“The supreme art of war is to subdue the enemy without fighting.”
Sun Tzu
Turns out, the enemy didn’t even have to fight. The Fortinet symlink exploit gave them exactly what they needed: persistent access, no brute force required.
In this latest breach, attackers didn’t break in twice; they never left. Despite public patches, thisexploit has left customers exposed. What was supposed to be a cleanup turned out to be a cover-up, and now, we’re seeing the fallout.
The Sneaky Trick: Attackers used a symbolic link (symlink) inside a directory used for language files. It quietly connected the user and root filesystems, giving them read-only access.
The “Patch”: Fortinet issued updates but didn’t remove the malicious symlink. Result? Persistence. Even patched systems remained vulnerable.
The Big Caveat: If SSL-VPN was never enabled, you’re safe. But if it was, and you haven’t upgraded to very specific versions, your system might still be haunted.
Mitigation: Cleaning Up the Symlink Mess
Here’s what Fortinet did after the exploit resurfaced:
Created AV/IPS signatures to detect and clean the symlink
Rolled out updates in FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16
Hardened the SSL-VPN UI to block future symlink abuse
Still, this whole situation raises a bigger question: Why wasn’t this cleaned up in the first place?
Final Take: Patch Fast, Patch Right
The Fortinet symlink exploit shows what happens when patches are reactive, not proactive. Attackers didn’t need new vulnerabilities; they used a known one, better.
While Fortinet’s latest fixes improve the situation, the fact remains: Trust was breached. Again. And without aggressive cleanup, even “patched” systems can remain quietly compromised.
A patched hole doesn’t mean a clean house, especially when ghosts leave symlinks in your basement.
Imagine waking up to your organization’s security perimeter being compromised because of a critical authentication vulnerability exploited in the wild. That is exactly the threat that organizations face today, with recently found vulnerabilities in Fortinet FortiOS and FortiProxy, now highlighted by CISA as being actively exploited.
The Newest CISA Alert: What’s at Stake?
On March 18, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) included two Fortinet vulnerabilities in its Known Exploited Vulnerabilities Catalog with an urgent action recommendation. The vulnerabilities are a high-risk threat as they enable remote attackers to obtain super-admin privileges and completely bypass authentication controls.
Fortinet FortiOS and FortiProxy Authentication Bypass: CVE-2025-24472
Affected Versions:
FortiOS: 7.0.0 to 7.0.16
FortiProxy: 7.0.0 to 7.0.19, 7.2.0 to 7.2.12
Attack Method: CSF proxy requests with crafted requests
Severity: Critical (CVSS 9.8)
Risk: Permits unauthorized access, which allows complete takeover of impacted systems.
Malicious Code in tj-actions/changed-files GitHub Action: CVE-2025-30066
Problem: Attackers inserted malicious code into a commonly used GitHub Action.
Consequence: Possibility of supply chain attacks on CI/CD pipelines.
These are not theoretical threats; they are being exploited, so remediation is required urgently.
Why This Matters
Authentication bypass vulnerabilities are one of the most critical security vulnerabilities. They disable the first line of defense, enabling attackers to function as privileged users without credentials. The consequences are:
Unauthorized Access: Attackers can penetrate networks undetected.
Data Breach Risks: Sensitive data can be exfiltrated or tampered with.
Ransomware & Lateral Movement: Compromised systems can be used as entry points for further organizational attacks.
How to Protect Your Organization
CISA strongly urges all organizations to take the following action:
Apply Vendor Patches Immediately
Patches for these vulnerabilities have been issued by Fortinet. Organizations need to update their FortiOS and FortiProxy installations as soon as possible.
Implement Zero-Trust Principles
Treat each access request as possibly malicious.
Enforce robust authentication and access control practices.
Monitor for Indicators of Compromise (IoCs)
Audit logs regularly for suspicious activity.
Configure automated alerts for suspicious authentication attempts.
Secure Your CI/CD Pipelines
If utilizing GitHub Actions, inspect dependencies and limit untrusted third-party code.
Enforce strict repository access controls.
The Bigger Picture: Convenience vs. Security
This attack highlights a growing problem – security gaps created by prioritizing convenience over robust authentication. Organizations value ease of use, but frequently at the expense of strong authentication measures. Password-based security, even with MFA, remains susceptible to bypasses. A passwordless, zero-trust solution, such as PureAuth, provides a more resilient option by removing traditional authentication vulnerabilities.
Final Takeaway: Act Now, Stay Secure
This is not another security notice: It’s a wake-up call. Fortinet’s authentication bypass vulnerabilities are being exploited today, and the delay compounds the threat. Organizations have no choice but to patch ASAP, harden their authentication efforts, and revamp how they approach identity security.
In cybersecurity, delay is not an option. Proactive defense is the only way to go. Be ahead of the attackers, because they’re already ahead of you. #gopasswordless
A critical zero-day vulnerability in Fortinet’s Windows VPN client, FortiClient, has been exploited by a Chinese-linked threat actor known as BrazenBamboo. This flaw, reported by cybersecurity firm Volexity, remains unpatched, leaving organizations vulnerable to credential theft and espionage. The attackers employ a modular malware framework called DeepData, which specializes in extracting sensitive information from compromised systems.
The Vulnerability: Unresolved and Exploited
The FortiClient zero-day allows credentials, including usernames, passwords, and VPN server details, to persist in process memory after authentication. The DeepData malware exploits this vulnerability using a FortiClient plugin, leveraging the stored JSON objects in memory to exfiltrate data.
Key facts about the vulnerability:
Reported by Volexity: On July 18, 2024, and acknowledged by Fortinet on July 24, 2024.
Unpatched: No CVE assigned, and no fixes released to date.
Targeted Versions: The latest FortiClient versions, including v7.4.0, are affected.
BrazenBamboo developed a sophisticated post-exploitation tool called DeepData. It is modular, utilizing plugins to target a wide range of sensitive data.
Key Features:
Credential Theft: Extracts credentials from FortiClient and 18 other sources.
Application Surveillance: Collects data from communication apps like WeChat, WhatsApp, and Signal.
Web Browsing Data: Gathers cookies, history, and passwords from major browsers like Chrome and Firefox.
System Monitoring: Records audio, captures screenshots, and tracks installed software.
DeepData also integrates with another BrazenBamboo tool, DeepPost, to exfiltrate stolen data to command-and-control (C2) servers.
BrazenBamboo: A Persistent Threat
Volexity attributes DeepData’s development to BrazenBamboo, a Chinese state-sponsored group also linked to LightSpy and DeepPost malware. These tools have been used in campaigns targeting Southeast Asian journalists, activists, and politicians.
Notable Traits:
Multi-Platform Capability: Operates on Windows, macOS, iOS, and Android.
Infrastructure Overlap: Shared C2 servers and coding styles with other malware families.
Operational Longevity: Continues to evolve despite public exposure.
Mitigation Recommendations
Organizations should implement the following measures while waiting for a patch:
Restrict VPN Access: Limit access to trusted users and monitor login activity.
Detect Malicious Activity: Use available rules and indicators of compromise (IOCs) to identify threats.
Enhance System Security: Regularly audit memory for sensitive information and improve credential management practices.
Conclusion
The ongoing exploitation of Fortinet’s VPN client zero-day by BrazenBamboo underscores the urgency of addressing vulnerabilities promptly.
Proactive measures and modern solutions are the keys to staying resilient in an evolving cybersecurity landscape. It’s time for organizations to transition to secure-by-design platforms instead of relying on password and credential-based authentication. If something can be stolen, it will be. Using solutions like PureAuth for passwordless authentication and access management ensures your organization is safe and your data is secure by design and default. By eliminating passwords—a common attack vector—you can significantly enhance your security posture and stay ahead of sophisticated threats like BrazenBamboo. #gopasswordless
Fortinet recently experienced a data breach with 440GB of stolen files. This incident underscores the critical importance of securing data in third-party cloud environments. In this blog, we dive into the details of the Fortinet breach, its implications, and why moving towards passwordless authentication is an essential step for enhancing security.
The Fortinet Breach: A Detailed Overview
Fortinet, renowned for its comprehensive cybersecurity solutions, has confirmed a significant data breach. The hacker, using the name “Fortibitch,” claimed to have exploited an Azure SharePoint vulnerability to steal 440GB of data in this breach, dubbed “Fortileak“.
Credit: Hackread.com
How the Breach Happened
According to reports, the breach involved unauthorised access to Fortinet’s Azure SharePoint instance. The hacker provided credentials to an Amazon S3 bucket where the stolen data was allegedly stored. The leaked data included customer information and various corporate documents.
Fortinet confirmed the breach involved less than 0.3% of its customer base, affecting a limited number of files. The company assured stakeholders that there was no evidence of malicious activity affecting its operations or services. No ransomware was deployed, and Fortinet’s corporate network remained secure.
The Response from Fortinet
Fortinet acted swiftly to mitigate the impact of the breach. The company engaged in immediate containment measures, including terminating the unauthorised access and notifying affected customers. They also worked with law enforcement and cybersecurity agencies to address the situation.
In their update, Fortinet emphasised that the breach did not involve data encryption or ransomware. The company’s operations and financial performance remain unaffected, with no significant impact reported.
Key Takeaways and Security Lessons
This incident highlights several critical lessons for organisations:
1. Secure Cloud Environments
The Fortinet breach underscores the need for robust security measures around cloud-based environments. Companies must properly configure their cloud storage solutions and actively protect them against unauthorized access.
2. Implement Strong Access Controls
Using multi factor authentication (MFA) is minimum, but given the MFA are also getting bypassed, more secure authentication like PureAUTH is highly recommended
3. Continuous Monitoring and Response
Proactive monitoring of cloud assets and rapid response to security incidents are essential for minimising the impact of breaches. Organisations should have incident response plans in place to handle such situations effectively.
Embracing Passwordless Authentication for Enhanced Security
As demonstrated by the Fortinet breach, traditional security measures, including passwords and MFA, are increasingly inadequate. The shift towards passwordless authentication offers a more secure and resilient alternative.
Passwordless authentication solutions like PureAuth provide a breach-resilient architecture by leveraging advanced cryptography and just-in-time access. This approach significantly reduces the risk of third-party breaches and enhances overall security. Key benefits include:
Breach Resilience: PureAuth’s architecture is designed to withstand breaches by eliminating the reliance on passwords and minimising attack vectors.
Flexible Security Measures: We work with you to design fallback and recovery mechanisms, ensuring uninterrupted access to enterprise resources.
Ongoing Support: Comprehensive breach support is available to address any issues that arise.
Transitioning to passwordless authentication is no longer just a best practice but a necessity for enterprises aiming to protect critical assets. Passwords and traditional 2FA/MFA methods are becoming increasingly inefficient and insecure. Adopting a passwordless approach enhances security, simplifies access management, and aligns perfectly with modern cybersecurity needs.
Conclusion
The Fortinet data breach serves as a stark reminder of the evolving threats in the cybersecurity landscape. While Fortinet’s response has been commendable, organisations must take proactive steps to safeguard their data, especially in cloud environments. Moving towards passwordless authentication solutions like PureAuth offers a forward-thinking approach to security, addressing the limitations of traditional methods and providing a more resilient defence against breaches.
For enterprises looking to enhance their security posture, embracing passwordless authentication is not an option—it is a necessity. Ensure your organisation is equipped to handle the future of cybersecurity with advanced, breach-resilient solutions. #gopasswordless
