Do Son 
Nearly 17,000 Fortinet devices connected to the internet have been found to be infected with a stealthy backdoor, granting attackers read-only access to sensitive files. These compromised systems include devices that had previously been breached and subsequently patched. Yet, despite the installation of security updates, unauthorized access to the file system remained available to the attackers.
The incident was reported by the Shadowserver Foundation. Initially, over 14,000 vulnerable devices were identified, but that number later rose to 16,620. According to a spokesperson from the organization, the threat propagated more rapidly than initially anticipated.
Fortinet recently informed its customers of a newly discovered covert persistence technique. In this method, an attacker creates a symbolic link (symlink) between the user and root file systems. This occurs within a directory intended for language files, which—on devices with SSL-VPN enabled—becomes automatically accessible from the internet. Through this manipulation, the attacker is able to view the entire file system’s contents, including configuration files, even if the underlying vulnerability has already been patched.
What makes this technique particularly insidious is that the modification occurs not in the system directory but within the user space, allowing it to evade detection by standard integrity checks. Consequently, even after FortiOS updates are applied, the vulnerability persists in the form of the lingering symbolic link, through which the attacker retains access to confidential data.
The origin of this threat traces back to a campaign launched in 2023, wherein hackers exploited multiple zero-day vulnerabilities to infiltrate FortiGate devices. In subsequent stages, the attackers adopted this persistence mechanism to maintain access. At present, Fortinet is reaching out directly to affected device owners via email, urging immediate remedial action.
In response, Fortinet has updated its antivirus and IPS signatures to detect and eliminate the malicious symlinks. Additionally, the latest firmware release blocks the web server from processing any files or directories not defined within the standard configuration.
Nevertheless, the compromise poses a significant risk of sensitive data leakage, including configuration files and stored credentials. As a precaution, Fortinet strongly advises resetting all login credentials and following the official security restoration guidelines with utmost diligence.
