In this week’s TL;DR we’re focusing on stories about remote working security: Fortinet’s warning about a post-patch persistence technique in its FortiGate firewalls, whose SSL-VPN feature is widely used as a remote access solution, and a recent study from a cyber insurer on the actual risk level of remote access solutions.

FortiGate vulnerabilities post-patch

Fortinet has issued a critical warning regarding a persistent threat affecting FortiGate firewalls, even after organizations have applied patches for known vulnerabilities. Attackers are exploiting a symlink (symbolic link) technique within the SSL-VPN feature to maintain unauthorized, read-only access to compromised devices.

The attackers initially gain access through previously disclosed and patched SSL-VPN vulnerabilities such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. Once inside, they create a symbolic link, in a directory used to serve language files for the SSL-VPN web interface, that connects the user file system to the root file system. Because the web server follows that link, requests to the language-file directory can read files elsewhere on the device, including its configuration. The symlink survives the patching of the original vulnerabilities, so the attackers keep their access without further exploitation.

This method is particularly insidious because the modification lives in the user file system, which a firmware update does not rewrite, so the planted link is not removed by patching and is easy to miss during a standard update cycle. The retained access is read-only, but it still poses significant risk: configuration files, which can contain credentials and network details, are exactly what an attacker wants for reconnaissance and for planning the next intrusion.

Fortinet emphasizes that patching alone is insufficient to remediate this activity. Organizations should run a forensic review of their FortiGate devices: identify and remove any unauthorized symlinks or other residual artifacts left by attackers, and, because configuration files may already have been read, treat stored credentials as exposed and rotate them.
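The mechanism and the forensic check above are easiest to see in a small reproduction. The following is an added example, not Fortinet code, and it does not use the real FortiOS directory layout (which the advisory does not spell out): it builds a constructed web root with a language-file directory, plants a symlink from that directory to a constructed fake root file system, and shows how a naive static-file resolver follows the link out of the web root while a hardened one refuses to, plus a scan that finds such escaping symlinks. All paths and file contents are made up for the demonstration.

```python
import os
import tempfile
from typing import List, Optional, Tuple


def resolve_naive(web_root: str, request_path: str) -> Optional[str]:
    """Vulnerable resolver: joins the request onto the web root and follows
    any symlink it meets, so a link to '/' exposes the whole file system."""
    candidate = os.path.join(web_root, request_path.lstrip("/"))
    return candidate if os.path.isfile(candidate) else None


def resolve_hardened(web_root: str, request_path: str) -> Optional[str]:
    """Hardened resolver: canonicalise both sides and refuse anything whose
    real location is outside the web root, symlink or not."""
    root_real = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(web_root, request_path.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None  # resolved path escaped the served directory
    return candidate if os.path.isfile(candidate) else None


def find_escaping_symlinks(web_root: str) -> List[Tuple[str, str]]:
    """Forensic check: every symlink under web_root whose target resolves
    outside web_root. os.walk does not descend into linked dirs, so the
    link itself is reported rather than its contents."""
    root_real = os.path.realpath(web_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root_real, target]) != root_real:
                    findings.append((path, target))
    return findings


def build_lab() -> dict:
    """Constructed layout (assumption, not the real FortiOS tree):
    <base>/fakeroot/etc/config.conf   stands in for the device config
    <base>/webroot/lang/en.json       a legitimate language file
    <base>/webroot/lang/root_link     planted symlink -> <base>/fakeroot"""
    base = tempfile.mkdtemp(prefix="sslvpn-lab-")
    fake_root = os.path.join(base, "fakeroot")
    os.makedirs(os.path.join(fake_root, "etc"))
    with open(os.path.join(fake_root, "etc", "config.conf"), "w") as f:
        f.write("admin-password-hash: CONSTRUCTED-SAMPLE\n")
    lang_dir = os.path.join(base, "webroot", "lang")
    os.makedirs(lang_dir)
    with open(os.path.join(lang_dir, "en.json"), "w") as f:
        f.write('{"login": "Login"}\n')
    os.symlink(fake_root, os.path.join(lang_dir, "root_link"))
    return {"web_root": os.path.join(base, "webroot"), "fake_root": fake_root}


def demo() -> dict:
    """Run the leak, the block, and the scan against the constructed lab."""
    web_root = build_lab()["web_root"]
    leaked = resolve_naive(web_root, "lang/root_link/etc/config.conf")
    blocked = resolve_hardened(web_root, "lang/root_link/etc/config.conf")
    legit = resolve_hardened(web_root, "lang/en.json")
    findings = find_escaping_symlinks(web_root)
    naive_leaks = False
    if leaked is not None:
        with open(leaked) as f:
            naive_leaks = f.read().startswith("admin-password-hash")
    return {
        "naive_leaks": naive_leaks,            # True: config read via the link
        "hardened_blocks": blocked is None,    # True: escape refused
        "hardened_serves_legit": legit is not None,
        "escaping_symlinks": [os.path.relpath(p, web_root) for p, _ in findings],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan is the part to adapt for a real review: point it at whatever directory a web component serves and treat any symlink that resolves outside it as an artifact to investigate, not just a misconfiguration. The resolver comparison shows why "patched the bug" and "removed the backdoor" are different questions: the link works against a server that follows symlinks regardless of which vulnerability was used to plant it.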

Fortinet post-patch TL;DR

Fortinet warns that attackers are using a stealthy symlink trick in FortiGate firewalls’ SSL-VPN to retain read-only access even after patching. This persistence method survives updates, prompting Fortinet to urge forensic checks beyond standard patching.

Remote access risk findings

Remote access infrastructure continues to be the most exploited attack surface in corporate environments, according to recent findings from cyber insurer Coalition. Systems such as VPNs, remote desktop software, and firewall appliances are increasingly targeted by threat actors, particularly ransomware groups like Black Basta, because they are internet-facing and often weakly configured.

Many of these attacks begin with compromised login panels exposed to the public internet. This allows adversaries to brute-force credentials or use stolen ones to gain unauthorized access. Coalition’s report reveals that two-thirds of companies have at least one exposed login panel. This triples their likelihood of suffering a ransomware attack.

Notably, 45% of ransomware claims involved VPN appliances, while 23% were linked to remote desktop tools. Devices from vendors such as Cisco, Fortinet, and Citrix are frequent points of entry. Many victims did not enforce multifactor authentication (MFA) on these entry points, so a single stolen or guessed credential was enough to gain privileged access. To reduce these risks, experts recommend a layered defense: patch and update edge devices promptly, enforce phishing-resistant MFA on every remote access path, and adopt zero-trust principles so that reaching a login panel does not by itself grant network access. Together these measures significantly shrink the attack surface and improve resilience against modern threats.

Remote access TL;DR

Remote access tools like VPNs and remote desktops are prime targets for ransomware attacks, usually through exposed login panels and weak security. Coalition reports that two-thirds of companies have at least one such panel exposed. Experts urge prompt patching, MFA, and zero-trust security to reduce exposure.

These stories show the exposure that remote access solutions and remote working create when they are not secured correctly. Get in touch to learn how ThinScale can help keep your endpoint environment secured for remote and hybrid working.