FortiOS SSL-VPN Patch Bypass Vulnerability Disclosed by Fortinet
Fortinet disclosed a vulnerability in FortiOS SSL-VPN that allows attackers to bypass a patch for a symbolic link persistence mechanism via crafted HTTP requests.
Fortinet has disclosed a new vulnerability, tracked as FG-IR-25-934, affecting FortiOS SSL-VPN that could allow a remote unauthenticated attacker to bypass a patch for a symbolic link persistence mechanism. The vulnerability, rated CVSS 5.3, is classified as an exposure of sensitive information to an unauthorized actor (CWE-200).
The issue arises from a symbolic link persistency mechanism observed in some post-exploit cases. An attacker who has already compromised a FortiGate device at the filesystem level via another vulnerability can exploit this flaw to bypass the existing patch and gain unauthorized access to sensitive information. The attack is carried out through crafted HTTP requests targeting the SSL-VPN component.
Fortinet has released patches for multiple affected versions. FortiOS 7.6.0 through 7.6.1 should be upgraded to 7.6.2 or above, and FortiOS 7.4.0 through 7.4.6 should be upgraded to 7.4.7 or above. For FortiOS 7.2 and 7.0, all versions are affected, and users must migrate to a fixed release. Similarly, FortiOS 6.4 all versions require migration. Products that never had SSL-VPN enabled are not impacted.
A virtual patch named 'FG-VD-60389.0day' is available in the FortiManager Web Panel (FMWP) database update 26.033. Fortinet also acknowledged Peter Gabaldon from ITRESIT for reporting the vulnerability under responsible disclosure.
This vulnerability highlights the importance of defense-in-depth, as it can only be exploited after an initial compromise. Organizations running FortiGate devices with SSL-VPN enabled should prioritize patching and ensure that no other vulnerabilities are left unaddressed.