In a sobering development for network security professionals worldwide, Fortinet has issued a detailed warning that advanced persistent threat (APT) actors have been exploiting previously disclosed vulnerabilities in FortiGate devices to maintain long-term access to compromised networks—even after patches were applied.
This chilling revelation underscores a long-standing concern in cybersecurity: patching is only one piece of the defense puzzle. According to Fortinet’s April 2025 threat report and a summary by The Hacker News, attackers are leveraging vulnerabilities like CVE-2022-42475, a critical heap-based buffer overflow bug in SSL VPNs, to implant malware and ensure sustained access.
From Exploitation to Persistence
The Fortinet threat intelligence team has documented a multi-stage operation where malicious actors gain initial access through outdated firmware, then implant root-level shell scripts, web shells, and other persistence mechanisms into FortiGate firewalls. These aren’t fly-by-night operations. We’re talking about stealthy, highly skilled threat groups with the tools and patience to lay low until reactivated.
Once inside, these attackers aren’t simply sniffing around—they’re moving laterally across networks, harvesting credentials, and pivoting to more valuable internal assets. In some cases, the malware persists even after the device firmware is updated, creating a dangerous false sense of security for IT admins who thought they had neutralized the threat.
Advanced TTPs on Display
This campaign isn’t just notable for its initial entry point. It’s the threat actors’ post-exploitation tactics, techniques, and procedures (TTPs) that elevate this to a whole new level. Fortinet’s analysis reveals the use of:
- Custom backdoors that blend in with legitimate system files
- Tampered SSH daemons to enable silent login without triggering logs
- Fileless techniques to maintain stealth and persistence
This isn’t theoretical. Fortinet has shared Indicators of Compromise (IoCs) and malware traces to help defenders uncover latent threats in their networks.
What You Should Do Now
If you manage FortiGate devices, don’t just update your firmware and call it a day. Fortinet urges users to conduct thorough forensic reviews and implement threat hunting operations across the network. Their advisory includes IoCs, suspicious filenames, and guidance on reverse shell activity.
Also, monitor outbound traffic, inspect logs for unauthorized root access, and enforce MFA wherever possible. This isn’t just about patching vulnerabilities—it’s about finding and evicting digital squatters who may already be inside your infrastructure.
