Tuesday, May 6, 2025
HomeCyber Security NewsOver 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit

Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit

Published on

SIEM as a Service

Follow Us on Google News

A major cyberattack has compromised more than 17,000 Fortinet devices globally, exploiting a sophisticated symbolic link persistence technique.

The incident marks a rapid escalation from early reports, which initially identified approximately 14,000 affected devices just days ago. Security experts believe the number may continue to rise as investigations progress, as reported by Cyber Security News.

The cyberattack targets previously disclosed vulnerabilities in Fortinet’s widely used FortiGate products, including critical flaws identified in recent years.

- Advertisement - Google News

After breaching the devices, attackers leveraged a symbolic link (symlink) trick: by linking the user filesystem to the root filesystem—specifically within a directory used by the SSL-VPN language files—they maintained illicit, read-only access to sensitive system files and configurations.

Crucially, this malicious symlink was stored in the user filesystem, an area not typically wiped out during routine firmware updates.

Devices Impacted
Devices Impacted

That means even organizations that have patched their devices for the original vulnerabilities may remain exposed if the symlink persists.

The attack’s scope is alarming. From April 11 to April 16, 2025, the count of compromised devices surged from 14,000 to over 17,009.

Asia is the hardest hit, accounting for about half of the affected systems, followed by Europe and North America. South America, Africa, and Oceania have reported smaller, but still notable, numbers.

Security officials caution that compromised systems could expose configuration files, user credentials, and cryptographic keys.

Some breaches appear to trace back to 2023, indicating the campaign may have operated undetected for months.

Fortinet’s Response and Security Guidance

Fortinet has started direct notifications to affected customers and rolled out multiple FortiOS updates (including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16).

These updates aim to detect and remove the malicious symlinks, and to prevent recurrence of similar attacks.

However, cybersecurity authorities have stressed that software patching alone is not enough. They recommend organizations:

  • Isolate compromised devices from production networks
  • Conduct thorough forensic investigations
  • Reset all passwords, credentials, and cryptographic keys

Devices with SSL-VPN functionality disabled are not believed to be at risk from this specific attack vector.

This incident highlights the evolving tactics of cybercriminals, who not only exploit vulnerabilities quickly but also establish mechanisms to survive standard remediation.

The persistence of these attacks, even after patching, poses a serious, ongoing threat—particularly to organizations responsible for critical infrastructure.

Experts warn that as investigations continue, comprehensive vigilance, prompt patching, and deep system inspections are essential to mitigate lingering risks and to prevent future breaches.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations,...

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search...

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider,...