Thousands of Fortinet devices worldwide remain exposed after attackers installed a stealth backdoor that survived patches and updates, raising serious concerns over Fortinet’s device security practices.
A widespread security breach has compromised more than 16,600 Fortinet devices globally, according to new data released by The Shadowserver Foundation. The breach stems from the exploitation of a series of zero-day vulnerabilities in FortiOS, Fortinet’s proprietary operating system for its FortiGate firewall appliances.
The issue first came to light when BleepingComputer reported that over 14,000 devices were impacted. However, the number of affected devices has since increased, suggesting a far greater security lapse than initially understood.
How the Attack Happened
The backdoor was implemented through symbolic links (symlinks) placed within the devices’ language file folders. Normally, these folders are accessible to external users through SSL-VPN functionality. By creating symlinks from the language folders to the root filesystem, attackers secured persistent read-only access to sensitive configuration files, even if device firmware was later updated or vulnerabilities were patched.
According to The Register, the attackers exploited three known vulnerabilities, at least two of which have been previously tied to Void Typhoon, a Chinese state-backed cyber espionage group. This method allowed hackers to maintain a foothold in the system without needing to continually exploit new vulnerabilities.
Importantly, the symbolic links survived not only software upgrades but also standard mitigation efforts like factory resets. This persistence makes the breach particularly dangerous for organizations that believed standard recovery procedures would eliminate any latent threats.
Expert Insights
Benjamin Harris, CEO of security firm WatchTowr, emphasized the sophistication of the attack strategy, stating:
“We have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade, and factory reset processes organizations have come to rely on to mitigate these situations to maintain persistence and access to compromised organizations.”
This persistent threat model represents a significant evolution in how cyber adversaries maintain long-term access to corporate and government networks.
Fortinet’s Response
Fortinet has responded by:
- Issuing firmware updates to remove the symlink vulnerabilities.
- Rolling out updated Antivirus/Intrusion Prevention System (AV/IPS) signatures to detect compromised systems.
- Sending private email alerts to customers identified as affected.
However, the broader cybersecurity community remains critical. This event is not isolated — earlier this year, an emerging hacking group called the Belsen Group leaked sensitive configuration files and VPN credentials from over 15,000 FortiGate devices, further highlighting systemic issues in Fortinet’s product security lifecycle.
Why This Matters
The ongoing compromise of Fortinet devices poses significant risks for businesses, governments, and critical infrastructure organizations that rely on FortiGate appliances for network security. Attackers with even read-only access to configuration files can harvest VPN credentials, network layouts, and administrative information, potentially setting the stage for future, deeper attacks.
Moreover, the persistence of the backdoor, even after updates and resets, challenges long-held assumptions about the effectiveness of traditional remediation techniques, such as patching and factory resetting, in post-exploitation recovery.
What’s Next?
Organizations using Fortinet devices are urged to:
- Immediately apply the latest FortiOS firmware updates.
- Use Fortinet’s new AV/IPS detection tools to scan for symlink compromises.
- Review and rotate sensitive credentials (e.g., VPN logins, administrator passwords) stored or configured on any potentially affected device.
- Consider conducting forensic audits to ensure that attackers have not moved laterally into other systems.
As attackers continue to evolve, cybersecurity defense must also adapt beyond standard practices, focusing more on detection, investigation, and validation after incidents occur.
Would you also like me to prepare:
- A shorter “breaking news” version (~120 words)?
- A social media post summary (for LinkedIn/Twitter)?
- A bullet-point quick summary for internal briefings?