HIGH: Fortinet Warns of Persistent Access Technique That Survives Even After Patching

Fortinet dropped an advisory this week that should concern anyone responsible for network security appliances. The company has discovered that threat actors are using a clever symlink-based persistence technique that allows them to maintain read-only access to FortiGate devices even after organizations have patched the vulnerabilities that gave attackers initial entry. You read that correctly. Patching alone may not be enough to evict these intruders.

The technique exploits how FortiOS handles user-accessible files in the SSL-VPN language directory. Attackers who gain initial access through any of the recent FortiGate vulnerabilities, and there have been several serious ones over the past year, create symbolic links that connect the user filesystem to the root filesystem. Because the language files directory serves content to users connecting via SSL-VPN, these symlinks survive firmware updates and configuration resets. The attacker retains passive access to read sensitive files including configurations and credentials without needing to re-exploit the device.

Fortinet has attributed this activity to a threat actor they have tracked since at least early 2025, though the company has not publicly named the group or provided detailed attribution. What they have confirmed is that the technique was observed across multiple customer environments where the attackers had previously exploited CVE-2024-55591, the authentication bypass vulnerability that was actively exploited starting in December 2024, or CVE-2024-21762, the out-of-bounds write flaw that CISA added to its Known Exploited Vulnerabilities catalog in February 2025.

The implications for incident response are significant. Standard remediation playbooks typically focus on patching the vulnerability, resetting credentials, and monitoring for signs of continued access. If attackers have established symlink persistence in the language files directory, those steps miss the actual problem. The malicious links remain in place, quietly providing filesystem access that traditional detection methods are not designed to identify.

Fortinet has released updated firmware versions that remove the malicious symlinks during the upgrade process. FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 all include remediation for this issue. However, organizations need to do more than just apply the update. Fortinet recommends reviewing device configurations for unexpected entries, examining the SSL-VPN language files directory for suspicious symlinks, and resetting all credentials that may have been exposed during the period of compromise. For organizations that were running vulnerable firmware versions during the exploitation window, assume the attackers obtained your configuration files and plan accordingly.

The persistence technique itself is elegant in its simplicity. Symbolic links are a fundamental filesystem concept, not an exploit or a piece of malware. They are difficult to detect because they look like normal filesystem operations. The language files directory is a legitimate component of the SSL-VPN functionality, so its contents do not trigger the same scrutiny that suspicious binaries or scripts would. Attackers are increasingly turning to these kinds of living-off-the-land techniques precisely because they blend into normal system behavior.

This disclosure comes at a challenging time for Fortinet customers. The company has faced a string of critical vulnerabilities over the past 18 months, including multiple authentication bypasses and remote code execution flaws that saw rapid exploitation in the wild. Each new vulnerability has brought a fresh wave of compromises, and now organizations are learning that even diligent patching may not have fully remediated those incidents.

The FortiGate product line occupies a significant position in enterprise network infrastructure. These devices often sit at network perimeters, handling VPN connections for remote workers and providing firewall services for entire organizations. Compromise of a FortiGate appliance gives attackers visibility into network traffic, access to authentication credentials, and a potential pivot point for further lateral movement. The persistence technique Fortinet disclosed extends that access window indefinitely unless specifically remediated.

For security teams managing FortiGate deployments, the immediate priority should be confirming your firmware version and updating if necessary. The specific versions that include the symlink cleanup are FortiOS 7.6.2 or later, 7.4.7 or later, 7.2.11 or later, 7.0.17 or later, and 6.4.16 or later for organizations still running the 6.4 branch. After updating, verify that the remediation was successful by checking for unexpected files or links in the SSL-VPN directories.

Beyond the immediate patching, organizations should treat any FortiGate device that was running vulnerable firmware as potentially compromised. This means rotating credentials that the device had access to, reviewing logs for signs of unauthorized access, and considering whether attackers may have pivoted to other systems during the window of exposure. The persistence mechanism Fortinet disclosed gave attackers read access to sensitive files. What they did with that information depends on the specific threat actor and their objectives.

The broader lesson here applies beyond Fortinet products. Network appliances and security devices are increasingly targeted by sophisticated adversaries because of the privileged position they occupy in enterprise architectures. These devices often receive less security scrutiny than traditional endpoints, may not support the same monitoring and detection capabilities, and can be difficult to forensically examine when compromises do occur. When vendors disclose that threat actors are using novel persistence techniques against their products, organizations need to update their incident response playbooks accordingly.

Fortinet deserves credit for disclosing this technique and providing remediation guidance. However, the disclosure also raises questions about how long attackers have been using this method and how many organizations remain compromised without knowing it. If your FortiGate devices were vulnerable at any point over the past year, this is not a drill. Check your firmware versions today.