In a significant cybersecurity incident, more than 17,000 Fortinet devices worldwide have been compromised through a sophisticated attack leveraging a symbolic link (symlink) persistence technique. This development, reported by Shadowserver, marks a substantial increase from initial estimates of 14,000 affected devices, with numbers expected to rise as investigations continue.
Exploitation of Known Vulnerabilities
The attackers exploited previously identified vulnerabilities in Fortinet’s FortiGate devices, including critical flaws that have been publicly documented in recent years. After gaining initial access, they implemented a symlink connecting the user filesystem to the root filesystem within a directory used for serving language files for the SSL-VPN feature. This manipulation allowed the attackers to maintain read-only access to sensitive files and configurations on the compromised devices. Notably, this modification was made in the user filesystem, which is typically not overwritten during standard firmware updates, enabling the persistence of the malicious symlink even after patches were applied.
Global Impact and Timeline
The attack has had a global reach, with Asia being the most heavily impacted region, accounting for approximately half of the total cases. Europe and North America also represent significant portions of the affected devices. The rapid escalation of compromised devices, from 14,000 to over 17,000 within a few days, underscores the severity and speed of this attack. Evidence suggests that some compromises may have begun as early as 2023, indicating that the campaign has operated undetected for a considerable period.
Fortinet’s Response and Recommendations
In response to this incident, Fortinet has directly notified affected customers and released updates for multiple versions of FortiOS. These updates are designed to detect and remove the malicious symlinks and prevent similar persistence techniques in the future. The company urges all customers to upgrade to the latest FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16.
However, cybersecurity agencies emphasize that patching alone may not be sufficient. Organizations are strongly advised to:
– Isolate compromised devices from their networks.
– Conduct thorough forensic investigations to determine the extent of the breach.
– Reset all authentication credentials and secrets that may have been exposed.
Devices that have never enabled SSL-VPN functionality are not believed to be affected by this specific attack vector.
Broader Context of Fortinet Device Compromises
This incident is part of a troubling trend of cyberattacks targeting Fortinet devices. In previous years, Chinese state-sponsored hackers exploited a critical FortiOS/FortiProxy remote code execution vulnerability (CVE-2022-42475) to deploy malware on vulnerable FortiGate network security appliances. The Dutch Military Intelligence and Security Service (MIVD) reported that during this campaign, at least 20,000 FortiGate devices worldwide were compromised over a few months between 2022 and 2023. The attackers used a remote access trojan (RAT) known as Coathanger, which could survive system reboots and firmware upgrades, providing persistent access to the compromised systems.
Furthermore, in January 2025, a threat actor known as the Belsen Group published sensitive data from over 15,000 FortiGate devices on the dark web. The leaked data included critical security configurations, VPN credentials, and IP addresses, posing substantial risks to the affected organizations’ network infrastructure and data security. Security researcher Kevin Beaumont confirmed the authenticity of the leak, noting that devices listed in the dump were verifiable through their unique serial numbers.
Implications and Recommendations
These incidents underscore the critical importance of timely patching and comprehensive security measures. Organizations using Fortinet devices should:
– Regularly update their systems to the latest firmware versions.
– Conduct regular security audits to detect unauthorized changes or persistence mechanisms.
– Implement robust monitoring to identify and respond to suspicious activities promptly.
– Educate IT staff on the latest threat vectors and mitigation strategies.
The ability of threat actors to maintain access even after patches are applied poses a significant long-term risk, particularly for organizations managing critical infrastructure. As cyber threats continue to evolve, a proactive and comprehensive approach to cybersecurity is essential to safeguard sensitive information and maintain operational integrity.
