17,000+ Fortinet devices worldwide have been compromised in a sophisticated cyberattack that leverages a symbolic link persistence technique, according to new findings from Shadowserver. The total number of impacted devices surpasses 17,009, with the majority of the increase occurring within just a few days, highlighting both the global scale and the sudden escalation of this symbolic link attack.

The attack exploits previously known vulnerabilities in Fortinet’s FortiGate devices, including several critical flaws that have been publicly documented in recent years. After gaining initial access, the threat actors implemented a symbolic link (symlink) connecting the user filesystem to the root filesystem in a folder used to serve language files for the SSL-VPN feature. This symlink allowed attackers to maintain read-only access to sensitive files and configurations on compromised devices. As a result, even after organizations patched their devices to address the original vulnerabilities, the malicious symlink could remain, providing attackers with persistent access. Devices that have never enabled SSL-VPN functionality are not believed to be affected by this specific attack vector.

The number of affected devices has climbed from an initial report of 14,000 to 17,000, with the figure expected to rise as investigations continue. Asia is the most heavily impacted, accounting for roughly half of the total cases, followed by Europe and North America, which together represent a significant portion of the affected devices.

[Graph: the rapid surge in compromised Fortinet devices across different regions between April 11 and April 16, 2025.]

Security authorities warn that the attackers’ access could include sensitive configuration files, credentials, and cryptographic keys. The ability to maintain access even after patches are applied poses a significant long-term risk, particularly for organizations managing critical infrastructure. This incident underscores a troubling trend in cyberattacks: threat actors are not only rapidly exploiting known vulnerabilities but are also embedding persistence mechanisms that can survive standard remediation efforts.

As investigations continue, security experts urge organizations to remain vigilant, ensure all devices are fully patched, and review system configurations for any signs of unauthorized changes or lingering persistence mechanisms.
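The configuration review the article recommends comes down to one check: does any symlink inside a web-served folder resolve to a location outside that folder? The script below is an added example, not Fortinet's or Shadowserver's code; the "lang" directory it builds is constructed in a temporary folder and does not reflect the real FortiGate filesystem layout, which the article does not give.

```python
"""Flag symlinks under a served directory that resolve outside it."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_dir):
    """Return (link, target) pairs for symlinks whose resolved target lies
    outside served_dir. Dangling or looping links are reported with target
    None so they are not silently skipped."""
    base = Path(served_dir).resolve()
    findings = []
    # followlinks=False: never descend into a linked directory, so a link
    # to "/" cannot drag the whole filesystem into the scan.
    for root, dirs, files in os.walk(base, followlinks=False):
        for name in dirs + files:
            link = Path(root) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=True)
            except (OSError, RuntimeError):
                findings.append((str(link), None))
                continue
            # A target inside the served tree is the normal case; anything
            # else means the web server can hand out files it was never
            # meant to expose (e.g. config and key material under "/").
            if target != base and base not in target.parents:
                findings.append((str(link), str(target)))
    return findings


def build_sample_tree():
    """Construct a throwaway 'lang' folder with one benign relative link and
    one link that escapes to the filesystem root (constructed sample data)."""
    lang = Path(tempfile.mkdtemp()) / "lang"
    lang.mkdir()
    (lang / "en.json").write_text('{"login": "Login"}')
    os.symlink("en.json", lang / "default.json")  # benign: stays inside
    os.symlink("/", lang / "z")                    # suspicious: escapes
    return str(lang)


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_sample_tree()):
        print(f"ALERT symlink {link} -> {target}")
```

Run the same function over the directories a device's HTTP daemon serves; a link that resolves to the root filesystem, or that dangles, is worth investigating even if the device is already patched.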
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 18 Apr 2025 03:50:12 +0000