Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit

A major cyberattack has compromised more than 17,000 Fortinet devices globally, exploiting a sophisticated symbolic link persistence technique.

The incident marks a rapid escalation from early reports, which initially identified approximately 14,000 affected devices just days ago. Security experts believe the number may continue to rise as investigations progress, as reported by Cyber Security News.

The cyberattack targets previously disclosed vulnerabilities in Fortinet’s widely used FortiGate products, including critical flaws identified in recent years.

After breaching the devices, attackers leveraged a symbolic link (symlink) trick: by linking the user filesystem to the root filesystem—specifically within a directory used by the SSL-VPN language files—they maintained illicit, read-only access to sensitive system files and configurations.

Crucially, this malicious symlink was stored in the user filesystem, an area not typically wiped out during routine firmware updates.

That means even organizations that have patched their devices for the original ...