Cyber Security News

Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit

A major cyberattack has compromised more than 17,000 Fortinet devices globally, exploiting a sophisticated symbolic link persistence technique.

The incident marks a rapid escalation from early reports, which initially identified approximately 14,000 affected devices just days ago. Security experts believe the number may continue to rise as investigations progress, as reported by Cyber Security News.

The cyberattack targets previously disclosed vulnerabilities in Fortinet’s widely used FortiGate products, including critical flaws identified in recent years.

After breaching the devices, attackers leveraged a symbolic link (symlink) trick: by linking the user filesystem to the root filesystem—specifically within a directory used by the SSL-VPN language files—they maintained illicit, read-only access to sensitive system files and configurations.

Crucially, this malicious symlink was stored in the user filesystem, an area not typically wiped out during routine firmware updates.

Devices ImpactedDevices Impacted
Devices Impacted

That means even organizations that have patched their devices for the original vulnerabilities may remain exposed if the symlink persists.

The attack’s scope is alarming. From April 11 to April 16, 2025, the count of compromised devices surged from 14,000 to over 17,009.

Asia is the hardest hit, accounting for about half of the affected systems, followed by Europe and North America. South America, Africa, and Oceania have reported smaller, but still notable, numbers.

Security officials caution that compromised systems could expose configuration files, user credentials, and cryptographic keys.

Some breaches appear to trace back to 2023, indicating the campaign may have operated undetected for months.

Fortinet’s Response and Security Guidance

Fortinet has started direct notifications to affected customers and rolled out multiple FortiOS updates (including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16).

These updates aim to detect and remove the malicious symlinks, and to prevent recurrence of similar attacks.

However, cybersecurity authorities have stressed that software patching alone is not enough. They recommend organizations:

  • Isolate compromised devices from production networks
  • Conduct thorough forensic investigations
  • Reset all passwords, credentials, and cryptographic keys

Devices with SSL-VPN functionality disabled are not believed to be at risk from this specific attack vector.

This incident highlights the evolving tactics of cybercriminals, who not only exploit vulnerabilities quickly but also establish mechanisms to survive standard remediation.

The persistence of these attacks, even after patching, poses a serious, ongoing threat—particularly to organizations responsible for critical infrastructure.

Experts warn that as investigations continue, comprehensive vigilance, prompt patching, and deep system inspections are essential to mitigate lingering risks and to prevent future breaches.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

5 minutes ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

1 hour ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

2 hours ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

2 hours ago

CISA Warns of Cyber Threats to Oil and Gas SCADA and ICS Networks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert warning critical infrastructure…

2 hours ago

Russian Company Gains Full Control Over Critical Open Source Easyjson Library

A startling discovery by Hunted Labs has brought to light a potential security risk lurking…

3 hours ago