12:11pm, 11 April 2025
Malicious activity due to previously exploited vulnerabilities in Fortinet FortiOS products
The NCSC would like to draw your attention to new information about previous exploitation of three vulnerabilities in Fortinet FortiOS products: CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762.
Widespread exploitation has been identified dating back to at least 2023. A threat actor compromised vulnerable devices and maintained persistence even after patches were applied, so upgrading alone did not remove the foothold. The compromise may have allowed the actor to read sensitive files from affected devices, including credentials and key material.
What's happening
Systems affected
FortiOS devices that had SSL-VPN functionality exposed at any point during the exploitation window (exploitation dates back to at least 2023), whether or not they have since been patched.
What this means
A threat actor has been able to compromise vulnerable devices and maintain persistence even after patches were applied. The compromise may have allowed the actor to read sensitive files from affected devices, including credentials and key material.
What to look for
How to tell if you're at risk
You are at risk if you run FortiOS devices that had SSL-VPN functionality exposed at any point since 2023. Because the persistence survived patching, a device that has since been upgraded is still at risk if SSL-VPN was exposed while it was vulnerable.
What to do
Prevention
Upgrade all devices to FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17 or 6.4.16, whichever is the fixed release for the branch you run. Upgrading alone does not remove an existing foothold.
Review the configuration of all devices.
Treat all configuration as potentially compromised and follow the recovery steps in Fortinet's technical tip: Technical Tip: Recommended steps to execute in cas... - Fortinet Community
In addition to this, refer to the vendor advisory for further information about the exploitation: Analysis of Threat Actor Activity | Fortinet Blog.
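To turn the steps above into a repeatable check across a fleet, the following is an added example (not code from the NCSC page or from Fortinet) that triages an inventory of FortiGate devices: it parses the FortiOS version string, compares it against the fixed release for that branch, and, independently of patch state, flags any device whose SSL-VPN was exposed as needing the full recovery procedure, because the advisory notes persistence survives patching. The inventory rows, device names and version strings are constructed sample data; the `sslvpn_exposed` field is an assumed attribute you would populate from your own records of internet-facing SSL-VPN listeners.

```python
import re
from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (7, 6): (7, 6, 2),
    (7, 4): (7, 4, 7),
    (7, 2): (7, 2, 11),
    (7, 0): (7, 0, 17),
    (6, 4): (6, 4, 16),
}

# Accepts both the bare form "7.2.8" and the CLI form "v7.2.8,build1639".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for a FortiOS version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the version is at or above the fixed release of its branch.

    Branches not named in the advisory (for example 6.2) return False:
    they need manual review rather than being assumed safe.
    """
    fixed = FIXED_VERSIONS.get((version[0], version[1]))
    if fixed is None:
        return False
    return version >= fixed  # tuple comparison is lexicographic


@dataclass
class Device:
    name: str
    version: str
    sslvpn_exposed: bool  # assumed field: SSL-VPN internet-reachable at any point since 2023


def triage(device):
    """Return the list of actions the advisory implies for one device."""
    ver = parse_version(device.version)
    branch = (ver[0], ver[1])
    actions = []
    if branch not in FIXED_VERSIONS:
        actions.append("branch not covered by advisory: confirm support status and migrate")
    elif not is_patched(ver):
        fixed = ".".join(str(n) for n in FIXED_VERSIONS[branch])
        actions.append(f"upgrade to {fixed} or later")
    # Patch state does not clear this: persistence survived patching.
    if device.sslvpn_exposed:
        actions.append("treat configuration as compromised: follow vendor recovery steps, "
                       "rotate credentials and key material")
    if not actions:
        actions.append("no action: patched and SSL-VPN never exposed")
    return actions


def triage_inventory(devices):
    """Map device name to its action list for a whole inventory."""
    return {d.name: triage(d) for d in devices}


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("fw-edge-01", "v7.2.8,build1639", True),   # unpatched and exposed
    Device("fw-edge-02", "v7.4.7,build2731", True),   # patched but was exposed
    Device("fw-lab-01", "7.0.17", False),             # patched, never exposed
    Device("fw-old-01", "6.2.16", False),             # branch not in advisory
]

if __name__ == "__main__":
    for name, actions in triage_inventory(INVENTORY).items():
        print(name)
        for a in actions:
            print("  -", a)
```

The key design choice is that `sslvpn_exposed` drives the "treat as compromised" action on its own: a device on 7.4.7 still gets sent through the recovery procedure if its SSL-VPN was ever reachable while vulnerable, which is exactly the case the advisory is warning about.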
More information
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ
For media enquiries, email our media desk at media@ncsc.govt.nz.