⚡ Key Takeaways

Over 16,620 FortiGate firewalls worldwide were compromised through a symlink persistence technique that gives attackers read-only access to device configurations even after patching. The backdoor exploits SSL-VPN language file directories and has affected devices across six continents, with Asia (7,886), Europe (3,766), and North America (3,217) most impacted.

Bottom Line: Organizations running FortiGate with SSL-VPN enabled must upgrade to the latest FortiOS version, reset all VPN and LDAP credentials, and conduct forensic analysis for symlink artifacts immediately, as patching alone does not remove the backdoor.

Read Full Analysis ↓

Advertisement

🧭 Decision Radar

Relevance for Algeria
High
FortiGate firewalls are widely deployed across Algerian government agencies, telecom operators, and financial institutions. Any organization running SSL-VPN on FortiGate is potentially exposed.
Infrastructure Ready?
Partial
Most Algerian organizations have FortiGate deployments but lack the forensic capabilities to detect symlink persistence post-patch.
Skills Available?
Limited
Incident response and firmware forensics expertise is scarce in Algeria. Few security teams have the tooling to audit FortiOS filesystems for symlinks.
Action Timeline
Immediate
This is an active threat with confirmed exploitation. Patching and credential rotation must happen now, not in the next budget cycle.
Key Stakeholders
CISOs, network administrators, government IT directors
Decision Type
Tactical
This requires immediate operational response: verify firmware versions, scan for symlinks, rotate credentials, and consider disabling SSL-VPN until remediation is complete.

Quick Take: Algerian organizations using FortiGate with SSL-VPN enabled should treat this as an emergency. Upgrade to the latest FortiOS version, reset all VPN and LDAP credentials, and conduct forensic analysis for symlink artifacts. Patching alone is not enough; assume prior compromise and investigate accordingly.

The Patch That Did Not Close the Door

Fortinet disclosed in April 2025 that a threat actor had devised a novel post-exploitation technique to maintain persistent access to FortiGate devices long after the original vulnerabilities were patched. The initial compromise campaigns date back to 2023, leveraging three critical CVEs: CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. What made this attack exceptional was not the initial breach but what happened next: attackers created symbolic links inside the SSL-VPN language files directory that pointed to the device’s root filesystem. Because these language files are publicly accessible on SSL-VPN-enabled devices, the symlink gave attackers persistent read-only access to sensitive files, including device configurations, credentials, and certificates.

The Shadowserver Foundation confirmed that 16,620 internet-exposed FortiGate devices were compromised with this backdoor as of April 2025. The geographic breakdown reveals a global footprint: Asia led with 7,886 affected devices, followed by Europe at 3,766, North America at 3,217, South America at 1,054, Africa at 399, and Oceania at 298.

The technique exploits a design characteristic of FortiOS rather than a software bug. SSL-VPN-enabled FortiGate devices serve language files from a user-accessible directory. Attackers with prior access created a symbolic link within this directory pointing to the root filesystem. Because the symlink existed in the user filesystem rather than the system filesystem, standard patching and firmware updates did not remove it. The FortiOS integrity-checking mechanisms also failed to flag the modification, as the symlink resided in a space normally considered safe.

The result: even after administrators applied patches for the original CVEs, the symlink remained in place. Attackers could browse to the publicly accessible language file URL and traverse the symlink to read any file on the device, including running configurations with plaintext or hashed credentials, VPN user databases, and LDAP bind credentials.

This is not theoretical. The Canadian Centre for Cyber Security, French CERT, and CISA all issued advisories confirming active exploitation. In February 2026, researchers at ITRES Labs documented CVE-2025-68686, a double-slash technique that bypassed Fortinet’s initial symlink patch, extending the threat window further.

Advertisement

The Underlying Vulnerabilities

The three CVEs that enabled the initial compromise represent some of the most critical FortiOS flaws in recent years. CVE-2024-21762 is an out-of-bounds write vulnerability in FortiOS SSLVPNd with a CVSS score of 9.8, allowing remote unauthenticated attackers to execute arbitrary code via crafted HTTP requests. CISA added it to the Known Exploited Vulnerabilities catalog in February 2024. CVE-2023-27997 is a heap buffer overflow in the SSL-VPN component, and CVE-2022-42475 is a heap-based buffer overflow that was actively exploited as a zero-day.

All three vulnerabilities have patches available, but the symlink persistence mechanism means that patching alone is insufficient. Organizations that patched without performing post-compromise analysis may have unknowingly left the backdoor in place.

CISA and Global Response

The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory urging organizations to take immediate action beyond patching. Recommended steps include upgrading to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16, which specifically remove the malicious symlink files. CISA also advised resetting all credentials associated with SSL-VPN functionality, including user accounts, LDAP bind credentials, and pre-shared keys.

For organizations unable to patch immediately, CISA recommended disabling SSL-VPN functionality entirely until the upgrade could be performed. Fortinet’s own advisory emphasized reviewing device configurations for unauthorized symlinks and conducting forensic analysis on any device that had SSL-VPN enabled during the vulnerability window.

What Makes This Attack Significant

This incident represents a paradigm shift in how defenders should think about patching. Traditional vulnerability management operates on the assumption that applying a patch closes the security gap. The FortiGate symlink attack proves that sophisticated adversaries are now planning for patch deployment, pre-positioning persistence mechanisms that survive the remediation process. This forces organizations to adopt a more comprehensive approach that treats every patched vulnerability as a potential indicator of prior compromise requiring forensic investigation.

The scale, over 16,000 devices across six continents, also underscores how widely deployed FortiGate appliances are in critical infrastructure. Each compromised device potentially exposes not just the firewall configuration but the entire network topology, VPN credentials, and authentication infrastructure behind it.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn
Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Advertisement

Frequently Asked Questions

What is the FortiGate symlink persistence technique and why is it dangerous?

Attackers create symbolic links in FortiGate’s SSL-VPN language files directory that point to the device’s root filesystem. Because these language files are publicly accessible, the symlink gives attackers read-only access to all device files, including configurations and credentials. The technique survives standard patching because the symlink exists in the user filesystem, which firmware updates do not clean.

How can organizations detect if their FortiGate devices have been compromised?

Organizations should upgrade to FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16, which contain specific checks to remove the malicious symlinks. After upgrading, conduct a forensic review of device configurations and check for unauthorized files in the SSL-VPN language directory. CISA also recommends resetting all credentials that may have been exposed.

Does patching FortiGate devices fix the symlink backdoor?

Standard patching alone does not remove the symlink. Only the specific FortiOS versions listed in the remediation advisory contain the logic to detect and remove the malicious symbolic link. Organizations that applied earlier patches without upgrading to these specific versions may still have the backdoor in place.

Sources & Further Reading