Backdoors Never Die: 16,000+ Fortinet Devices Still Compromised with Sneaky Symlink Hack

-


 A chilling reminder that patching isn’t always the end of the story—over 16,000 Fortinet devices are still compromised by a crafty symlink backdoor, according to fresh insights from The Shadowserver Foundation.

This isn't your typical zero-day exploit. No fresh vulnerabilities here. Instead, attackers are using a persistence mechanism that lurks in the shadows after the original exploit has been patched. That’s right—patched but still exposed.

Here’s how it works:

  • Threat actors compromised FortiGate devices starting in 2023 using zero-days.

  • They planted symbolic links in the folder used to store SSL-VPN language files.

  • These symlinks quietly pointed back to the root filesystem.

  • Since language files are publicly accessible on FortiGates with SSL-VPN enabled, attackers retained read-only remote access to sensitive files—even after patching.

As of today, 16,620 Fortinet devices have been detected with this stealthy backdoor. And unless sysadmins take action, attackers still have a peephole into these systems.

Fortinet’s statement:

“This was achieved via creating a symbolic link... in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection.”

As threats grow more subtle and persistent, cybersecurity isn’t just about blocking the initial breach; it’s about digging out the roots after the fire is out.

Stay sharp, stay patched, and never trust a quiet filesystem


References: https://www.bleepingcomputer.com/news/security/over-16-000-fortinet-devices-compromised-with-symlink-backdoor/

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those...
Read more

Splunk: Cybersecurity Dynamics Rapidly Changing

-
Image
  A survey of 1,520 cybersecurity and IT leaders published today found more than half (52%) reporting their organization suffered a data breach in the past two years, with 62% experiencing monthly unplanned downtime attributable to a cybersecurity incident. The survey, conducted by Enterprise Strategy Group (ESG) on behalf of Splunk , also found that, on average, it takes 2.4 months to discover bad actors on corporate networks. Over a third (39%) of the respondents said cybersecurity incidents have directly harmed their competitive position, with 31% also noting those incidents have reduced shareholder value. As a result, cybersecurity budgets are increasing, with 95% of respondents reporting their security budgets will increase over the next two years, with 56% describing those increases as significant. The survey also found 81% of respondents are working for organizations that are converging aspects of their security and IT operations. Respondents believe this conver...
Read more

vSphere DR and Migration Improvements

-
Image
  Since introducing the support for dedicated vSphere clouds as a replication destination, we have extended the list of available features with every new release. This one is no exception and brings several significant improvements: Recovery Plans to define the failover order of the replicated VMs the same way it is done for VMware Cloud Director clouds Bandwidth throttling to enforce traffic limits on a specific network interface of the Tunnel appliance Public API, which was missing before.  In VMware Cloud Director Availability 4.3.1, we enabled migrating templates from one catalog to another in the same or a remote VMware Cloud Director cloud. In 4.6, we enhanced that feature to check for template changes and perform an automated migration if a modification is detected. It can result in overwriting the existing template at the destination catalog or creating a newer version. Along with all mentioned, we have also improved product management and operability.  For clouds...
Read more