Dive Brief:
- The Shadowserver Foundation reported Saturday that more than 14,000 Fortinet devices across the globe have been compromised by a threat actor that exploited known vulnerabilities and deployed a symlink-based persistence mechanism.
- In a blog post last week, Fortinet warned that a threat actor had used older critical vulnerabilities, including CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762, to gain access to FortiGate devices and had used the persistence mechanism to maintain read-only access after the devices were patched.
- Fortinet warned that customer organizations that patched these older vulnerabilities may still be compromised, as the symlink modifications evaded the vendor's detections and persisted after updates. A symlink, or symbolic link, is basically a shortcut to a file.
Dive Insight:
Shadowserver's latest scans showed nearly 7,000 compromised Fortinet devices in Asia, with approximately 3,500 and 2,600 in Europe and North America, respectively. The countries with the most compromised devices are the U.S., Japan, Taiwan and China.
In the blog post, CISO Carl Windsor said the symlink mechanism was implanted in devices' user filesystems and provides read-only access to files, which "may include device configurations." The network security vendor noted that customers that never enabled SSL-VPNs are not affected by the threat activity.
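The persistence described above depends on a link placed in a user-writable part of the filesystem that resolves to files outside it. As an added example, not from the article or from Fortinet, the check below walks a directory tree and flags any symlink whose resolved target escapes that tree; it runs on a constructed temporary layout, and the directory names are assumptions, not a FortiGate's actual filesystem.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink under `root`
    whose resolved target lies outside `root`. Links that stay inside the
    tree are ignored; only links that reach out of it are reported."""
    root_real = Path(root).resolve()
    findings = []
    # followlinks=False (the default) lists symlinked dirs but does not descend into them
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()
            try:
                target.relative_to(root_real)  # inside the tree: benign
            except ValueError:
                findings.append((str(link), str(target)))
    return findings


def build_demo() -> list[tuple[str, str]]:
    """Construct a sample layout (assumed, not Fortinet's) and scan it.

    base/etc/config.conf      stands in for the device configuration
    base/user_fs/lang/...     stands in for the user-writable area
    """
    base = Path(tempfile.mkdtemp())
    (base / "etc").mkdir()
    (base / "etc" / "config.conf").write_text("constructed sample config\n")
    lang = base / "user_fs" / "lang"
    lang.mkdir(parents=True)
    (lang / "en.json").write_text("{}\n")
    # Benign link that stays inside the user-writable tree: must not be flagged
    os.symlink(lang / "en.json", lang / "alias.json")
    # Constructed illustration of the escaping link: must be flagged
    os.symlink(base / "etc", lang / "rootfs")
    return find_escaping_symlinks(str(base / "user_fs"))


if __name__ == "__main__":
    for link, target in build_demo():
        print(f"escaping symlink: {link} -> {target}")
```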
In an advisory on Friday, New Zealand's Computer Emergency Response Team (CERT NZ) said the threat activity involved "widespread exploitation" of Fortinet vulnerabilities going back to 2023. CERT NZ also warned the symlink mechanism may have given the threat actor access to highly sensitive data on Fortinet devices.
"The compromise may have allowed the actor to access sensitive files from compromised devices including credentials and key material," the CERT NZ advisory said.
Other government agencies also issued alerts regarding the Fortinet threat activity. France's Computer Emergency Response Team said the new post-exploitation technique has been used in wide-scale attacks in the country. "CERT-FR is aware of a massive campaign involving numerous compromised devices in France. During incident response operations, CERT-FR has learned of compromises occurring since early 2023," the agency said in its advisory.
Windsor said in the blog post that Fortinet communicated directly with customers that were affected by the threat activity. Fortinet released updates and mitigations that can detect and remove the symlink from devices' filesystems and prevent them from being redeployed.
However, CERT-FR emphasized that applying updates and removing the malicious symlink are "not sufficient in the event of a compromise." The agency urged such customers to isolate compromised devices from their networks and perform a "data freeze" to investigate the malicious activity; reset all secrets on affected devices, such as passwords and certificates; and reset all authentication secrets that may have been transmitted through the compromised devices.
Cybersecurity Dive contacted Fortinet for comment but the company has not responded.