![[Webinar] AI Is Already Inside Your SaaS Stack — Learn How to Prevent the Next Silent Breach](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOWn65wd33dg2uO99NrtKbpYLfcepwOLidQDMls0HXKlA91k6HURluRA4WXgJRAZldEe1VReMQZyyYt1PgnoAn5JPpILsWlXIzmrBSs_TBoyPwO7hZrWouBg2-O3mdeoeSGY-l9_bsZB7vbpKjTSvG93zNytjxgTaMPqo9iq9Z5pGa05CJOs9uXpwHFT4/s1600/ai-cyber.jpg?#)
![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![Rogue Company Elite tier list of best characters [April 2025]](https://media.pocketgamer.com/artwork/na-33136-1657102075/rogue-company-ios-android-tier-cover.jpg?#)
_Andreas_Prott_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![What’s new in Android’s April 2025 Google System Updates [U: 4/18]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/01/google-play-services-3.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Apple Watch Series 10 Back On Sale for $299! [Lowest Price Ever]](https://www.iclarified.com/images/news/96657/96657/96657-640.jpg)
![EU Postpones Apple App Store Fines Amid Tariff Negotiations [Report]](https://www.iclarified.com/images/news/97068/97068/97068-640.jpg)
![Apple Slips to Fifth in China's Smartphone Market with 9% Decline [Report]](https://www.iclarified.com/images/news/97065/97065/97065-640.jpg)
17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit
17,000+ Fortinet devices worldwide have been compromised in a sophisticated cyberattack that leverages a symbolic link persistence technique, according to new findings from Shadowserver. The number of affected devices has climbed from an initial report of 14,000 to 17,000, with the figure expected to rise as investigations continue. The attack exploits previously known vulnerabilities in […] The post 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit appeared first on Cyber Security News.
17,000+ Fortinet devices worldwide have been compromised in a sophisticated cyberattack that leverages a symbolic link persistence technique, according to new findings from Shadowserver.
The number of affected devices has climbed from an initial report of 14,000 to 17,000, with the figure expected to rise as investigations continue.
The attack exploits previously known vulnerabilities in Fortinet’s FortiGate devices, including several critical flaws that have been publicly documented in recent years.
After gaining initial access, the threat actors implemented a symbolic link (symlink) connecting the user filesystem to the root filesystem in a folder used to serve language files for the SSL-VPN feature.
This symlink allowed attackers to maintain read-only access to sensitive files and configurations on compromised devices. The modification was made in the user filesystem, which is not typically overwritten during standard firmware updates.
The graph illustrates the rapid surge in compromised Fortinet devices across different regions between April 11 and April 16, 2025.
Asia is the most heavily impacted, accounting for roughly half of the total cases, followed by Europe and North America, which together represent a significant portion of the affected devices. South America, Africa, and Oceania show much smaller numbers in comparison.
The total number of impacted devices surpasses 17,009, with the majority of the increase occurring within just a few days, highlighting both the global scale and the sudden escalation of this symbolic link attack.
As a result, even after organizations patched their devices to address the original vulnerabilities, the malicious symlink could remain, providing attackers with persistent access.
Security authorities warn that the attackers’ access could include sensitive configuration files, credentials, and cryptographic keys. In some cases, the compromise may have begun as early as 2023, suggesting that the campaign has operated undetected for a significant period.
Fortinet’s Response and Recommendations
Fortinet has responded by directly notifying affected customers and releasing updates for multiple versions of FortiOS.
These updates are designed to detect and remove the malicious symlinks and prevent similar persistence techniques in the future. The company urges all customers to upgrade to the latest FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16.
However, cybersecurity agencies emphasize that patching alone may not be sufficient. Organizations are strongly advised to:
- Isolate compromised devices from their networks
- Conduct a thorough forensic investigation to determine the extent of the breach
- Reset all authentication credentials and secrets that may have been exposed
Devices that have never enabled SSL-VPN functionality are not believed to be affected by this specific attack vector.
This incident underscores a troubling trend in cyberattacks: threat actors are not only rapidly exploiting known vulnerabilities but are also embedding persistence mechanisms that can survive standard remediation efforts.
The ability to maintain access even after patches are applied poses a significant long-term risk, particularly for organizations managing critical infrastructure.
As investigations continue, security experts urge organizations to remain vigilant, ensure all devices are fully patched, and review system configurations for any signs of unauthorized changes or lingering persistence mechanisms.
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit appeared first on Cyber Security News.
