Thousands of Fortinet devices compromised: hackers lurk after previous breaches


Hackers retain access to over 14,000 Fortinet VPNs, public scans by Shadowserver Foundation have revealed. And they could’ve been lurking for years, leaving sensitive data at risk.

Cybercriminals keep read-only access to sensitive Fortinet files after previous breaches, even when patches were applied, the company announced last week.

The compromised devices are FortiOS products with SSL-VPN functionality that were exposed in previous breaches dating back as early as 2023. Fortinet is a major cybersecurity company and firewall vendor.


Authorities worldwide warn that hackers can access sensitive files, including credentials, configurations, and key material from compromised devices.


Shadowserver Foundation scans discovered around 14,300 infected Fortinet devices publicly exposed to the internet. The largest share, around 1,500, is in the US, followed by Japan (600), Taiwan (600), China (500), and France (500).

Over three hundred compromised FortiOS devices were also discovered in Thailand, Turkey, Israel, Italy, Canada, India, Spain, Indonesia, and Malaysia.

Attention! Check your Compromised Website Report for critical events tagged “fortinet-compromised” and follow Fortinet's mitigation advice on compromised devices: fortinet.com/blog/psirt-b... Data available from 2025-04-11+ shadowserver.org/what-we-do/n...


The Shadowserver Foundation (@shadowserver.bsky.social), April 12, 2025 at 3:15 PM

Citing the company's advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) urges network administrators to upgrade Fortinet devices to the new FortiOS versions, which remove the malicious files and prevent re-compromise.

CISA also recommends reviewing configurations, resetting potentially exposed credentials, or even considering disabling SSL-VPN functionality until the patch is applied.

“Treat all configuration as potentially compromised,” the National Cyber Security Centre of New Zealand warns.


Many Fortinet administrators have yet to patch their devices against another critical authentication bypass vulnerability (CVE-2024-55591), which has a severity rating of 9.8 out of 10. It was disclosed and fixed on January 14th, 2025. Shadowserver still tracks over 30,000 Fortinet devices affected by this flaw.

How do the hackers maintain persistence?

Fortinet explains that threat actors are using a post-exploitation technique: after gaining access through previously known Fortinet vulnerabilities, including CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475, they create malicious files on the device.

They create a “symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN.” So, even if the system was updated later and the vulnerability was fixed, the symbolic link stayed there and acted as a shortcut to sensitive parts of the system.

Because the modification lives in the user filesystem rather than in the patched system files, it also evades detection.

“Even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations,” Fortinet’s advisory reads.

Only systems that never had SSL-VPN enabled can be considered unaffected.
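As an added illustration from the defender's side (not code from the article, from Fortinet, or from Shadowserver), the following Python script walks a directory that is meant to serve static files and reports any symbolic link whose resolved target leaves that directory, which is the shape of the persistence described above. The article does not give the FortiOS paths involved, so the script builds a constructed temporary tree instead of touching real device paths.

```python
import os
import tempfile


def find_escaping_symlinks(served_dir):
    """Return (link_path, resolved_target) for every symlink under served_dir
    whose target resolves outside served_dir. Links that stay inside the
    served tree are treated as benign and skipped."""
    root = os.path.realpath(served_dir)
    findings = []
    # followlinks=False: a symlink to a directory is listed but not descended,
    # so a link into a huge tree cannot make the scan wander off.
    for dirpath, dirnames, filenames in os.walk(served_dir, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath avoids the string-prefix mistake where
            # /srv/lang-evil would count as "inside" /srv/lang.
            if os.path.commonpath([root, target]) != root:
                findings.append((path, target))
    return findings


def build_demo():
    """Construct a throwaway tree (constructed sample data, not real device
    paths): a legitimate language file, a benign in-tree symlink, and one
    symlink that escapes into a directory standing in for the root filesystem."""
    base = tempfile.mkdtemp()
    served = os.path.join(base, "lang")     # stands in for the served folder
    private = os.path.join(base, "rootfs")  # stands in for the root filesystem
    os.makedirs(served)
    os.makedirs(private)
    with open(os.path.join(served, "en.json"), "w") as fh:
        fh.write("{}")
    with open(os.path.join(private, "config.conf"), "w") as fh:
        fh.write("constructed sample config\n")
    os.symlink("en.json", os.path.join(served, "default.json"))  # benign
    os.symlink(private, os.path.join(served, "theme"))           # escapes
    return served, private


if __name__ == "__main__":
    served, _ = build_demo()
    for link, target in find_escaping_symlinks(served):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

Run against a real served directory, a non-empty result is the signal to investigate; an empty result only says no escaping symlink is present, not that the device is clean.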

Fortinet also said it performed scans to identify compromised devices using internal telemetry and in collaboration with third-party organizations. The company also communicated directly with identified customers.

“It is critically important for all organizations to keep their devices up to date. A variety of government organizations have reported that state-sponsored threat actors are targeting all vendors, including known but unpatched vulnerabilities,” Fortinet warns.

France’s national cybersecurity response team (CERT-FR) said it is aware “of a massive campaign” that compromised a large number of devices in France, with the first attacks dating back to the beginning of 2023.
