Hackers Exploit Symlinks to Access Patched FortiGate VPNs

In a deeply concerning development for cybersecurity professionals and enterprises relying on Fortinet’s firewall solutions, threat actors have found a method to retain access to FortiGate VPN appliances even after they have been patched. Leveraging symbolic links (symlinks), these attackers are exploiting past vulnerabilities in a way that allows them to persist on compromised systems long after the original exposures have been addressed.

The Background: FortiOS Vulnerabilities Targeted

Earlier this year, Fortinet issued patches addressing CVE-2022-42475—a severe vulnerability that had been exploited in the wild by nation-state and financially motivated threat groups. The bug involved a heap-based buffer overflow in FortiOS SSL-VPN appliances that allowed remote code execution without needing authentication.

Despite mitigations and updates rolled out by Fortinet, new activity reveals that attackers who had already infiltrated targets are maintaining long-term access by leveraging symlink-based bypasses. In effect, these hackers have weaponized a stealth technique that goes unnoticed by many traditional detection mechanisms.

What are Symlinks and How are They Being Exploited?

Symbolic links, commonly referred to as symlinks, are essentially pointers or references that direct an operating system to files or directories elsewhere in the filesystem. While symlinks themselves are not inherently malicious, they have long been used by attackers to manipulate system behavior.

According to cybersecurity researchers from Mandiant, threat actors create symlinks within the compromised FortiGate VPN system to redirect legitimate service scripts to malicious payloads. Here’s how the method works in simplified terms:

• Step 1: Attackers gain initial access using a now-patched vulnerability.
• Step 2: Before deploying persistence mechanisms, they create symlinks linking key directories or binaries to malicious versions.
• Step 3: Even after the system is patched and the original exploit is closed, the symlinks allow the attacker’s malware or unauthorized processes to persist and reactivate upon system reboot or configuration changes.

In many cases observed, these symlinks linked benign-looking system logs and utilities to trojanized binaries, effectively evading suspicion even during forensic analysis.

Persistence Leads to Undetected Threat Retention

The use of symlink-based persistence is particularly insidious because it survives common system updates and reboots. Organizations who believe they’re protected post-patch could in fact still harbor backdoors on their FortiGate devices. Some key challenges this introduces include:

• Limited visibility: Security tools may not scan for or alert on symbolic link redirection unless explicitly configured to do so.
• Clean patch fallacy: Administrators often assume that applying a patch fully neutralizes a breach. If the attacker has already set up a persistence mechanism, patching alone does nothing to address it.
• Advanced implant deployment: Malware hidden behind symlinks can be designed to only activate under certain conditions, remaining dormant for months before triggering malicious action.

Mandiant’s researchers have found that some of the attackers modified FortiGate’s internal validation services to allow arbitrary code execution, relying on carefully hidden symlinks in directories rarely examined during audits.

Indicators of Compromise (IOCs)

Given the stealthy nature of this attack vector, identifying compromised systems requires careful forensic analysis. Here are some tell-tale indicators of compromise reported by incident response teams:

• Unusual symlink behavior — Symlinks pointing to binaries within non-standard directories like `/data/` or `/var/` rather than system defaults.
• Log modification — Logs that appear unusually sparse, corrupted, or have gaps indicating tampering.
• Unauthorized scripts — Presence of shell scripts in file paths that should not contain user-editable files.
• Encrypted configuration files — Unexpected AES-encrypted credentials found in memory dumps or disk images.

Threat actors are also known to alter file system timestamps to obfuscate the timeline of infection, so relying on file age or creation dates is considered unreliable in these scenarios.

Who is Behind These Attacks?

While Fortinet has not publicly disclosed the identities of the threat actors behind the symlink exploitation, researchers believe that these operations are the work of advanced persistent threat (APT) groups. The techniques used are far beyond ordinary malware kits or script kiddie-level tools.

Specific indicators—such as the use of custom-built implants, stealth monitoring of SSL sessions, and advanced network evasion—point toward state-sponsored entities with interest in long-term espionage or network footholds.

How Enterprises Can Protect Themselves

With threats evolving even after vendors issue patches, organizations relying on FortiGate or other VPN appliances need to reevaluate their security postures. Here are some proactive measures to consider:

1. Conduct a Full Compromise Assessment

Organizations should perform in-depth forensic examinations of their systems, specifically focusing on:

• Manual inspection of symlinks within FortiOS
• Analysis of unknown or unexpected modifications in system binaries
• Verification of system and admin accounts for rogue user creation

2. Rebuild or Reimage Systems

In heavily targeted environments, a full reimage of the appliance followed by a reconfiguration is often the safest route. Without this, hidden backdoors may persist beyond an administrator’s visibility.

3. Apply Layered Security Controls

It’s wise to implement endpoint detection and response (EDR) or extended detection and response (XDR) tools alongside robust configuration management tools that periodically audit for changes to the system file structure.

4. Stay Informed and Reactive

Vendors like Fortinet frequently release threat advisories, patches, and best practices. Make sure that your organization:

• Subscribes to vendor alerts and threat intelligence feeds.
• Validates cyber hygiene policies regularly.
• Participates in industry sharing groups like ISACs where new threats are exchanged.

Conclusion

The continued exploitation of FortiGate devices—even after vulnerabilities are patched—serves as a sobering reminder of how determined threat actors can bypass conventional defenses. The use of symlinks as a persistence technique proves both technically clever and operationally effective for maintaining unauthorized access without alerting defenders.

For enterprises, this highlights the importance of recognizing that patching is not the finish line; it’s only the beginning. Proactive forensics, configuration auditing, and the use of adaptive defense technologies are essential in today’s evolving threat landscape.

As attackers find increasingly evasive vectors to exploit infrastructure, defenders must remain equally innovative in their identification and response protocols.

Stay ahead. Stay secure.