New SSL-VPN Symlink Vulnerability Allows Stealthy FortiGate Breach

Fortinet, a prominent cybersecurity firm, has issued a critical advisory warning users of a newly discovered exploit that allows attackers to maintain unauthorized, read-only access to FortiGate devices, even after security patches have been applied. The vulnerability stems from a symbolic link (symlink) abuse within the SSL-VPN feature, enabling stealthy access and posing a major security risk.

How the Exploit Works

The attack revolves around symlinks, which are shortcuts that point to other files or directories. In Unix-based systems, symlinks allow users or programs to access files indirectly. While this function is intended for convenience, attackers have discovered a way to exploit it.

Here’s how:

Initial Access is gained through older, known vulnerabilities, including:

1. CVE-2022-42475
2. CVE-2023-27997
3. CVE-2024-21762

These flaws enable remote code execution and full compromise of FortiGate devices without authentication. While Fortinet has patched these issues, attackers are using them to establish a foothold.

Once inside, attackers create symlinks in directories used by SSL-VPN, specifically in VPN language file locations. These directories are writable by users and often overlooked by system monitors.

The symlinks are carefully crafted to point to protected configuration files, giving attackers persistent, read-only access to sensitive information—even after the original vulnerabilities are patched.

Why It’s So Hard to Detect

This exploit is particularly dangerous due to its stealthy nature. The symlinks are placed in legitimate-looking locations, making them difficult to detect. Since FortiGate appliances typically lack endpoint detection and response (EDR) agents, malicious files or backdoors can easily go unnoticed.

The use of read-only access also helps attackers remain under the radar, as they’re not making changes that might trigger alerts. They simply monitor and collect critical data.

Who Is at Risk?

Devices affected by this exploit are limited to those with SSL-VPN functionality enabled. Organizations in critical infrastructure sectors have already reported suspicious activity linked to this vulnerability. Those who do not use SSL-VPN features remain unaffected.

Impact and Potential Damage

While the attacker’s access is technically limited to "read-only," the implications are significant. By accessing:

• User credentials
• Network configurations
• Security and access policies
• Internal topology maps

…the attacker can build a blueprint for lateral movement, launch phishing campaigns, or prepare future attacks with elevated privileges.

Indicators of Compromise (IOCs)

• Unauthorized symlinks in directories associated with VPN language files.
• Symlinks connecting user-accessible file systems to the root-level configuration files.

If you are a System administrator you should actively scan for these artifacts, especially in environments where the SSL-VPN feature is active.

Fortinet’s Recommendations

To mitigate the risk and limit exposure:

1. Update antivirus and IPS signatures to the latest versions, as Fortinet has rolled out specific detection patterns for this attack.
2. Scan and remove malicious symlinks if present on FortiGate devices.
3. Reset all potentially exposed passwords and secrets.
4. Audit SSL-VPN logs and activity for unusual behavior.

Key Takeaways

This exploit is a clear example of how attackers adapt and evolve. Even after applying patches for known vulnerabilities, your systems may remain vulnerable if proper post-patch auditing and monitoring aren’t in place.

Organizations relying solely on patch management may be operating under a false sense of security. Persistent threats like these require a multi-layered defense strategy that includes:

• Regular system audits
• Continuous monitoring for IOCs
• Deactivation of unused VPN features
• Deployment of advanced EDR tools

Stay Ahead of Threats

Cyberattacks are becoming more sophisticated and persistent. The FortiGate symlink exploit proves that attackers don’t need full control—they just need a way in. If left unchecked, even read-only access can pave the way for catastrophic breaches.

Take action now. Secure your FortiGate devices, review your configurations, and adopt proactive threat monitoring. Don’t wait for a breach to remind you of what could’ve been prevented.

Need help hardening your network? Our certified security experts at SiteLock specialize in vulnerability detection, response, and long-term security solutions. Let’s secure your infrastructure—before it’s too late.