (symlinks) during the device’s boot process.
This technique enables threat actors with prior access to maintain control over the device, even after firmware updates. The issue stems from how FortiOS handles file permissions and symlinks when restarting, allowing malicious files to persist and re-enable vulnerabilities that were supposedly fixed.
Stay on top of emerging threats.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
Security researchers have demonstrated how attackers can plant symlinks in writable directories, tricking the system into restoring unauthorized files after a reboot. This effectively allows threat actors to “resurrect” previously patched vulnerabilities—making it easier to maintain persistence and undermine remediation efforts.
While this technique doesn’t provide initial access on its own, it highlights a significant weakness in the post-exploitation phase. Organizations that believe they’ve fully patched compromised devices may unknowingly leave a backdoor open.
Fortinet recommends performing a complete firmware reinstallation from trusted images and verifying file system integrity to ensure systems are fully clean.
Source: Bleeping Computer
Analysis
CVE-2023-27997 is a severe pre-authentication remote code execution (RCE) vulnerability in FortiOS SSL-VPN that was actively exploited in the wild prior to Fortinet’s patch release in mid-2023.
The flaw allowed attackers to execute arbitrary code on vulnerable devices without needing valid credentials, and was leveraged in real-world attacks targeting government entities, service providers, and large enterprises.
The new symlink-based technique to exploit CVE-2023-27997 is significant because it defies the assumption that patching a vulnerability fully removes the risk. Even if an organization applied the patch, a threat actor who had already compromised the device could quietly retain their access or reintroduce the vulnerability using this method.
Additionally, the new technique relies on manipulating file paths during boot via symlinks in directories that are typically overlooked, making it stealthy and easy to miss in routine checks.
Finally, devices that run FortiOS are often deployed in perimeter roles and usually don’t have endpoint detection agents installed on them, making it difficult to detect when they have been compromised.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in devices and software, including those developed by Fortinet. Field Effect MDR users are automatically notified if a vulnerable version of Fortinet software or device is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that impacted users perform a firmware reinstallation in accordance with Fortinet’s advisory.
In addition to performing a clean firmware installation, organizations that believe they've previously been compromised due to the exploitation of CVE-2023-27997 should conduct a full forensic review of the affected device’s file system, paying particular attention to writable directories and any unexpected symlinks or modified binaries. Implementing strict file integrity monitoring can help detect unauthorized changes that may persist across reboots.
It's also critical to audit VPN access logs and system events for signs of lateral movement or ongoing attacker activity. Where possible, defenders should isolate potentially compromised devices from the broader network and revalidate all administrative credentials, particularly those used to manage appliances.
