West Houston, TX – April 15, 2025 — Impress IT Solutions is issuing a critical advisory to all businesses in the West Houston area utilizing Fortinet FortiGate firewalls, following new revelations that attackers may retain access even after known vulnerabilities are patched.

Even where updates for past Fortinet flaws (CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762) have been applied, threat actors have found a way to maintain read-only access to FortiGate devices by exploiting a symbolic link (symlink) vulnerability via the SSL-VPN feature.

“This is a wake-up call for organizations that believe patching alone guarantees security,” said a cybersecurity expert from Impress IT Solutions. “In this case, attackers left behind persistent artifacts that continued to expose device configurations even after patches were applied.”

The vulnerability centers around symbolic links created between user and root file systems, specifically in directories used for FortiGate’s SSL-VPN language files. These symlinks gave hackers continued access to sensitive file structures, such as configuration files—even post-patch.

Who’s Affected?

  • Only organizations that had SSL-VPN enabled are at risk.
  • Fortinet has not attributed the campaign to a specific threat actor or region.
  • Businesses affected were notified directly, but others may still be unknowingly vulnerable.

Updated FortiOS Versions Provide Mitigation:

Fortinet has released several updates to combat the threat:

  • FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16 – Symlinks are now flagged and automatically removed, and UI changes prevent future symlink abuse.

Impress IT Solutions strongly urges clients to:

  • Upgrade FortiGate devices to the latest FortiOS versions
  • Review all configurations
  • Treat existing device settings as potentially compromised
  • Reset any exposed credentials
  • Consider temporarily disabling SSL-VPN until full remediation is confirmed
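
The steps above can be applied across a fleet with a short triage script. The Python below is an added example, not code from Impress IT Solutions or Fortinet: it compares each device's FortiOS version against the fixed releases listed in this advisory and keeps the configuration review and credential reset for any device that had SSL-VPN enabled, even if it is already patched. The inventory rows, hostnames, and field names are constructed for illustration, and branches the advisory does not list are reported as unknown rather than guessed.

```python
# Added example: triage a FortiGate inventory against the fixed FortiOS
# releases listed in this advisory. Inventory rows are constructed samples.
import re

# First fixed release per branch, as listed in the advisory above.
FIXED = {(7, 6): 2, (7, 4): 7, (7, 2): 11, (7, 0): 17, (6, 4): 16}

def parse_version(text):
    """Parse 'v7.4.3', '7.4.3' or 'FortiOS 7.4.3' into (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in m.groups())

def has_symlink_fix(version):
    """True/False for branches the advisory lists, None for any other branch."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return None
    # Compare as integers so that 7.2.9 sorts below 7.2.11.
    return patch >= fixed_patch

def triage(device):
    """Return the list of actions for one inventory row (a dict)."""
    actions = []
    fixed = has_symlink_fix(device["version"])
    if fixed is None:
        actions.append("branch not listed: check the vendor advisory")
    elif not fixed:
        actions.append("upgrade FortiOS")
    # Patching does not undo past exposure: per the advisory, devices that had
    # SSL-VPN enabled are the ones at risk, so their settings need review.
    if device["sslvpn_ever_enabled"]:
        actions.append("review configuration")
        actions.append("reset credentials")
    return actions

# Constructed sample inventory (hostnames and field names are hypothetical).
INVENTORY = [
    {"host": "fw-branch-01", "version": "v7.4.3", "sslvpn_ever_enabled": True},
    {"host": "fw-hq-01", "version": "7.2.11", "sslvpn_ever_enabled": True},
    {"host": "fw-lab-01", "version": "7.0.12", "sslvpn_ever_enabled": False},
    {"host": "fw-old-01", "version": "6.2.15", "sslvpn_ever_enabled": False},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["host"], dev["version"], "->", "; ".join(triage(dev)) or "no action")
```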

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and France’s CERT-FR have issued warnings, confirming that compromises may date as far back as early 2023. Additionally, security researchers have raised concerns about attackers deploying backdoors designed to survive even factory resets.

“We’re seeing a new level of persistence,” said Benjamin Harris, CEO of watchTowr. “Attackers know organizations depend on patching and resets—so they’re building exploits that outlast those efforts.”


Impress IT Solutions provides:

  • FortiGate security audits
  • Firewall hardening and configuration cleanup
  • Advanced threat detection
  • Backup and recovery support

🔐 Don’t Wait for a Breach

If your company uses FortiGate devices—or if you’re unsure of your current exposure—schedule a vulnerability assessment with Impress IT Solutions today. West Houston businesses trust us to keep their firewalls, endpoints, and users secure from evolving threats.
