We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Fortinet Backdoor: Over 16,000 Devices Affected

Husain Parvez, Cybersecurity Researcher. First published on April 20, 2025.

More than 16,000 Fortinet devices globally have been found to be compromised with a persistent symlink backdoor. The backdoor allows read-only access to sensitive configuration files even after patching. The count, initially reported as 14,000 devices, has since climbed to over 16,620 according to The Shadowserver Foundation, exposing a wide-scale security oversight in FortiGate firewall management.

As BleepingComputer first reported, the issue stems from attacks dating back to 2023 in which threat actors exploited zero-day vulnerabilities in FortiOS. In these attacks, they created symbolic links in the language files folder that pointed to the root file system on devices with SSL-VPN enabled. With SSL-VPN enabled, the language files were publicly accessible, allowing threat actors to use the symbolic link to gain persistent read access to the root file system.

This move effectively granted remote access to a device’s root file system without the need for active exploitation of a current vulnerability. The symbolic links persisted even after software updates.
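The mechanism described above comes down to a symbolic link inside a publicly served folder that resolves outside that folder. The following check is an added example, not code from the article or from Fortinet; it runs on a constructed directory tree with hypothetical folder names and shows how a defender can audit any served directory for such links.

```python
import os
import tempfile


def find_escaping_symlinks(served_root):
    """Return (link, resolved_target) for each symlink under served_root
    whose target resolves outside served_root."""
    root = os.path.realpath(served_root)
    findings = []
    # followlinks=False: never descend through a link while auditing it.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # A target outside the served root shares a shorter common path.
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def build_constructed_tree(base):
    """Constructed sample: a served 'lang' folder holding one benign link
    and one link to the filesystem root. All names are hypothetical."""
    served = os.path.join(base, "lang")
    os.makedirs(os.path.join(served, "en"))
    with open(os.path.join(served, "en", "strings.json"), "w") as fh:
        fh.write("{}")
    # Benign: the link stays inside the served folder.
    os.symlink(os.path.join(served, "en"), os.path.join(served, "default"))
    # Suspicious: the link points at the filesystem root.
    os.symlink(os.sep, os.path.join(served, "xx"))
    return served


def demo():
    with tempfile.TemporaryDirectory() as base:
        return find_escaping_symlinks(build_constructed_tree(base))


if __name__ == "__main__":
    for link, target in demo():
        print(f"symlink escapes served root: {link} -> {target}")
```

A link like this is data on disk rather than a code flaw, which is why fixing the originally exploited vulnerabilities does not by itself remove it.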

Further insight from The Register revealed that these symlinks were crafted using three known vulnerabilities, two of which were previously exploited by the Chinese-backed Void Typhoon group.

“We have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade and factory reset processes organizations have come to rely on to mitigate these situations to maintain persistence and access to compromised organizations,” said Benjamin Harris, CEO of WatchTowr.

In response, Fortinet has rolled out firmware updates and an updated AV/IPS signature to detect and remove the symlink. Private email alerts have also been sent to impacted clients.

Just this year, we reported a breach where the newly surfaced “Belsen Group” leaked configuration files and VPN credentials from over 15,000 FortiGate devices. The scale and persistence of these attacks highlight potential issues in Fortinet’s approach to cybersecurity.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.
