So… turns out one of the leading enterprise security products forgot the “security” part. More than 16,000 Fortinet devices exposed to the internet have been found carrying a persistent symlink backdoor—one that grants read-only access to sensitive files.
Think of it like your firewall handing out backstage passes to anyone named “admin,” no questions asked.
This isn’t about some flashy new zero-day. Attackers are building on old breaches from 2023 and 2024. They’ve been slipping symbolic links into the language files folder, giving themselves access to the root file system—especially on systems with SSL-VPN enabled. Even after you patch the original flaw, the door stays open.
It’s the cybersecurity equivalent of hiring someone to watch your house, and they just move in.
Fortinet’s response? They’re sending out warnings and pushing tools to detect and clean up the mess. Oh, and they strongly suggest resetting all your credentials—just in case the attackers grabbed your config files.
Picture your firewall with a side hustle leaking sensitive data. Not great.
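The backdoor described above comes down to a symlink that sits inside a served folder and resolves outside it, so a useful check is to list every link under a directory whose target escapes that directory. This is an added example, not Fortinet's detection tooling and not code from the original post; it assumes you are scanning a mounted or extracted copy of a filesystem, and the `lang` folder name and the sample links are constructed placeholders.

```python
import os
import tempfile


def find_escaping_symlinks(root):
    """List (link, raw_target, resolved_target) for links under root that resolve outside it."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: report links, never traverse through them while scanning.
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            raw = os.readlink(path)
            # Relative targets are resolved against the link's own directory.
            resolved = os.path.realpath(os.path.join(dirpath, raw))
            if os.path.commonpath([root_real, resolved]) != root_real:
                findings.append((os.path.relpath(path, root_real), raw, resolved))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample data: a stand-in folder with one benign and two escaping links."""
    lang = os.path.join(base, "lang")  # hypothetical folder name
    os.makedirs(os.path.join(lang, "sub"))
    with open(os.path.join(lang, "en.json"), "w") as fh:
        fh.write("{}")
    os.symlink("en.json", os.path.join(lang, "default.json"))  # stays inside
    os.symlink("/", os.path.join(lang, "xx"))  # resolves to the filesystem root
    os.symlink("../../outside.txt", os.path.join(lang, "sub", "yy"))  # dangling, escapes
    return lang


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, raw, resolved in find_escaping_symlinks(build_sample_tree(tmp)):
            print(f"{link} -> {raw} (resolves to {resolved})")
```

Because the link lives on disk, this kind of check looks at the filesystem itself and does not depend on which firmware version is installed.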