FortiGate Devices Targeted by Persistent Symlink Backdoor: Over 16,000 Devices Compromised
FortiGate devices have become a target for cybercriminals due to a critical symlink vulnerability in FortiOS. With over 16,000 devices compromised globally, this backdoor attack has shown just how vulnerable network systems can be if not continuously monitored and updated. In this blog, we will explore the FortiGate symlink vulnerability in detail, how to detect it, and how to fortify your network against similar attacks.
What is the Symlink Vulnerability?
The symlink vulnerability in FortiGate devices allows attackers to bypass access restrictions and create unauthorized symbolic links that provide persistent access to system files. This exploit affects devices running FortiOS versions 6.4.x, 7.0.x, 7.2.x, and 7.4.x and can lead to unauthorized access to sensitive directories such as /etc/ and /root/.
Once attackers gain access, they can maintain read-only access to important configuration files, which can be used for further attacks or data extraction. The most troubling aspect of this vulnerability is its persistence, meaning even after patching, attackers can still maintain access.
How to Detect Symlink Exploits
Here’s a step-by-step guide to detecting the symlink exploit in your FortiGate devices:
Check Firmware Versions:
Ensure your system is updated by running:
sql
Copy
get system status
- If your version is older than the following, your system is vulnerable:
- FortiOS < 7.6.2
- FortiOS < 7.4.7
- FortiOS < 7.2.11
- FortiOS < 7.0.17
- FortiOS < 6.4.16
Identify Malicious Symlinks in SSL-VPN Files:
Use this command to check for suspicious symlinks:
bash
Copy
execute shell
ls -la /data/etc/tls/locallang/
2. Monitor VPN Logs for Suspicious Access:
Review the SSL-VPN logs for unusual login attempts and check for unauthorized users or unfamiliar IP addresses.
3. Scan for Suspicious Symlinks:
Run the following command to scan the entire filesystem for symlinks:
bash
Copy
find / -type l -ls 2>/dev/null | grep -E “../|/etc/|/root/”
4. Inspect Commonly Abused Folders:
Check for unusual files in folders that attackers commonly target:
bash
Copy
ls -la /data/lib/webssl/
ls -la /data/etc/tls/
What to Do Next:
If you discover any signs of exploitation, immediately take action:
- Disconnect the affected FortiGate devices from the internet.
- Reset all passwords and cryptographic keys.
Remove the malicious symlink using:
bash
Copy
rm -f /data/etc/tls/locallang/lang
3. Ensure that your device is running the latest firmware version—FortiOS 7.6.3 or later. Regular monitoring and periodic audits will help prevent similar attacks in the future.
The Importance of Proactive Cybersecurity
Between April 11 and April 16, 2025, a significant increase in compromised Fortinet devices was reported across various regions.
Asia has been hit the hardest, with nearly half of the affected devices located there, followed by Europe and North America, which account for a substantial portion of the total breaches. In contrast, regions like South America, Africa, and Oceania are less impacted, with smaller numbers of compromised devices.
In total, over 17,000 devices have been compromised, with the vast majority of these incidents occurring in just a few days, underscoring both the global scale and the swift escalation of this symbolic link attack.
Even though many organizations applied patches to fix the initial vulnerabilities, the malicious symlink remains active in many cases, allowing attackers persistent access to systems. This access may include sensitive files, such as configuration settings, credentials, and cryptographic keys. In some instances, it appears the attack could have started as early as 2023, suggesting that this campaign might have gone unnoticed for an extended period.
Security experts are urging organizations to take swift action to prevent further exploitation.