More than 16,000 internet-exposed Fortinet devices carry a symlink backdoor that gives attackers persistent, read-only access to sensitive files. The backdoor is not a new vulnerability: it is a post-exploitation artifact left on devices that were compromised through earlier FortiOS flaws and then patched without the planted symlink being removed.
The Shadowserver Foundation initially reported about 14,000 affected devices; as of April 16, 2025, its count had risen to 16,620. Because the symlink is a file the attacker planted rather than a bug in the code, applying the patches for the original vulnerabilities does not delete it, so attackers keep their access after the update.
Fortinet disclosed that a threat actor exploited FortiOS vulnerabilities, since patched, in activity dating back to early 2023. Once on a device, the actor created a symbolic link in the directory that serves language files for the SSL-VPN web portal, which is reachable without authentication when SSL-VPN is enabled. The link joins the user file system to the root file system, so ordinary requests for files under that directory can read files anywhere on the device, including its configuration. The access is read-only but survives patching of the original flaws. Fortinet has stated that customers who never enabled SSL-VPN are not affected.
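The mechanism above is a general one: a static-file handler that joins the request path onto its document root and opens the result will happily follow a planted symlink out of that root. The following Python, added here as an example and not Fortinet's code or a model of FortiOS internals, builds a constructed directory layout (a stand-in "root file system" holding a secret config, and a served language-file directory with a planted symlink back to that root), then shows three things: an audit function that lists symlinks under a served directory which resolve outside it, a naive handler that leaks the secret through the link, and a hardened handler that resolves the path first and refuses anything outside the document root. All directory and file names are assumptions for the demo.

```python
"""Audit a web-served directory for symlinks that escape it, and compare a
naive static-file handler with one that resolves before serving.
Added example; the filesystem layout below is constructed, not a real device."""
import os
import tempfile
from pathlib import Path


def escaping_symlinks(docroot):
    """Return (link, raw_target, resolved_target) for every symlink under
    docroot whose resolved target lies outside docroot."""
    root = Path(docroot).resolve()
    findings = []
    # followlinks=False: never descend into a symlinked directory, so the
    # walk cannot be dragged out of the root by the very link we are hunting.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # follows the chain of links, non-strict
            try:
                target.relative_to(root)  # raises if target is outside root
            except ValueError:
                findings.append((str(p.relative_to(root)), os.readlink(p), str(target)))
    return findings


def serve_naive(docroot, url_path):
    """Vulnerable pattern: join and open, silently following symlinks."""
    full = os.path.join(docroot, url_path.lstrip("/"))
    with open(full, "rb") as f:
        return f.read()


def serve_hardened(docroot, url_path):
    """Hardened pattern: resolve symlinks, then require the real path to be
    inside the real document root before reading anything."""
    root = Path(docroot).resolve()
    full = (root / url_path.lstrip("/")).resolve()
    if full != root and root not in full.parents:
        raise PermissionError(f"refusing {url_path}: resolves to {full} outside docroot")
    return full.read_bytes()


def demo():
    """Build the constructed layout in a temp dir, exercise the three functions,
    and return the outcomes as plain data."""
    with tempfile.TemporaryDirectory() as tmp:
        fs = Path(tmp) / "fs"                        # stand-in for the device root filesystem
        secret = fs / "etc" / "secret.conf"          # constructed sensitive file
        secret.parent.mkdir(parents=True)
        secret.write_text("admin-password-hash: constructed-sample\n")

        docroot = fs / "var" / "www" / "lang"        # assumed name for the served language dir
        docroot.mkdir(parents=True)
        (docroot / "en.json").write_text('{"login": "Login"}')
        (docroot / "dict").symlink_to(docroot / "en.json")   # in-tree link: legitimate, not flagged
        (docroot / "cache").symlink_to(fs)                   # planted link back to the root fs

        findings = escaping_symlinks(docroot)
        leaked = serve_naive(docroot, "/cache/etc/secret.conf")
        try:
            serve_hardened(docroot, "/cache/etc/secret.conf")
            blocked = False
        except PermissionError:
            blocked = True
        legit = serve_hardened(docroot, "/en.json")
        return {
            "escaping": [link for link, _, _ in findings],
            "naive_leaks_secret": leaked == secret.read_bytes(),
            "hardened_blocks_symlink": blocked,
            "hardened_serves_legit": legit == b'{"login": "Login"}',
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `escaping_symlinks()` against any directory a web server exposes; a single hit pointing at `/` or a parent of the document root is exactly the artifact described above. Note that the check works on the resolved target, so a chain of innocuous-looking relative links is caught as well.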
Fortinet has released FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16, which remove the planted symlink and change the SSL-VPN web interface so that such links are no longer served; Fortinet's AV/IPS engine also carries a signature that detects and cleans the link. Upgrading does not undo what an attacker may already have read, so administrators should treat a flagged device as compromised, review its configuration for unexpected changes, and reset any credentials that were stored in or exposed through that configuration.
CERT-FR has reported a widespread campaign against devices in France, with incidents dating back to early 2023. It recommends isolating affected VPN devices from the network, resetting all credentials and cryptographic keys held on them, and hunting for signs of lateral movement from the device into the rest of the network.
The Cybersecurity and Infrastructure Security Agency (CISA) urges organizations to report any related incidents to its 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.