Fortinet alert: Patch FortiGate SSL-VPN exploits. Hackers used symlinks to retain access post-patch. Reset credentials now. #CISA advisory

Continue reading
A newly disclosed Fortinet advisory reveals that hackers have maintained stealthy, persistent access to compromised FortiGate devices even after organizations patched the initial vulnerabilities used in the attacks.** The campaign, active since early 2023, underscores growing concerns over advanced post-exploitation techniques targeting network infrastructure.
Threat actors exploited known flaws, including critical CVEs like CVE-2022-42475 (a remote code execution bug) and CVE-2023-27997 (a heap overflow vulnerability), to create a symbolic link (symlink) between FortiGate’s user file system and root file system. This symlink, hidden in folders hosting SSL-VPN language files, granted attackers read-only access to sensitive configurations and system data.
Fortinet confirmed that the symlink persisted even after initial vulnerabilities were patched, enabling continued surveillance. Devices with SSL-VPN functionality enabled are exclusively at risk.
The company rolled out urgent FortiOS updates to eliminate the threat:
Fortinet advises all users to:
The U.S. CISA and France’s CERT-FR issued parallel advisories, urging organizations to:
Benjamin Harris, CEO of cybersecurity firm watchTowr, warned The Hacker News that adversaries are exploiting vulnerabilities faster than companies can patch. “Attackers deploy backdoors designed to survive patches, upgrades, and even factory resets,” Harris said, noting impacts on critical infrastructure sectors.
Fortinet has notified affected customers directly, though the campaign’s global, non-targeted nature complicates attribution. Organizations must prioritize:

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.