The second week of April presented a host of challenges for both Fortinet and SonicWall VPN customers. With SonicWall facing major VPN exploits for the third month in 2025 and Fortinet facing continued issues, you may be wondering how to proceed.
If your business uses either vendor, there are a few things to know to protect your customers and employees.
Make sure to scroll to the bottom of this post where we cover the advantages of a solution with the foundation of zero trust built in, through either our self-hosted Access Server solution or cloud-delivered CloudConnexa solution.
TL;DR: On April 16, 2025, CISA flagged a known exploited vulnerability in the SonicWall VPN product that posed significant risk, allowing an attacker to inject arbitrary commands, potentially leading to a DoS. Additionally, over 16,000 internet-exposed Fortinet devices have now been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
Known exploited vulnerabilities:
Fortinet 17 | SonicWall 13 | OpenVPN 0
On Wednesday, April 16, 2025, CISA added a flaw in SonicWall's SMA100 VPN appliances to its Known Exploited Vulnerabilities (KEV) Catalog. That means this vulnerability, originally disclosed and patched in 2021, has recently been exploited in attacks. SonicWall has since raised the CVSS severity score from medium to high and expanded the described impact from denial of service to code execution.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
Tracked as CVE-2021-20035, this security flaw impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices. According to CISA, “Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.”
In other words, an attacker who already holds valid credentials for the SMA100 management interface can run arbitrary commands on the appliance as the 'nobody' user in a low-complexity attack. Authentication is the only hurdle, which is why credential hygiene on these appliances matters as much as patching.
In an advisory statement from SonicWall, the following was shared: "Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution…This vulnerability is believed to be actively exploited in the wild. As a precautionary measure, SonicWall PSIRT has updated the summary and revised the CVSS score to 7.2.”
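To make the CISA and SonicWall descriptions concrete, here is an added example (not SonicWall's code, and not from the original post) of the CWE-78 pattern behind a "remote authenticated attacker can inject arbitrary commands" finding: a handler that takes a host name from an authenticated user and splices it into a shell command, next to a hardened version that validates the input and avoids the shell. The management handler, the `ping` diagnostic and the sample inputs are assumptions for illustration; nothing is executed, the builders return what they would hand to the operating system.

```python
"""Command injection (CWE-78): the unsafe pattern and a hardened form, side by side.

Added example; not code from SonicWall or from the OpenVPN post. It models an
assumed management-interface handler that runs a network diagnostic against a
host name an authenticated user supplies. Nothing is executed: both builders
return what they would hand to the OS, so an injected payload can be inspected
safely.
"""
from __future__ import annotations

import ipaddress
import re
import shlex

# Constructed inputs: a legitimate request and an injected one.
LEGIT_HOST = "10.0.0.5"
INJECTED_HOST = "10.0.0.5; cat /etc/passwd"


def build_command_vulnerable(host: str) -> str:
    """Unsafe: the user value is spliced into a shell command string.

    Equivalent to os.system(f"ping -c 1 {host}"): the shell, not ping, parses
    this string, so ';', '|', '&&' and '$(...)' in `host` become extra commands
    that run as whatever account the web server uses (a 'nobody' user, say).
    """
    return f"ping -c 1 {host}"


def shell_would_run(command: str) -> list[list[str]]:
    """Split a command string the way /bin/sh would, one argv list per command.

    shlex with punctuation_chars=True emits ';', '|', '&' and '&&' as their own
    tokens, which is enough to show where the attacker's extra command begins.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token in (";", "|", "||", "&", "&&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Hostname grammar per RFC 1123: labels of letters, digits and '-', no leading
# or trailing '-', dot-separated, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(host: str) -> str:
    """Allow-list validation: accept only an IP address or an RFC 1123 hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid diagnostic target: {host!r}")


def build_command_hardened(host: str) -> list[str]:
    """Safe: validate first, then build an argv list for subprocess.run(argv).

    With shell=False (the subprocess default) each element reaches ping as one
    argument; shell metacharacters are never interpreted, and the validation
    above means they never get this far anyway.
    """
    return ["ping", "-c", "1", validate_target(host)]


def hardened_rejects(host: str) -> bool:
    """True if the hardened builder refuses the input."""
    try:
        build_command_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", shell_would_run(build_command_vulnerable(INJECTED_HOST)))
    print("hardened  :", build_command_hardened(LEGIT_HOST))
    print("rejected  :", hardened_rejects(INJECTED_HOST))
```

The two defences are independent and both worth keeping: the argv list removes the shell from the path entirely, and the allow-list rejects anything that is not a host name before it reaches any other code (log lines, templates, a later `shell=True` someone adds). Note that the second command in the injected payload runs with the web server's privileges, which is exactly the 'nobody' user context in the advisory.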
Of note: According to Bleeping Computer, SonicWall also warned of an actively exploited authentication bypass flaw in February 2025 for all Gen 6 and Gen 7 firewalls, which could allow hackers to hijack VPN sessions. Further, just one month before that, as OpenVPN previously reported, the company urged customers to patch a critical vulnerability affecting SMA1000 secure access gateways following reports that it had already been exploited in zero-day attacks.
CISA recommends users apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
OpenVPN recommends that all organizations continually monitor and apply security patches when available. We also recommend proactive security monitoring to ensure that potential anomalies and breaches are caught quickly.
During the week of April 11, 2025, Fortinet began sending emails to customers titled "Notification of device compromise - FortiGate / FortiOS - ** Urgent action required **," marked TLP:AMBER+STRICT.
These emails warned customers that their FortiGate/FortiOS devices had been compromised, based on FortiGuard telemetry.
"This issue is not related to any new vulnerability. This file was left behind by a threat actor following exploitation of previous[ly] known vulnerabilities," the emails said, including but not limited to CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. OpenVPN previously shared information about the Fortinet vulnerabilities, including the April 2024 critical-severity bug.
The trouble for Fortinet users, however, did not stop there.
Over 16,000 internet-exposed Fortinet devices have now been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
As of April 16, 2025, Piotr Kijewski of the threat monitoring platform The Shadowserver Foundation, told BleepingComputer that the cybersecurity organization now detects 16,620 devices impacted by the recently revealed persistence mechanism.
"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection," Fortinet said. "Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations."
Fortinet has notified potentially impacted customers of an updated AV/IPS signature that will detect and remove the malicious symbolic link from compromised devices. The latest version of the firmware has also been updated to detect and remove the link. The update also prevents unknown files and folders from being served by the built-in webserver.
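The persistence trick is simple enough to reproduce and check for on any appliance or server whose web component serves static files. The following is an added example (not Fortinet's code, and not from the original post) that builds a throwaway directory tree with a served language folder and a symlink back to the filesystem root, then shows three things: how a naive file lookup leaks a config file through the link, how a lookup that refuses symlinks and unknown file types (the behaviour the firmware fix describes) blocks it, and how a scan finds and removes the link. The directory layout, file names and config contents are constructed for the demo and are not FortiOS's real paths.

```python
"""Find and neutralise a symlink that lets a built-in web server read outside its root.

Added example; not Fortinet's code and not from the OpenVPN post. It models the
persistence trick described above on a throwaway directory tree: a folder that
serves SSL-VPN language files (an assumed layout, not FortiOS's real paths) is
given a symlink back to the filesystem root, and the functions show how a naive
lookup leaks through it, how a hardened lookup refuses it, and how a scan finds
and removes the link.
"""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".json"}  # the only file type the language folder should serve


def build_sample_tree() -> Path:
    """Constructed sample: a fake root fs with a config file, a served folder
    holding one legitimate language file, and the attacker's symlink."""
    base = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    (base / "etc").mkdir()
    (base / "etc" / "device.conf").write_text("admin-password-hash: example\n")
    served = served_dir(base)
    served.mkdir(parents=True)
    (served / "en.json").write_text('{"login": "Login"}\n')
    # The backdoor: a link inside the served folder that resolves to the root.
    os.symlink(base, served / "rootfs")
    return base


def served_dir(base: Path) -> Path:
    """Assumed location of the served language folder inside the sample tree."""
    return base / "data" / "sslvpn" / "lang"


def serve_naive(served_root: Path, requested: str) -> bytes | None:
    """Vulnerable lookup: joins the path and reads whatever is there, following links."""
    try:
        return (served_root / requested).read_bytes()
    except OSError:
        return None


def serve_hardened(served_root: Path, requested: str) -> bytes | None:
    """Hardened lookup: no absolute or '..' components, no symlink anywhere on the
    path, the resolved file must sit under served_root, and only allowed types."""
    served_real = served_root.resolve()
    current = served_root
    for part in Path(requested).parts:
        if part in ("", ".", "..") or os.path.isabs(part):
            return None
        current = current / part
        if current.is_symlink():  # the backdoor case: never follow links here
            return None
    real = current.resolve()
    if served_real not in real.parents:
        return None
    if not real.is_file() or real.suffix not in ALLOWED_SUFFIXES:
        return None
    return real.read_bytes()


def find_escaping_symlinks(served_root: Path) -> list[Path]:
    """Walk served_root without following links; report every symlink whose
    target resolves outside served_root."""
    served_real = served_root.resolve()
    found: list[Path] = []
    for dirpath, dirnames, filenames in os.walk(served_root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                target = path.resolve()
                if target != served_real and served_real not in target.parents:
                    found.append(path)
    return found


def remove_escaping_symlinks(served_root: Path) -> int:
    """Remediation: unlink each escaping symlink (the link only, never its target)."""
    links = find_escaping_symlinks(served_root)
    for link in links:
        link.unlink()
    return len(links)


def run_demo() -> dict:
    """Build the tree, exercise both lookups, scan, remediate, re-scan, clean up."""
    base = build_sample_tree()
    served = served_dir(base)
    try:
        return {
            "naive_leak": serve_naive(served, "rootfs/etc/device.conf"),
            "hardened_leak": serve_hardened(served, "rootfs/etc/device.conf"),
            "hardened_traversal": serve_hardened(served, "../../../etc/device.conf"),
            "hardened_ok": serve_hardened(served, "en.json"),
            "found": [p.name for p in find_escaping_symlinks(served)],
            "removed": remove_escaping_symlinks(served),
            "found_after": [p.name for p in find_escaping_symlinks(served)],
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Two details matter when running a check like this on a real device: walk with `followlinks=False`, or a link back to the root will make the scan recurse into the entire filesystem, and compare resolved paths rather than string prefixes, since `/data/sslvpn/lang` is a prefix of `/data/sslvpn/lang2`. Removing the link closes the read path, but it does not undo what was already read, which is why a credential reset belongs alongside the cleanup.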
OpenVPN recommends applying all patches and updates and resetting all credentials: the symlink gave the attacker read access to device configuration files, so any secrets stored in them should be treated as disclosed even after the link is removed.
Enhance your network security and protect against potential attacks by taking the following steps, regardless of whether your business has been attacked or your security provider has been compromised.
If you’ve been burned by your legacy VPN provider’s vulnerabilities one too many times, we’re here to help.
OpenVPN can help get your business back up and running quickly. OpenVPN provides modern Zero Trust VPN solutions that are easy to implement and manage. Plus, you’ll never pay for more than you use, as we only charge per concurrent connection, with monthly plans starting at five connections with the ability to scale up on demand — making OpenVPN your go-to for a reliable, cost-effective disaster recovery solution.
Additionally, because of our open source roots, we:
Ready to get started? Download OpenVPN’s award-winning Zero Trust VPN solutions, CloudConnexa or Access Server, for free. Get started with free connections today.
To learn more about the future of network security, check out our recent research report from Enterprise Strategy Group, sponsored by OpenVPN: Secure Remote Access Technology Trends.