This advisory highlights a critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy products that is being actively exploited in the wild. The flaw allows unauthenticated remote code execution via the SSL VPN interface, potentially giving attackers full control over affected devices. With multiple versions impacted across FortiOS and FortiProxy, and threat actors reportedly selling related exploits on dark web forums, the risk of widespread exploitation is high. Fortinet strongly urges immediate patching and additional mitigation steps, making this advisory crucial for organisations relying on Fortinet products to secure their networks.
In April 2025, a threat actor has reportedly advertised what they claimed to be a Fortinet FortiGate firewall zero-day exploit on a dark web forum, intensifying concerns across the cyber security community.
The actor advertised that the exploit targeted FortiOS version 7.4.2 and allowed unauthenticated remote code execution, offering capabilities to extract administrative and user credentials, Firewall policies and network configurations, MFA secrets, certificates and other sensitive data from vulnerable systems. Coinciding with this dark web listing, Fortinet released a security advisory and blog post detailing an ongoing campaign that had been exploiting multiple previously patched vulnerabilities - specifically CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 - to gain and maintain access to FortiOS and FortiProxy devices. These attacks were observed to be highly targeted and methodical, involving the creation of symbolic links within system directories used by the SSL VPN daemon to establish persistence with read-only access, enabling attackers to repeatedly collect data without detection.
Affected versions include FortiOS 6.4.0 through 6.4.13, 7.0.0 through 7.0.13, 7.2.0 through 7.2.6, and 7.4.0 through 7.4.2, as well as corresponding FortiProxy versions. Fortinet’s analysis suggests the threat actor leveraged the SSL VPN feature to pivot into internal systems after initial exploitation, possibly as part of an APT-style campaign characterized by stealth, custom tooling, and infrastructure segmentation. In response, Fortinet has urged customers to upgrade to patched versions - 6.4.16, 7.0.17, 7.2.11, 7.4.7 and 7.6.2 and implement recommended mitigations including disabling the SSL VPN service if not in use, restricting administrative access. Upgrading to these versions will remove the malicious symbolic link.
While Fortinet has not yet confirmed whether Threat Actor’s claimed exploit represents a novel vulnerability or is related to the aforementioned CVEs, the alignment in timing strongly suggests that real-world attacks may have inspired or coincided with the sale. This convergence between underground marketplace activity and active exploitation once again highlights the importance of rapid patch management, threat hunting, and behavioural monitoring, especially for edge-facing infrastructure.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.