Customers of SonicWall VPN and Fortinet have cause for alarm this week.
The second week of April presented a host of challenges for both Fortinet and SonicWall VPN customers. With SonicWall facing major VPN exploits for the third month in 2025 and Fortinet facing continued issues, you may be wondering how to proceed.
If your business uses either vendor, there are a few things to know to protect your customers and employees.
Make sure to scroll to the bottom of this post where we cover the advantages of a solution with the foundation of zero trust built in, through either our self-hosted Access Server solution or cloud-delivered CloudConnexa solution.
TL;DR: On April 16, 2025, CISA flagged a known exploited vulnerability in the SonicWall VPN product that posed significant risk, allowing an attacker to inject arbitrary commands, potentially leading to a DoS. Additionally, over 16,000 internet-exposed Fortinet devices have now been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
Known exploited vulnerabilities:
Fortinet 17 | SonicWall 13 | OpenVPN 0
SonicWall VPN flagged by CISA for known exploited vulnerability
On Wednesday, April 16, 2025, a flaw in the SonicWall VPN product was flagged by CISA in its Known Exploited Vulnerabilities Catalog. That means this vulnerability, which was originally disclosed and patched in 2021, has recently been exploited in attacks. CISA has upgraded the CVSS severity score from medium to high and expanded the impact to include code execution.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
Tracked as CVE-2021-20035, this security flaw impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices. According to CISA, “Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.”
In other words, when attackers successfully exploit this flaw, remote threat actors with only low privileges can execute arbitrary code in low-complexity attacks.
In an advisory statement from SonicWall, the following was shared: "Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution…This vulnerability is believed to be actively exploited in the wild. As a precautionary measure, SonicWall PSIRT has updated the summary and revised the CVSS score to 7.2.”
Of note: According to Bleeping Computer, SonicWall also warned of an actively exploited authentication bypass flaw in February 2025 for all Gen 6 and Gen 7 firewalls, which could allow hackers to hijack VPN sessions. Further, just one month before that, as OpenVPN previously reported, the company urged customers to patch a critical vulnerability affecting SMA1000 secure access gateways following reports that it had already been exploited in zero-day attacks.
Security recommendations
CISA recommends users apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
OpenVPN recommends that all organizations continually monitor and apply security patches when available. We also recommend proactive security monitoring to ensure that potential anomalies and breaches are caught quickly.
Thousands of Fortinet FortiGate VPN devices compromised with symlink backdoor
Earlier, during the week of April 11, 2025, Fortinet began sending emails to customers titled "Notification of device compromise - FortiGate / FortiOS - ** Urgent action required **," given a TLP:AMBER+STRICT designation.
These emails warned that their FortiGate/FortiOS devices were compromised based on telemetry received from FortiGuard devices.
"This issue is not related to any new vulnerability. This file was left behind by a threat actor following exploitation of previous[ly] known vulnerabilities," the emails said, naming, among others, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. OpenVPN previously shared information about the Fortinet vulnerabilities, including the April 2024 critical-severity bug.
The trouble for Fortinet users, however, did not stop there.
Over 16,000 internet-exposed Fortinet devices have now been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
As of April 16, 2025, Piotr Kijewski of the threat monitoring platform The Shadowserver Foundation told BleepingComputer that the cybersecurity organization now detects 16,620 devices impacted by the recently revealed persistence mechanism.
"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection," Fortinet said. "Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations."
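The persistence mechanism Fortinet describes above is a symbolic link, placed in a folder the SSL-VPN web server serves, that points at the root filesystem. The following added example (not Fortinet's or OpenVPN's code) shows the defender's check for that class of problem: walk a served directory and flag any symlink whose resolved target lies outside it. The served path and the sample tree it scans are constructed placeholders, not real FortiOS paths.

```python
"""Scan a web-served directory for symbolic links that escape it."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return [(link, resolved_target)] for symlinks under served_root whose
    target resolves outside served_root. Links that stay inside the tree
    are treated as benign."""
    root = Path(served_root).resolve()
    findings = []
    # followlinks=False: a symlinked directory is reported, not descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # follows the whole chain and resolves '..'
            if target != root and root not in target.parents:
                findings.append((str(p), str(target)))
    return findings


def build_demo_tree():
    """Constructed sample layout standing in for a device's served folder.
    'served_lang' is the hypothetical web-served directory; 'sysroot' stands
    in for the root filesystem that must never be reachable from it."""
    base = Path(tempfile.mkdtemp())
    served = base / "served_lang"
    outside = base / "sysroot"
    (served / "en").mkdir(parents=True)
    outside.mkdir()
    (served / "en" / "strings.json").write_text("{}")
    (outside / "config.conf").write_text("secret=placeholder")
    # benign: relative link that stays inside the served tree
    os.symlink("en", served / "default")
    # persistence-style: link that escapes to the outside tree
    os.symlink(outside, served / "en" / "cache")
    return served


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_demo_tree()):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

Run against the real served directory of a device, the same function lists every link that reaches outside it; a clean tree returns an empty list.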
Security recommendations
Fortinet has notified potentially impacted customers of an updated AV/IPS signature that will detect and remove the malicious symbolic link from compromised devices. The latest version of the firmware has also been updated to detect and remove the link. The update also prevents unknown files and folders from being served by the built-in webserver.
OpenVPN recommends ensuring that all patches and updates are applied, and all credentials are reset.
Steps to improve your security if you’ve been impacted
Enhance your network security and protect against potential attacks by taking the following steps, regardless of whether your business has been attacked or your security provider has been compromised.
- Set an alert to receive any and all security advisories from your security providers, SaaS applications, and other software vendors you may use.
- Periodically review vendors' compliance information. Monitor third-party audits for tools in your tech stack.
- Implement the tenets of zero trust through a Zero Trust VPN, the foundation of a zero trust strategy. This provides identity-based, least-privilege access to internal systems so that, should a breach occur, lateral movement is prevented and the damage a threat actor can do is limited.
- Utilize an Intrusion Detection System and Intrusion Prevention System, or IDS/IPS, to mitigate malicious traffic and suspicious activity.
- Use network segmentation to limit the spread of an attack.
How OpenVPN can help your organization
If you’ve been burned by your legacy VPN provider’s vulnerabilities one too many times, we’re here to help.
OpenVPN can help get your business back up and running quickly. OpenVPN provides modern Zero Trust VPN solutions that are easy to implement and manage. Plus, you’ll never pay for more than you use, as we only charge per concurrent connection, with monthly plans starting at five connections with the ability to scale up on demand — making OpenVPN your go-to for a reliable, cost-effective disaster recovery solution.
Additionally, because of our open source roots, we:
- Believe in full disclosure in any instance of a vulnerability, exposure, or breach.
- Take security issues very seriously and respond quickly when serious vulnerabilities are discovered.
- Respond to vulnerability reports from both inside and outside the open source community.
- Work with organizations like MITRE to publish and disseminate security information to both customers and open source community devs and users alike.
Ready to get started? Download OpenVPN’s award-winning Zero Trust VPN solutions, CloudConnexa or Access Server, for free. Get started with free connections today.
To learn more about the future of network security, check out our recent research report from Enterprise Strategy Group, sponsored by OpenVPN: Secure Remote Access Technology Trends.