Executive Summary
Between January 11 and February 18, 2026, a Russian-speaking, financially motivated threat actor utilized multiple commercial generative AI services to compromise over 600 Fortinet FortiGate firewalls across more than 55 countries. The attacker exploited exposed management interfaces and weak credentials lacking multi-factor authentication, without leveraging any known FortiGate vulnerabilities. This campaign underscores the growing trend of cybercriminals employing AI tools to automate and scale attacks, significantly reducing the technical expertise required to execute large-scale intrusions. The incident highlights the urgent need for organizations to secure management interfaces, enforce strong authentication mechanisms, and stay vigilant against AI-assisted cyber threats.
Why This Matters Now
This incident underscores the escalating use of AI by cybercriminals to automate and scale attacks, reducing the technical barriers for large-scale intrusions. Organizations must urgently secure management interfaces, enforce strong authentication mechanisms, and stay vigilant against AI-assisted cyber threats.
Attack Path Analysis
The adversary initiated the attack by exploiting exposed management interfaces and weak credentials on FortiGate firewalls, leading to unauthorized access. Once inside, they escalated privileges to extract sensitive configurations and credentials. The attacker then moved laterally within the network, leveraging the compromised firewalls to access additional systems. They established command and control channels to maintain persistent access and orchestrate further actions. Sensitive data, including SSL-VPN credentials and network configurations, were exfiltrated. The attack culminated in the potential for significant operational disruption and data compromise.
Kill Chain Progression
Initial Compromise
Description
The adversary exploited exposed management interfaces and weak credentials on FortiGate firewalls to gain unauthorized access.
Related CVEs
CVE-2025-64446
CVSS 9.8A critical path traversal vulnerability in FortiWeb allows unauthenticated attackers to execute administrative commands via crafted HTTP or HTTPS requests.
Affected Products:
Fortinet FortiWeb – 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.11
Exploit Status:
exploited in the wildCVE-2024-55591
CVSS 9.8An authentication bypass vulnerability in FortiOS and FortiProxy allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module.
Affected Products:
Fortinet FortiOS – 7.0.0 through 7.0.16
Fortinet FortiProxy – 7.2.0 through 7.2.12, 7.0.0 through 7.0.19
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Obtain Capabilities: Artificial Intelligence
External Remote Services
Brute Force
OS Credential Dumping
Account Discovery
Command and Scripting Interpreter
Exploitation of Remote Services
Network Service Scanning
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – System Monitoring
Control ID: SI-4
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
AI-enhanced cyber espionage targeting FortiGate appliances directly threatens security infrastructure, compromising zero trust implementations and encrypted traffic protection across 55 countries globally.
Government Administration
State-sponsored CyberStrikeAI attacks exploit government network segmentation vulnerabilities, enabling lateral movement and data exfiltration through compromised FortiGate devices in critical infrastructure.
Financial Services
Mass automated scanning threatens PCI compliance requirements, with egress security failures potentially exposing encrypted financial transactions and enabling unauthorized data exfiltration attempts.
Information Technology/IT
Open-source offensive AI tools compromise multicloud visibility and Kubernetes security, creating systematic vulnerabilities in hybrid connectivity and threat detection capabilities nationwide.
Sources
- Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countrieshttps://thehackernews.com/2026/03/open-source-cyberstrikeai-deployed-in.htmlVerified
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerabilityhttps://www.securityweek.com/fortinet-confirms-active-exploitation-of-critical-fortiweb-vulnerability/Verified
- CVE-2025-64446 (CVSS 9.1) Fortinet Exploited in Major AI and Phishing Campaignshttps://www.purple-ops.io/resources-hottest-cves/fortinet-ai-phishing-cve/Verified
- Attackers exploiting critical Fortinet zero-day vulnerabilityhttps://www.techtarget.com/searchsecurity/news/366618095/Attackers-exploiting-critical-Fortinet-zero-day-vulnerabilityVerified
- Fortinet Confirms New Zero-Day Exploitationhttps://www.securityweek.com/fortinet-confirms-new-zero-day-exploitation/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit exposed interfaces, escalate privileges, and move laterally, thereby reducing the potential blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit exposed management interfaces and weak credentials would likely be constrained, reducing the risk of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and access sensitive configurations would likely be constrained, reducing the risk of unauthorized data extraction.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the risk of further system compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, reducing the risk of persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss.
The overall impact of the attack would likely be constrained, reducing the risk of significant operational disruption and data compromise.
Impact at a Glance
Affected Business Functions
- Network Security Management
- Web Application Protection
- Remote Access Services
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive corporate data due to unauthorized administrative access.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- • Enforce Multi-Factor Authentication (MFA) on all management interfaces to prevent unauthorized access due to weak credentials.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic, mitigating lateral movement by attackers.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities indicative of compromise.
- • Regularly update and patch all systems, including firewalls, to address known vulnerabilities and reduce the attack surface.
