CyberSecurity news

FlagThis - #fortinet

info@thehackernews.com (The@The Hacker News //
Fortinet has issued a critical patch for a severe SQL injection vulnerability affecting its FortiWeb product. Identified as CVE-2025-25257, the flaw resides within the Fabric Connector feature. This vulnerability allows an unauthenticated attacker to execute arbitrary commands and potentially gain access to sensitive information on affected systems. The issue stems from improper input sanitization, enabling attackers to manipulate SQL queries through specially crafted HTTP requests. The vulnerability has a high severity score of 9.8 out of 10, highlighting the significant risk it poses to organizations.

The vulnerability specifically impacts multiple versions of FortiWeb, including versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. The FortiWeb Fabric Connector acts as a crucial middleware, connecting FortiWeb web application firewalls with other Fortinet products for dynamic security updates. Attackers can exploit this flaw by sending malicious SQL payloads within HTTP Authorization headers, bypassing authentication controls and potentially leading to remote code execution. Researchers have demonstrated that this SQL injection can be escalated to achieve full system compromise by leveraging MySQL's INTO OUTFILE statement to write files to the server and executing them via Python scripts.

Given the critical nature of this vulnerability and the availability of proof-of-concept exploits, Fortinet strongly urges all users of affected FortiWeb versions to apply the provided patches immediately. Organizations should update to FortiWeb 7.6.4, 7.4.8, 7.2.11, 7.0.11, or later versions to mitigate the risk of exploitation. As a temporary workaround, disabling the HTTP/HTTPS administrative interface can also help reduce exposure until the patches can be applied. Swift action is crucial to prevent potential data breaches and unauthorized access to sensitive systems.

Recommended read:
References :
  • labs.watchtowr.com: Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) - watchTowr Labs
  • The Hacker News: Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)
  • arcticwolf.com: CVE-2025-25257: Critical Unauthenticated SQL Injection Vulnerability in FortiWeb
  • Talkback Resources: Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)
  • cyberpress.org: Fortinet FortiWeb Vulnerability Exploited for Remote Code Execution via Fabric Connector
  • Talkback Resources: Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) [app] [exp]
  • cyberpress.org: Cyberpress: Fortinet FortiWeb Fabric Connector Vulnerability Exploited to Execute Remote Code
  • Talkback Resources: Proof-of-concept exploits have been released for a critical SQLi vulnerability in Fortinet FortiWeb that can be used to achieve pre-authenticated remote code execution on vulnerable servers.
  • Arctic Wolf: CVE-2025-25257: Critical Unauthenticated SQL Injection Vulnerability in FortiWeb
  • hackread.com: Critical Vulnerability Exposes Fortinet FortiWeb to Full Takeover (CVE-2025-25257)
  • securityaffairs.com: Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb
  • gbhackers.com: Fortinet FortiWeb Fabric Connector Flaw Enables Remote Code Execution
  • Cyber Security News: Security researchers have identified a critical pre-authentication SQL injection vulnerability in Fortinet’s FortiWeb Fabric Connector, designated as CVE-2025-25257, that allows unauthenticated attackers to achieve remote code execution on affected systems.
  • gbhackers.com: Security researchers have identified a severe pre-authentication SQL injection vulnerability in Fortinet’s FortiWeb Fabric Connector, designated as CVE-2025-25257, that allows unauthenticated attackers to execute unauthorized SQL commands and potentially achieve remote code execution.
  • cert.europa.eu: On July 8, 2025, Fortinet released a security advisory addressing a critical vulnerability in its FortiWeb product that would allow an attacker to execute unauthorised code or commands on the affected systems.

@cyberpress.org //
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against critical U.S. infrastructure, with a notable 133% surge in activity observed during May and June 2025. The transportation and manufacturing sectors have been identified as the primary targets of these intensified operations. This trend aligns with ongoing geopolitical tensions, as well as recent warnings issued by U.S. authorities like CISA and the Department of Homeland Security, which highlighted U.S. entities as prime targets for Iranian cyber actors.

Nozomi Networks Labs reported a total of 28 distinct cyber incidents linked to Iranian APTs during May and June, a substantial increase from the 12 incidents recorded in the preceding two months. Among the most active groups identified are MuddyWater, which targeted at least five U.S. companies primarily in the transportation and manufacturing sectors, and APT33, responsible for attacks on at least three U.S. entities. Other groups such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice were also observed conducting attacks against U.S. companies in these critical industries.

The resurfacing of the Iranian-backed Pay2Key ransomware, now operating as Pay2Key.I2P, further highlights the evolving threat landscape. This ransomware-as-a-service operation, linked to the Fox Kitten APT group, is reportedly offering an 80% profit share to affiliates targeting Iran's adversaries, including the U.S. and Israel. This financially motivated scheme has also demonstrated an ideological commitment, with claims of over 51 successful ransom payouts, netting substantial profits. The use of the Invisible Internet Project (I2P) for its infrastructure represents a notable shift in RaaS operations, potentially enhancing its evasiveness.

Recommended read:
References :
  • industrialcyber.co: Nozomi Networks Labs reported a 133% spike in cyberattacks linked to well-known Iranian threat groups during May and...
  • cyberpress.org: Iranian APTs Launch Active Cyberattacks on Transportation and Manufacturing Industries
  • gbhackers.com: Iranian APT Hackers Targeting Transportation and Manufacturing Sectors in Active Attacks
  • Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • gbhackers.com: Nozomi Networks Labs cybersecurity researchers have reported a startling 133% increase in cyberattacks linked to well-known Iranian advanced persistent threat (APT) groups in May and June 2025, following current tensions with Iran.

info@thehackernews.com (The@The Hacker News //
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.

The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory.

The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities.

Recommended read:
References :
  • BleepingComputer: Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
  • The DefendOps Diaries: Fortinet's Swift Response to Zero-Day Exploits in FortiVoice Systems
  • BleepingComputer: Fortinet fixes critical zero-day exploited in FortiVoice attacks
  • Help Net Security: Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)
  • gbhackers.com: Gbhackers post on fortinet zero-day
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • malware.news: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: Arctic Wolf blog post on CVE-2025-32756
  • cert.europa.eu: 2025-019: Critical Vulnerabilities in Fortinet Products
  • RedPacket Security: Fortinet Products Multiple Vulnerabilities
  • securityaffairs.com: Fortinet fixed actively exploited FortiVoice zero-day
  • The Hacker News: Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems
  • www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
  • www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
  • socradar.io: Critical Vulnerabilities in Fortinet and Ivanti Products: Multiple Zero-Day Threats Addressed
  • Tenable Blog: CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • Virus Bulletin: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq
  • The Hacker News: Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers
  • www.microsoft.com: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog
  • Rapid7 Cybersecurity Blog: CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

Anna Ribeiro@Industrial Cyber //
Fortinet's FortiGuard Labs has revealed a multi-year, state-sponsored cyber intrusion targeting critical infrastructure in the Middle East. The intrusion, attributed to an Iranian APT group likely Lemon Sandstorm, began as early as May 2023, with potential traces back to May 2021, and went undetected for nearly two years. Attackers gained initial access through compromised VPN credentials, deploying multiple web shells and custom backdoors throughout the infrastructure.

This Iranian APT exhibited significant operational discipline, constantly rotating tools, infrastructure, and access methods to maintain their foothold. After gaining access, they installed backdoors such as HanifNet, HXLibrary, and NeoExpressRAT. The attackers used in-memory loaders for Havoc and SystemBC to avoid detection, plus custom loaders to execute malware directly in memory, avoiding disk-based detection.

Throughout the campaign, FortiGuard Labs identified at least five novel malware families, including HanifNet, NeoExpressRAT, HXLibrary, RemoteInjector, and CredInterceptor. The attackers also modified legitimate OWA JavaScript files to silently siphon credentials, disguising malicious scripts as legitimate traffic. The attackers used open-source proxy tools such as plink, Ngrok, Glider Proxy, and ReverseSocks5 to circumvent network segmentation.

Recommended read:
References :
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • industrialcyber.co: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
  • Virus Bulletin: Fortinet's IR team investigate an Iranian-led long-term intrusion on critical infrastructure in the Middle East. Attackers used stolen VPN creds, in-memory loaders for Havoc/SystemBC, and backdoors like HanifNet, HXLibrary, and NeoExpressRAT.
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign

Krista Lyons@OpenVPN Blog //
References: Blog , OpenVPN Blog
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.

Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw which can lead to code execution, as opposed to a denial-of-service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device’s boot process, allowing attackers with prior access to maintain control even after firmware updates.

Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed versions of firmware, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. With both SonicWall and CISA confirming the CVE-2021-20035 exploit, details about the attacks remain scarce.

Recommended read:
References :
  • Blog: Threat actors using new technique to exploit 2023 FortiOS flaw
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN

@hackread.com //
References: hackread.com , hunt.io ,
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.

Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink.

Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging.

Recommended read:
References :
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • hunt.io: KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor

@www.bleepingcomputer.com //
Fortinet has issued critical fixes following the discovery of a new method employed by cyber attackers to maintain access to FortiGate devices, even after patches were applied. The attackers are exploiting vulnerabilities such as FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015, creating a symlink that connects the user filesystem to the root filesystem within a folder used for SSL-VPN language files. This allows attackers to quietly read configuration files without triggering standard detection mechanisms. If SSL-VPN has never been enabled on a device, it is not affected by this vulnerability.

Fortinet has responded by launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to automatically detect and remove the symbolic link. Multiple updates have been released across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Customers are strongly advised to update their instances to these FortiOS versions, review device configurations, and treat all configurations as potentially compromised, taking appropriate recovery steps.

The Shadowserver Foundation reports that over 16,000 internet-exposed Fortinet devices have been compromised with this new symlink backdoor. This backdoor grants read-only access to sensitive files on previously compromised devices. CISA has also issued an advisory urging users to reset exposed credentials and consider disabling SSL-VPN functionality until patches can be applied. This incident underscores a worrying trend where attackers are designing backdoors to survive even updates and factory resets, highlighting the need for organizations to prioritize rapid patching and proactive security measures.

Recommended read:
References :
  • Cyber Security News: 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • systemweakness.com: Fortinet Warns of Persistent Access Exploit in FortiGate Devices
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • dashboard.shadowserver.org: Over 16,000 Fortinet devices compromised symlink backdoor
  • The Hacker News: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • cyberpress.org: Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts
  • cybersecuritynews.com: Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN
  • hunt.io: KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
  • gbhackers.com: RedGolf Hackers Linked to Fortinet Zero-Day Exploits and Cyber Attack Tools
  • Talkback Resources: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • Cyber Security News: Analysis of the exposed infrastructure linking RedGolf to exploitation tools.
  • gbhackers.com: Security researchers have linked the notorious RedGolf hacking group to a wave of exploits targeting Fortinet firewall zero-days.
  • securityonline.info: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN
  • cyberpress.org: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • cyble.com: IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit
  • Cyber Security News: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • securityonline.info: In a rare window into the operations of an advanced persistent threat, a KeyPlug-linked infrastructure briefly went live,
  • fortiguard.fortinet.com: FG-IR-24-435

@www.bleepingcomputer.com //
Over 16,000 Fortinet devices have been compromised due to a novel symlink backdoor, allowing attackers to maintain read-only access to sensitive files. This was reported by The Shadowserver Foundation. The attackers are exploiting known vulnerabilities in FortiGate devices, specifically targeting the SSL-VPN language file directory. By creating a symbolic link between the user filesystem and the root filesystem, attackers can bypass security measures and access critical files even after patches are applied.

Researchers observed that threat actors are leveraging a new method to exploit previously patched vulnerabilities in Fortinet's FortiOS, specifically targeting FortiGate VPN appliances. The original flaw, CVE-2023-27997, had a fix issued, but threat actors can still gain access by manipulating symbolic links during the device's boot process. This enables threat actors with prior access to maintain control over the device, even after firmware updates. The issue stems from how FortiOS handles file permissions and symlinks when restarting, allowing malicious files to persist and re-enable vulnerabilities that were supposedly fixed.

Fortinet has responded by releasing several updates and new security measures to block further attacks. These measures include launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to detect and remove the symbolic link automatically. Multiple updates have been issued across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Organizations are urged to upgrade to the latest secure versions to mitigate the risk.

Recommended read:
References :
  • www.cybersecuritydive.com: Fortinet warns of threat activity against older vulnerabilities
  • The Hacker News: The Hacker News article on Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • community.fortinet.com: Technical Tip : Recommended steps to execute in case of a compromise
  • BleepingComputer: Fortinet warns that threat actors use a post-exploitation technique
  • www.bleepingcomputer.com: Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
  • www.helpnetsecurity.com: HelpNetSecurity: FortiOS, FortiGate vulnerabilities
  • bsky.app: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • www.helpnetsecurity.com: Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices
  • www.bleepingcomputer.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
  • bsky.app: Fortinet has urged customers to install a recent FortiGate firmware update that mitigates a new technique abused in the wild. The technique allows attackers to maintain read-only access to FortiGate devices they previously infected.
  • www.scworld.com: Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
  • securityaffairs.com: Fortinet warns attackers can keep read-only access to FortiGate devices even after the original vulnerability is patched.
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • www.scworld.com: SCWorld brief on Fortinet FortiGate fixes circumvented by symlink exploit
  • The Register - Security: Old Fortinet flaws under attack with new method its patch didn't prevent
  • MSSP feed for Latest: Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit Fortinet Finds Attackers Maintain Access Post-Patch via SSL-VPN Symlink Exploit
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
  • ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • securityonline.info: Fortinet Uncovers Threat Actor Persistence via Symbolic Link Exploit in FortiGate Devices
  • ciso2ciso.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access – Source:hackread.com
  • Blog: Threat actors have been observed leveraging a new method to exploit a previously patched vulnerability in Fortinet’s FortiOS operating system—specifically targeting FortiGate VPN appliances. Although Fortinet issued a fix for the original flaw (CVE-2023-27997), researchers found that threat actors can still gain access by manipulating symbolic links (symlinks) during the device’s boot process.
  • BleepingComputer: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
  • bsky.app: Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • The DefendOps Diaries: Fortinet Devices Under Siege: Understanding the Symlink Backdoor Threat
  • www.cybersecuritydive.com: Over 14K Fortinet devices compromised via new attack method