Fortinet has issued a warning regarding ongoing attacks that exploit known vulnerabilities in its FortiOS and FortiProxy products.

The vulnerabilities being targeted include CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, which allow unauthorized access to FortiGate devices.

Reports indicate that a threat actor is selling a zero-day exploit for Fortinet's FortiGate firewalls, which can be exploited remotely without requiring authentication.

Attackers are employing a method that involves creating a symbolic link to evade detection and maintain access even after patches have been applied.

This exploit provides attackers with full control over vulnerable devices, enabling them to access sensitive FortiOS configuration files and extract credentials and firewall policies.

Cybersecurity firm ThreatMon alerted the public about this exploit being advertised on a dark web forum over the weekend.

Only configurations with SSL-VPN enabled are affected, and Fortinet has provided mitigations, including an AV/IPS signature to detect and remove the symbolic link.

Both Fortinet and the Cybersecurity and Infrastructure Security Agency (CISA) are urging users to update to specific versions of FortiOS to eliminate the malicious link and protect against exploitation.