Massive Hack Hits 17,000+ Fortinet Devices Through Symlink Vulnerability

A major cyberattack has compromised over 17,000 Fortinet devices worldwide.

The attackers exploited a symbolic link (symlink) persistence technique that allows attackers to retain access even after organizations patched the original vulnerabilities.

The attack, first detected by the Shadowserver Foundation, has rapidly escalated, with the number of affected devices rising from 14,000 to more than 17,000 in just days, and is expected to grow as investigations continue.

Attack Overview

• Vulnerabilities Exploited: Attackers leveraged several previously known critical flaws in Fortinet’s FortiGate devices, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, to gain initial access.
• Persistence Mechanism: After breaching a device, the attackers created a symlink in the user filesystem, connecting it to the root filesystem within a folder used by the SSL-VPN feature for language files.
• This symlink, placed in an area not typically overwritten during firmware updates, allowed persistent, read-only access to sensitive files, configurations, credentials, and cryptographic keys—even after patches were applied.
• Detection Challenges: The symlink exploit evaded standard detection and remediation processes, enabling attackers to maintain access undetected for months or even years. Some compromises may date back to early 2023.

Scope and Impact

• Geographic Spread: Asia is the most heavily impacted region, accounting for roughly half of all known compromised devices. Europe and North America also report significant numbers, while South America, Africa, and Oceania have fewer cases.
• Device Exposure: Over 17,000 devices are confirmed compromised, with the majority of new cases detected within a few days, highlighting the rapid and global scale of the attack.
• Persistence Risk: Even after patching, the symlink can remain, granting attackers ongoing access to device configurations and sensitive data. Devices that never enabled SSL-VPN are not believed to be affected by this specific vector.

Fortinet’s Response

• Customer Notifications: Fortinet has directly notified affected customers, urging urgent action.
• Firmware Updates: The company released FortiOS updates (versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16) that detect and remove the malicious symlink and prevent similar persistence techniques in the future.
• AV/IPS Signatures: New antivirus and intrusion prevention system (AV/IPS) signatures have been issued to help identify and remove the symlink from compromised devices.

Security Agency Guidance

Authorities and security experts warn that patching alone is insufficient for remediation. Organizations are strongly advised to:

• Isolate compromised devices from their networks immediately.
• Conduct thorough forensic investigations to determine the extent of the breach.
• Reset all authentication credentials, secrets, and certificates that may have been exposed.
• Treat all device configurations as potentially compromised and review for unauthorized changes.
• Consider disabling SSL-VPN functionality until full remediation is confirmed.

Broader Implications

This incident underscores a troubling trend: attackers are exploiting known vulnerabilities rapidly and embedding persistence mechanisms that can survive standard security updates and remediation efforts.

The ability to maintain access after patching poses a significant long-term risk, especially for organizations managing critical infrastructure.

Summary Table: Key Details

Aspect	Details
Devices Compromised	17,000+ and rising
Main Regions Affected	Asia (most), Europe, North America
Attack Technique	Symlink in SSL-VPN language files folder for persistence
Vulnerabilities Used	CVE-2022-42475, CVE-2023-27997, CVE-2024-21762
Data at Risk	Configurations, credentials, cryptographic keys
Fortinet Response	Firmware updates, AV/IPS signatures, direct customer notifications
Security Recommendations	Isolate devices, forensic investigation, reset all credentials/secrets
Devices Not Affected	Those without SSL-VPN enabled

Organizations are urged to remain vigilant, ensure all devices are fully patched, and proactively review system configurations for signs of unauthorized changes or lingering persistence mechanisms.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates

The post Massive Hack Hits 17,000+ Fortinet Devices Through Symlink Vulnerability appeared first on Cyber Security News.