Over 16,000 Fortinet Devices Compromised with Stealth Symlink Backdoor

by | Apr 17, 2025 | News

Over 16,000 Fortinet Devices Compromised with Stealth Symlink Backdoor

Post Views: 35




Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon
Reading Time: 3 Minutes

Threat Actors Maintain Persistent Access on Patched FortiGate Devices

Security researchers have detected 16,620 Fortinet devices compromised with a covert symbolic link backdoor, granting attackers persistent, read-only access to sensitive files—even on systems that were previously patched against the original vulnerabilities.

This alarming escalation in exposure was reported by The Shadowserver Foundation, a threat monitoring nonprofit. The figure marks a significant jump from the 14,000 compromised systems initially reported earlier this month.

What Happened?

According to Fortinet, the issue traces back to a persistence mechanism left behind by attackers who exploited zero-day vulnerabilities in FortiOS SSL-VPN systems between 2023 and early 2024.

“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices,” said Fortinet.
“This was achieved via a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN.”

Key Details:

  • The symlink resides in a folder that serves language files, which is publicly accessible via SSL-VPN.

  • Once in place, the symlink allows remote read-only browsing of the root filesystem.

  • Because the modification is stored in the user filesystem, it persists even after patching the original vulnerability.

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses




Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Impact and Exposure

Devices affected include FortiGate systems with SSL-VPN enabled that were previously compromised and later patched. However, due to the stealthy nature of the symlink, threat actors retain access to sensitive data such as:

  • Device configurations

  • User credentials

  • System files

These symlinks do not rely on new vulnerabilities, making detection and remediation particularly challenging.

Detection & Mitigation

Fortinet has released:

  • New AV/IPS signatures to detect and remove the malicious symlink.

  • Updated firmware that:

    • Removes the symbolic link if present

    • Blocks unknown folders and files from being served via the device’s webserver

Fortinet has also begun notifying affected customers privately by email based on detections by FortiGuard.

Emails sent to owners of compromised devicesEmails sent to owners of compromised devices
Source: BleepingComputer

Trending: Breaking Down Active and Passive Reconnaissance




Trending: Recon Tool: spoof_checker

Recommended Actions for Affected Admins

If your FortiGate device has been identified as compromised, Fortinet strongly recommends performing a full clean installation rather than relying on patching alone.

Reinstallation & Restoration

  1. Download the latest firmware from the Fortinet Support site.

  2. Verify firmware integrity using SHA512 checksums.
    See: Technical Tip – How to verify downloaded firmware checksum using SHA512.

  3. Format the device flash and perform a clean install using TFTP.
    See: Technical Tip – Loading a FortiGate firmware image using TFTP.

  4. After TFTP reinstallation, format the disk partition to fully remove potential remnants.
    See: Technical Tip – Standard procedure to format a FortiGate Log Disk.

Post-Restoration Hardening

  1. Do not reuse the existing configuration file unless it’s from a known clean backup.

  2. Reset all credentials, including:

    • Admin and local user accounts

    • VPN user credentials

    • RADIUS secrets

    • IPsec pre-shared keys (PSKs)

  3. Replace all certificates, and revoke any that may have been exposed.

  4. Change GUI admin port from the default (TCP 443) to a custom port.

  5. Restrict administrative logins to trusted IPs only.

  6. Disable GUI/CLI access on any Internet-facing interfaces.

  7. Perform administrative tasks on an out-of-band management network only.

  8. Enable two-factor authentication (2FA) across all admin accounts.

  9. Change any LDAP user credentials used for device authentication.

  10. Apply all recommendations in the FortiOS Hardening Guide.

  11. Immediately upgrade to the latest FortiOS version after restoring the config to ensure the device is not left exposed on older firmware.

Trending: New Neptune RAT Variant Spreads via YouTube and Telegram, Targets Windows Users

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This