TL;DR: Attackers can preserve access after VPN patching by abusing persistence mechanisms and the broad trust model built into traditional tunnels, according to Appgate’s analysis of the Fortinet symlink backdoor incident. The lesson for practitioners is that segmentation and session-scoped policy, not faster patching alone, determine whether compromise becomes containment or enterprise-wide exposure.
At a glance
What this is: This analysis argues that traditional VPNs create persistent lateral-movement risk because authenticated users are trusted too broadly, even after patching and rebooting.
Why it matters: It matters to IAM, PAM, and security teams because network access design still shapes how compromised identities, devices, and sessions can move across the enterprise.
👉 Read Appgate's analysis of VPN persistence and direct-routed ZTNA
Context
Traditional VPN design assumes that once a user authenticates, the network should trust the session broadly. That model breaks down when a compromised credential, device, or appliance can be used to move laterally after initial access. In identity terms, the problem is not only authentication, but the size and lifetime of the access boundary that follows it.
This article focuses on how a symlink-based persistence mechanism survived patching and rebooting on affected devices, then uses that case to show why implicit trust creates a governance gap across human access, privileged access, and non-human operational access. The starting position is typical of perimeter-era remote access, which is now misaligned with modern segmentation and policy enforcement.
Key questions
Q: What breaks when VPN access still assumes trust after authentication?
A: Broad VPN trust turns one successful login into wide internal reach, which gives attackers room to move laterally, persist, and pivot after compromise. The core failure is not encryption, but the size of the post-authentication blast radius. Organisations need resource-scoped policy enforcement, session controls, and segmentation that limit what any authenticated user or device can actually touch.
Q: Why do traditional VPNs increase lateral movement risk in enterprise networks?
A: Traditional VPNs usually grant network-level access instead of application-level access, so attackers can explore systems that were never intended to be reachable together. Once inside, the tunnel becomes a trust conduit. That is especially dangerous for privileged and non-human access, where a single credential can expose multiple internal services and accelerate lateral movement.
Q: How do security teams know if remote access is actually limited enough?
A: A remote access model is limited enough when a valid session can only reach the specific resources required for the task, and when posture or context changes can revoke access immediately. If a user can still browse broadly across segments, or if access survives long after a risk change, the control is not working as intended.
Q: Who is accountable when compromised access infrastructure keeps working after patching?
A: Accountability sits across platform owners, IAM teams, and security operations because patching alone does not remove persistence or confirm that access state has been cleaned up. Frameworks that matter here include least-privilege and configuration management controls, plus the operational responsibility to verify that no unauthorized access path survives remediation.
Technical breakdown
Why VPN tunnels create lateral movement risk
Traditional VPNs establish a broad network tunnel after a single authentication event. That means the access boundary is defined by network location rather than by application, session purpose, or device trust. Once inside, the user or attacker can reach many internal systems that were never meant to be exposed together. In practice, this turns one valid login into a wide blast radius. The problem is architectural, not just operational: patching a vulnerability removes one entry point, but it does not change the fact that the tunnel itself grants broad internal reach.
Practical implication: replace broad network access with resource-scoped access decisions that do not assume a tunnel equals trust.
How persistence survives patching in exposed access paths
The article describes a custom symlink-based persistence mechanism that remained active even after patching and rebooting. Persistence matters because attackers do not need to keep exploiting the original vulnerability if they can plant an access path that survives remediation. When remote access infrastructure is internet-facing and broadly trusted, an attacker can keep a foothold through files, services, or configuration states that defenders do not remove during emergency remediation. That is why cleanup has to extend beyond the CVE fix and into full asset and access-state verification.
Practical implication: validate persistence artifacts, access state, and configuration drift after patching, not just vulnerability closure.
Why direct-routed ZTNA changes the access model
Direct-routed ZTNA changes the access model by eliminating exposed gateways and making access session-specific rather than tunnel-based. The article highlights Single Packet Authorization, which hides resources until a user is verified, then opens short-lived connections only to approved destinations. That reduces the opportunity for reconnaissance, lateral movement, and long-lived persistence because there is no always-on internal path to exploit. The control value is not simply encryption. It is the removal of implicit network trust and the reduction of standing connectivity.
Practical implication: design remote access so that authorization is per resource and per session, not per network.
Threat narrative
Attacker objective: The attacker’s objective is to preserve a durable foothold inside internal networks so access can continue even after remediation actions begin.
- Entry occurred through earlier Fortinet SSL-VPN flaws that attackers were already exploiting in exposed internet-facing access infrastructure.
- Escalation followed when attackers implanted a custom symlink-based persistence mechanism that survived patching and reboot cycles.
- Impact came from continued unauthorized access and the ability to maintain a foothold for later lateral movement across the environment.
NHI Mgmt Group analysis
Implicit network trust is now a governance failure, not a convenience choice. VPNs were designed for a perimeter model that no longer reflects how attackers operate. Once authenticated, broad access enables lateral movement that identity teams cannot contain with authentication alone. Practitioners should treat network trust expansion as an identity governance issue because the session boundary becomes the real control surface.
Persistence on remote access infrastructure exposes a standing access problem, not just a vulnerability problem. The symlink backdoor example shows that patching a CVE does not necessarily remove the attacker’s presence. If access artifacts survive reboot and remediation, the organisation has failed to control the lifecycle of the access path itself. The practitioner takeaway is that access state must be monitored and revoked, not assumed clean after patching.
Direct-routed ZTNA is best understood as blast-radius reduction, not just VPN replacement. The article’s architectural contrast is really about whether internal reach is granted broadly or only to specific resources under policy control. That matters for IAM, PAM, and NHI governance because privilege should be session-scoped and resource-scoped, not network-scoped. Practitioners should evaluate whether their remote access layer still grants more trust than their identity programme can justify.
Blast-radius control is the named concept that explains why VPN-era access models keep failing. When a single authenticated session can expose whole network zones, compromise scales faster than remediation. That pattern aligns with broader security frameworks that emphasise least privilege, segmentation, and continuous verification. The practitioner conclusion is straightforward: if access design still assumes trust after login, the organisation has already accepted excess blast radius.
Identity governance must extend into access architecture, not stop at login policy. The article makes clear that session context, device posture, and resource scoping are the controls that actually interrupt attacker movement. For teams managing human identity, privileged access, and machine access, that means governance has to cover the path after authentication as much as the act of authenticating. The practitioner conclusion is to govern reach, not just credentials.
What this signals
Blast-radius control is the practical standard that remote access teams should now optimise for. If a session can still expose broad internal reach after authentication, the programme has not moved far enough from perimeter-era assumptions. Practitioners should align remote access design with Zero Trust principles and review how network policy, identity policy, and device policy intersect before the next incident forces the change.
The access layer is becoming part of identity governance, especially where administrator accounts and non-human workflows depend on remote connectivity. That means teams need clear ownership for session revocation, posture re-checks, and access-state verification, not just patch management. The more persistent the access path, the more likely it is to become an attacker’s long-term control point.
For identity programmes, the signal is that authentication is only the start of governance. Session scoping, segmentation, and conditional access need to be measurable controls, not design ideals. Where remote connectivity still functions as an always-on trust bridge, security teams should expect it to be used as one.
For practitioners
- Eliminate broad post-authentication network reach Map every remote access path to the internal resources it can reach today, then remove any tunnel that still grants implicit access to multiple segments without additional policy checks.
- Validate persistence after VPN remediation After patching remote access infrastructure, verify file integrity, startup paths, services, and symlink or configuration artefacts that could preserve unauthorized access beyond the original vulnerability fix.
- Adopt resource-scoped access enforcement Move high-risk remote access flows toward per-session and per-resource authorization so a compromised endpoint cannot use a single authenticated tunnel to pivot freely through the environment.
- Tie device posture to ongoing session control Re-check patch state, management state, and risk context during the session, and revoke access when the device no longer meets the access policy rather than waiting for a user to disconnect.
- Reduce privileged network reach for NHI and admin workflows Separate administrative and service access from general remote access paths so privileged accounts, service accounts, and operational tools do not inherit the same broad VPN reach as ordinary users.
Key takeaways
- The core problem is not simply VPN vulnerability exposure, but the broad trust model that lets one authenticated session reach too much of the environment.
- The Fortinet symlink backdoor example shows that persistence can survive patching and rebooting, which makes cleanup and access-state verification essential.
- The control that changes the outcome is resource-scoped, session-scoped access that shrinks blast radius and removes implicit network trust.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Broad remote access and lateral movement risk map to access control and least privilege. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central when VPN sessions grant more reach than required. |
| NIST Zero Trust (SP 800-207) | The article contrasts perimeter VPN trust with continuous verification and resource-scoped access. | |
| CIS Controls v8 | CIS-6 , Access Control Management | Access scope and remote access governance are the main control gaps discussed. |
| MITRE ATT&CK | TA0008 , Lateral Movement; TA0003 , Persistence | The article centres on attacker persistence and pivoting through trusted remote access. |
Use Zero Trust principles to replace implicit network trust with explicit, contextual authorisation.
Key terms
- Direct-Routed ZTNA: A Zero Trust access model that connects a verified user directly to an authorised resource without sending traffic through a shared broker or exposing a broad network tunnel. It reduces attack surface by making access short-lived, resource-specific, and dependent on policy conditions.
- Network-Level Access: A model where authentication opens a path to an internal network segment rather than to one application or service. It is efficient for connectivity, but it often creates excessive trust because any compromise can expose far more systems than the user actually needs.
- Persistence Mechanism: An artefact or configuration an attacker uses to maintain access after the original exploit is patched or the device is rebooted. Persistence can live in files, services, scheduled tasks, or other system states that remediation does not automatically remove.
- Blast Radius: The amount of damage an attacker can cause once they gain access to a system, identity, or session. Smaller blast radius means tighter scoping, fewer reachable assets, and fewer opportunities for lateral movement or long-lived compromise.
What's in the full article
Appgate's full analysis covers the operational detail this post intentionally leaves for the source:
- The specific Fortinet symlink persistence mechanics and why they survived routine remediation.
- The direct-routed ZTNA architecture details behind Single Packet Authorization and short-lived session creation.
- The access-control contrasts between VPN tunnels, brokered ZTNA paths, and per-resource enforcement models.
- The practical implications of posture checks and session revocation for remote access design.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, secrets management, and workload identity. It helps practitioners connect identity controls to the broader access and risk decisions that shape modern security programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org