“The supreme art of war is to subdue the enemy without fighting.”
Sun Tzu
Turns out, the enemy didn’t even have to fight. The Fortinet symlink exploit gave them exactly what they needed: persistent access, no brute force required.
In this latest breach, attackers didn’t break in twice; they never left. Despite public patches, thisexploit has left customers exposed. What was supposed to be a cleanup turned out to be a cover-up, and now, we’re seeing the fallout.
The Sneaky Trick: Attackers used a symbolic link (symlink) inside a directory used for language files. It quietly connected the user and root filesystems, giving them read-only access.
The “Patch”: Fortinet issued updates but didn’t remove the malicious symlink. Result? Persistence. Even patched systems remained vulnerable.
The Big Caveat: If SSL-VPN was never enabled, you’re safe. But if it was, and you haven't upgraded to very specific versions, your system might still be haunted.
Mitigation: Cleaning Up the Symlink Mess
Here’s what Fortinet did after the exploit resurfaced:
Created AV/IPS signatures to detect and clean the symlink
Rolled out updates in FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16
Hardened the SSL-VPN UI to block future symlink abuse
Still, this whole situation raises a bigger question: Why wasn’t this cleaned up in the first place?
Final Take: Patch Fast, Patch Right
The Fortinet symlink exploit shows what happens when patches are reactive, not proactive. Attackers didn’t need new vulnerabilities; they used a known one, better.
While Fortinet’s latest fixes improve the situation, the fact remains: Trust was breached. Again. And without aggressive cleanup, even “patched” systems can remain quietly compromised.
A patched hole doesn’t mean a clean house, especially when ghosts leave symlinks in your basement.
