Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit

A major cyberattack has compromised more than 17,000 Fortinet devices globally, exploiting a sophisticated symbolic link persistence technique.

The incident marks a rapid escalation from early reports, which initially identified approximately 14,000 affected devices just days ago. Security experts believe the number may continue to rise as investigations progress, as reported by Cyber Security News.

The cyberattack targets previously disclosed vulnerabilities in Fortinet’s widely used FortiGate products, including critical flaws identified in recent years.

After breaching the devices, attackers leveraged a symbolic link (symlink) trick: by linking the user filesystem to the root filesystem—specifically within a directory used by the SSL-VPN language files—they maintained illicit, read-only access to sensitive system files and configurations.

Crucially, this malicious symlink was stored in the user filesystem, an area not typically wiped out during routine firmware updates.

That means even organizations that have patched their devices for the original vulnerabilities may remain exposed if the symlink persists.

The attack’s scope is alarming. From April 11 to April 16, 2025, the count of compromised devices surged from 14,000 to over 17,009.

Asia is the hardest hit, accounting for about half of the affected systems, followed by Europe and North America. South America, Africa, and Oceania have reported smaller, but still notable, numbers.

Security officials caution that compromised systems could expose configuration files, user credentials, and cryptographic keys.

Some breaches appear to trace back to 2023, indicating the campaign may have operated undetected for months.

Fortinet’s Response and Security Guidance

Fortinet has started direct notifications to affected customers and rolled out multiple FortiOS updates (including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16).

These updates aim to detect and remove the malicious symlinks, and to prevent recurrence of similar attacks.

However, cybersecurity authorities have stressed that software patching alone is not enough. They recommend organizations:

• Isolate compromised devices from production networks
• Conduct thorough forensic investigations
• Reset all passwords, credentials, and cryptographic keys

Devices with SSL-VPN functionality disabled are not believed to be at risk from this specific attack vector.

This incident highlights the evolving tactics of cybercriminals, who not only exploit vulnerabilities quickly but also establish mechanisms to survive standard remediation.

The persistence of these attacks, even after patching, poses a serious, ongoing threat—particularly to organizations responsible for critical infrastructure.

Experts warn that as investigations continue, comprehensive vigilance, prompt patching, and deep system inspections are essential to mitigate lingering risks and to prevent future breaches.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!