FortiGate’s SSL-VPN Symlink Backdoor Persists Post-Exploitation

🧠 TL;DR

Just because you patched your FortiGate firewalls doesn’t mean you’re safe. Attackers are using a sneaky post-exploitation trick—placing symbolic links in the SSL-VPN language directory—to retain read-only access to the entire filesystem. This technique allows them to slurp up your config files, VPN credentials, network maps, and more… all through the web portal. It’s persistent, stealthy, and has been exploited since early 2023. Unless you’ve upgraded to specific FortiOS versions, you might still be compromised—no matter how many CVEs you’ve patched.

🔍 The Trick: A Symlink Trojan Horse

After breaking in using major Fortinet vulnerabilities—CVE-2022-42475, CVE-2023-27997, or CVE-2024-21762—attackers quietly drop a symbolic link in a folder meant for SSL-VPN language files. This isn’t random: it’s a strategic move.

This symlink points to the root ( / ) of the device’s filesystem. From there, they don’t need shell access or fancy malware. They just make HTTP requests to the SSL-VPN web interface, using paths that start with /lang/ but sneakily reach into the full system. If SSL-VPN is turned on (and it usually is), attackers get persistent read-only access to configs, credentials, and more.

And here’s the kicker: patching the original RCE vulnerability doesn’t remove the symlink.

📅 Timeline of Trouble

• Early 2023: CERT-FR sees signs of widespread exploitation.

• Mid-2023: Fortinet customers start patching the headline CVEs.

• April 2025: Fortinet issues specific FortiOS updates (7.6.2, 7.4.7, etc.) to detect and remove the symlink artifact.

• Today: Many devices may still harbor this backdoor, even if fully patched for the CVEs.

💣 What’s at Risk?

Read-only access sounds harmless, right? Not when it gives up your:

• 🔐 VPN & Admin Credentials (some in plaintext, others hashed)

• 🗺️ Network Diagrams & Firewall Rules

• 🔑 API keys, PSKs, service credentials

• 🔎 Recon data for lateral movement

• ⚖️ Regulatory exposure (HIPAA, PCI-DSS, GDPR)

The symlink acts like a remote-controlled telescope into your FortiGate. Attackers don’t need a C2 server—they’re already reading your secrets through your own portal.

🧬 Attack Chain Breakdown

1. Exploit RCE CVE (like 2024-21762)
2. Drop symlink into the /lang/ directory
3. Patch applied? Too bad. Symlink stays.
4. Access via SSL-VPN panel and pull critical data
5. Use stolen creds for VPN logins, lateral movement
6. You notice… nothing

🚨 Who Should Panic? (Everyone,  duh)

Sectors especially at risk:

• Government (espionage targets)

• Critical Infrastructure (Volt Typhoon loves you)

• Healthcare & Finance (compliance nightmares)

• Service Providers & MSPs (supply chain vectors)

If your SSL-VPN was ever exposed on a vulnerable FortiGate—and you haven’t installed FortiOS 7.6.2 (or similar)—assume compromise.

🛡️ What to Do Right Now

✅ Patch Properly

Upgrade to one of the following FortiOS versions:
7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16
These remove the symlink and block the attack vector.

🔐 Reset All Credentials

Admin passwords, VPN users, API keys, certificates, SNMP strings… everything. Treat it like a full credential leak.

🧾 Review Configurations

Hunt for shady changes, rogue accounts, altered VPN settings, or odd scheduled tasks.

🔍 Monitor Everything

• Enable real-time filesystem integrity checks (Log ID 20231 is your friend)

• Audit access to /lang/ via SSL-VPN

• Watch for lateral movement from FortiGate

🚫 Disable SSL-VPN Temporarily

Can’t patch yet? Disabling SSL-VPN entirely cuts off access via the symlink. But this is a stopgap—not a fix.

🎯 Bottom Line

This isn’t just another patch cycle. It’s a stealthy persistence technique that’s already been live for over a year in real-world attacks. It bypasses traditional detection, survives reboot and patching, and leaves your network blueprint exposed.

Patch smarter. Audit deeper. Assume compromise.

Told you it was deep.