Saturday, May 24, 2025
HomeCyber Security NewsOver 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit

Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit

Published on

SIEM as a Service

Follow Us on Google News

A major cyberattack has compromised more than 17,000 Fortinet devices globally, exploiting a sophisticated symbolic link persistence technique.

The incident marks a rapid escalation from early reports, which initially identified approximately 14,000 affected devices just days ago. Security experts believe the number may continue to rise as investigations progress, as reported by Cyber Security News.

The cyberattack targets previously disclosed vulnerabilities in Fortinet’s widely used FortiGate products, including critical flaws identified in recent years.

- Advertisement - Google News

After breaching the devices, attackers leveraged a symbolic link (symlink) trick: by linking the user filesystem to the root filesystem—specifically within a directory used by the SSL-VPN language files—they maintained illicit, read-only access to sensitive system files and configurations.

Crucially, this malicious symlink was stored in the user filesystem, an area not typically wiped out during routine firmware updates.

Devices Impacted
Devices Impacted

That means even organizations that have patched their devices for the original vulnerabilities may remain exposed if the symlink persists.

The attack’s scope is alarming. From April 11 to April 16, 2025, the count of compromised devices surged from 14,000 to over 17,009.

Asia is the hardest hit, accounting for about half of the affected systems, followed by Europe and North America. South America, Africa, and Oceania have reported smaller, but still notable, numbers.

Security officials caution that compromised systems could expose configuration files, user credentials, and cryptographic keys.

Some breaches appear to trace back to 2023, indicating the campaign may have operated undetected for months.

Fortinet’s Response and Security Guidance

Fortinet has started direct notifications to affected customers and rolled out multiple FortiOS updates (including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16).

These updates aim to detect and remove the malicious symlinks, and to prevent recurrence of similar attacks.

However, cybersecurity authorities have stressed that software patching alone is not enough. They recommend organizations:

  • Isolate compromised devices from production networks
  • Conduct thorough forensic investigations
  • Reset all passwords, credentials, and cryptographic keys

Devices with SSL-VPN functionality disabled are not believed to be at risk from this specific attack vector.

This incident highlights the evolving tactics of cybercriminals, who not only exploit vulnerabilities quickly but also establish mechanisms to survive standard remediation.

The persistence of these attacks, even after patching, poses a serious, ongoing threat—particularly to organizations responsible for critical infrastructure.

Experts warn that as investigations continue, comprehensive vigilance, prompt patching, and deep system inspections are essential to mitigate lingering risks and to prevent future breaches.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...