PSIRT SSL-VPN Symlink Persistence Patch Bypass Summary An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistency mechanism observed in some post-exploit cases, via crafted HTTP requests. An attacker would need first to have compromised the product via another vulnerability, at filesystem level. Version Affected Solution FortiOS 7.6 7.6.0 through 7.6.1 Upgrade to 7.6.2 or above FortiOS 7.4 7.4.0 through 7.4.6 Upgrade to 7.4.7 or above FortiOS 7.2 7.2 all versions Migrate to a fixed release FortiOS 7.0 7.0 all versions Migrate to a fixed release FortiOS 6.4 6.4 all versions Migrate to a fixed release Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool This vulnerability can only be abused as a consequence of a threat actor exploiting a known vulnerability to implement read-only access to vulnerable FortiGate devices, at file system level. Products that never had SSL-VPN enabled, are not impacted by this issue. Acknowledgement Fortinet is pleased to thank Peter Gabaldon from ITRESIT ( https://itresit.es/en/home-en/) for reporting this vulnerability under responsible disclosure. Timeline 2026-02-10: Initial publication References https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity