SECURE NETWORK ACCESS
Rustin Brown November 6, 2025 4 minute read

Behind the Breach Headlines: What Fortinet’s VPN Vulnerabilities Teach Us About Lateral Movement & Persistence

When another VPN vulnerability makes headlines, security teams rush to patch it and pray it stops there. But the recent Fortinet FortiGate “symlink backdoor” incident shows why patching alone doesn’t solve the real issue and why the VPN model itself is the problem.

Attackers who previously exploited earlier Fortinet SSL-VPN flaws implanted a custom symlink-based persistence mechanism. Even after administrators patched and rebooted affected devices, these malicious files maintained unauthorized access. While this is a specific case, it illustrates how attackers can maintain persistence in any environment where broad, implicit access remains possible after initial compromise.  

This is the critical lesson: Traditional VPNs can enable lateral movement because they assume trust once users are authenticated. Without additional segmentation and policy enforcement, that broad access can create risk. They’re built to connect broadly and trust deeply—the exact opposite of how modern security must operate.

The Inherent VPN Problem: Broad Access, Broad Damage

VPNs were born in a perimeter world that no longer exists. They authenticate users once, drop a tunnel, and grant network-level access to everything behind it. That’s like handing over the master key to your entire building just because someone needs access to one room.

This design flaw manifests in three ways:

  1. Exposed Gateways: Fortinet’s SSL-VPNs, like all VPN appliances, must be internet-facing. That exposure is a neon sign for attackers to scan, exploit, and persist.
  2. Flat Access Zones: Once inside, a VPN user (or attacker) can laterally explore networks, applications and data they were never meant to reach.
  3. Persistence by Design: VPNs create static tunnels and predictable access paths. Once compromised, attackers can quietly maintain presence and pivot laterally for months.

While patching helps address vulnerabilities, traditional VPN designs still rely on static tunnels and implicit trust. These can be mitigated but not fully eliminated without adopting a Zero Trust approach.

Why Direct-Routed ZTNA Changes the Game

Zero Trust Network Access (ZTNA) was designed to eliminate these systemic risks, but not all ZTNA architectures are created equal. Many solutions still rely on cloud-proxy relays or brokered paths that introduce latency, complexity and potential data exposure.

AppGate ZTNA takes a fundamentally different approach with its direct-routed architecture. It connects users directly and securely to authorized resources without routing sensitive traffic through third-party clouds, concentrators, or centralized choke points.

Here’s how that architecture stops the problems that VPNs (and even other ZTNAs) can’t:

  1. No Exposed Gateways — Full Network Invisibility: AppGate ZTNA uses Single Packet Authorization (SPA) to make protected resources completely invisible to unauthorized users. There are no open ports, public IPs, or exposed gateways to scan or exploit; attackers can’t attack what they can’t see.

    Once a user is verified, SPA dynamically establishes direct, encrypted and short-lived connections only to the resources that user is authorized to access — nothing more. This least-privilege, per-session approach not only eliminates exposed entry points but also prevents lateral movement, even if a user’s endpoint is compromised. When the session ends, the connection dissolves, leaving nothing behind for attackers to hijack.

  2. Identity- and Context-Based Enforcement: Access isn’t just about credentials; it’s about who, what and where the user is connecting from. AppGate ZTNA dynamically enforces access based on:

    • User identity and group
    • Device posture (for instance: is the device patched, managed and secure?)
    • Location, time and behavior context

    If any risk factor changes mid-session—say a device fails posture check—access is automatically revoked. That means no static tunnels, no persistence, no foothold for attackers to exploit.

  3. Smaller Blast Radius, Faster Containment: In a VPN world, one compromised credential can open an entire network. In AppGate’s direct-routed ZTNA model, that blast radius shrinks to a single point, dramatically reducing dwell time, propagation and damage potential.
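The following Python sketch is an added illustration of the two mechanisms described in items 1 and 2 above; it is not AppGate’s code and makes no claim about how AppGate implements them. It models a gateway that stays silent unless a single knock packet carries a valid HMAC, a fresh timestamp and an unused nonce (SPA-style invisibility with replay protection), then binds the resulting short-lived session to exactly one resource, and evaluates a context policy (identity group, device posture, location, permitted hours) both at connect time and again mid-session, revoking the session when a factor changes. The shared key, the `hr-app` and `wiki` resources, the rule set and the `Context` fields are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed demo values: a real deployment provisions per-user SPA keys and
# pulls entitlements and posture signals from its own policy engine.
SPA_KEY = b"constructed-demo-key"
KNOCK_WINDOW = 30        # seconds a knock timestamp may drift before it is stale
SESSION_LIFETIME = 300   # seconds an authorized connection stays open


@dataclass
class Context:
    """Who, what and where: signals checked at connect time and re-checked mid-session."""
    user: str
    groups: frozenset
    managed: bool        # device enrolled in management
    patched: bool        # device posture: OS/agent up to date
    country: str
    hour: int            # local hour, 0-23


@dataclass
class Rule:
    resource: str
    groups: frozenset
    countries: frozenset
    hours: range
    require_patched: bool = True


# Hypothetical policy for two constructed resources.
POLICY = {
    "hr-app": Rule("hr-app", frozenset({"hr"}), frozenset({"US", "CA"}), range(7, 20)),
    "wiki": Rule("wiki", frozenset({"staff"}), frozenset({"US", "CA", "GB"}), range(0, 24),
                 require_patched=False),
}


def policy_violations(rule: Rule, ctx: Context) -> list:
    """Return every reason access should be denied; an empty list means allow."""
    reasons = []
    if not rule.groups & ctx.groups:
        reasons.append("identity: user not in an entitled group")
    if not ctx.managed:
        reasons.append("posture: device is unmanaged")
    if rule.require_patched and not ctx.patched:
        reasons.append("posture: device failed patch check")
    if ctx.country not in rule.countries:
        reasons.append("context: location not permitted")
    if ctx.hour not in rule.hours:
        reasons.append("context: outside permitted hours")
    return reasons


def build_knock(user: str, resource: str, key: bytes, now: int, nonce: Optional[bytes] = None) -> bytes:
    """Client side of SPA: one datagram carrying who/what/when, a fresh nonce and an HMAC over it."""
    body = "|".join([user, resource, str(now), (nonce or secrets.token_bytes(8)).hex()]).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


class Gate:
    """Gateway that answers nothing until a valid knock and a passing policy check arrive."""

    def __init__(self, key: bytes, policy: dict):
        self.key, self.policy = key, policy
        self.seen_nonces = {}   # nonce -> time used (replay cache)
        self.sessions = {}      # token -> (user, resource, expiry)

    def knock(self, packet: bytes, ctx: Context, now: int) -> Optional[str]:
        """Return a session token bound to one resource, or None. A bad knock is
        dropped silently, so a scanner receives no reply to fingerprint."""
        try:
            user, resource, ts_str, nonce_hex, tag = packet.decode().split("|")
            ts = int(ts_str)
        except ValueError:
            return None
        body = "|".join([user, resource, ts_str, nonce_hex]).encode()
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).hexdigest(), tag):
            return None                                   # forged or tampered
        if abs(now - ts) > KNOCK_WINDOW:
            return None                                   # stale knock
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= KNOCK_WINDOW}
        if nonce_hex in self.seen_nonces:
            return None                                   # replayed knock
        self.seen_nonces[nonce_hex] = now
        rule = self.policy.get(resource)
        if rule is None or user != ctx.user or policy_violations(rule, ctx):
            return None                                   # authenticated, but not authorized here
        token = secrets.token_hex(16)
        self.sessions[token] = (user, resource, now + SESSION_LIFETIME)
        return token

    def is_open(self, token: str, resource: str, now: int) -> bool:
        """Data-plane check: only an unexpired session for exactly this resource passes."""
        entry = self.sessions.get(token)
        if entry is None:
            return False
        _, bound_resource, expiry = entry
        if now >= expiry:
            del self.sessions[token]                      # session dissolves; nothing left to hijack
            return False
        return bound_resource == resource

    def reevaluate(self, token: str, ctx: Context) -> list:
        """Mid-session policy re-check: any new violation revokes the session immediately."""
        entry = self.sessions.get(token)
        if entry is None:
            return ["session: not found"]
        _, resource, _ = entry
        reasons = policy_violations(self.policy[resource], ctx)
        if reasons:
            del self.sessions[token]
        return reasons
```

Two design points carry the argument of the list above: every failure path in `knock` returns `None` without any response, so an unauthorized sender learns nothing from the gateway, and a token is bound to a single resource and a single expiry, so a session for `hr-app` never carries over to `wiki` and cannot be reused once its lifetime or its posture check lapses.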

Beyond the Patch: A Modern Security Imperative

Fortinet’s recurring VPN vulnerabilities aren’t isolated bugs; they’re proof that the “connect-then-trust” era is over. Each new CVE and breach reinforces the same truth: the perimeter has dissolved, and the VPN can’t keep up.

Direct-routed ZTNA replaces that brittle architecture with one that is:

  • Invisible to attackers
  • Resilient to compromise
  • Optimized for performance (no detours through cloud brokers)
  • Built for least privilege and zero lateral movement

This isn’t about patching faster; it’s about eliminating what needs patching in the first place.

The Takeaway: Persistence Ends Where Direct-Routed ZTNA Begins

The Fortinet “symlink backdoor” incident is more than a cautionary tale; it’s a wake-up call. When your access architecture trusts too much and exposes too broadly, attackers don’t just break in; they stay in. AppGate ZTNA ends that cycle.

It makes your environment invisible, connections precise and access ephemeral, so even if the next zero-day hits the headlines, your network won’t be the story.

Ready to replace your exposed gateways with invisible access? Schedule a demo to learn how AppGate ZTNA eliminates the weaknesses that make VPNs—and even proxy-based ZTNAs—vulnerable to lateral movement and persistence.
