Executive Summary
Between January 11 and February 18, 2026, a Russian-speaking, financially motivated threat actor leveraged commercial generative AI services to compromise over 600 FortiGate devices across more than 55 countries. The attackers exploited exposed management ports and weak, single-factor authentication credentials, without utilizing any known FortiGate vulnerabilities. This campaign enabled the threat actor to extract full device configurations, including credentials and network topology information, facilitating further post-exploitation activities such as Active Directory compromise and credential harvesting. (aws.amazon.com)
This incident underscores the evolving threat landscape where AI tools lower the technical barrier for cybercriminals, allowing even those with limited skills to execute large-scale attacks. Organizations must prioritize fundamental security measures, including securing management interfaces, enforcing strong authentication protocols, and maintaining vigilant monitoring to detect and respond to such AI-augmented threats.
Why This Matters Now
The increasing accessibility of AI tools is enabling less sophisticated threat actors to conduct large-scale cyberattacks, making it imperative for organizations to reinforce basic security practices to mitigate these emerging risks.
Attack Path Analysis
The adversary exploited exposed FortiGate management interfaces with weak credentials to gain initial access. They escalated privileges by extracting administrative credentials from device configurations. Using these credentials, they moved laterally to compromise Active Directory and backup infrastructure. The attacker established command and control channels to maintain access. They exfiltrated sensitive data, including complete credential databases. The campaign's impact included potential ransomware deployment and disruption of victim organizations.
Kill Chain Progression
Initial Compromise
Description
The adversary exploited exposed FortiGate management interfaces with weak credentials to gain initial access.
Related CVEs
CVE-2025-59718
CVSS 9.8An authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager allows remote attackers to create unauthorized administrator accounts and steal firewall configuration data.
Affected Products:
Fortinet FortiOS – 7.4.0 to 7.4.10, 7.2.0 to 7.2.8, 7.0.0 to 7.0.15
Fortinet FortiProxy – 7.4.0 to 7.4.2, 7.2.0 to 7.2.6, 7.0.0 to 7.0.11
Fortinet FortiSwitchManager – 7.2.0 to 7.2.3, 7.0.0 to 7.0.3
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An authentication bypass vulnerability in FortiWeb allows remote attackers to create unauthorized administrator accounts and steal firewall configuration data.
Affected Products:
Fortinet FortiWeb – 7.4.0 to 7.4.2, 7.2.0 to 7.2.6, 7.0.0 to 7.0.11
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Obtain Capabilities: Artificial Intelligence
Valid Accounts
Brute Force: Password Guessing
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
OS Credential Dumping
Application Layer Protocol
Remote Services: Remote Desktop Protocol
Service Stop
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity and Access Management
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
AI-augmented credential attacks targeting FortiGate devices threaten IT infrastructure, requiring enhanced zero trust segmentation and encrypted traffic controls.
Financial Services
Ransomware precursor activities targeting backup infrastructure pose critical risk to financial operations, demanding robust egress security and anomaly detection.
Health Care / Life Sciences
HIPAA compliance violations from lateral movement and data exfiltration through compromised network devices require immediate east-west traffic security implementation.
Government Administration
State-level cybersecurity implications from Russian-speaking threat actors exploiting government network infrastructure through credential-based intrusions and Active Directory compromise.
Sources
- AI-augmented threat actor accesses FortiGate devices at scalehttps://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/Verified
- Fortinet FortiGate devices hit in automated attacks which create rogue accounts and steal firewall datahttps://www.techradar.com/pro/security/fortinet-fortigate-devices-hit-in-automated-attacks-which-create-rogue-accounts-and-steal-firewall-dataVerified
- Attackers are exploiting auth bypass vulnerability on FortiGate firewalls (CVE-2025-59718)https://www.helpnetsecurity.com/2025/12/17/fortigate-vulnerability-cve-2025-59718-exploited/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's lateral movement and data exfiltration by enforcing strict segmentation and identity-aware policies, thereby reducing the blast radius of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit exposed management interfaces may have been limited by enforcing strict access controls and continuous monitoring.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained by limiting access to sensitive configurations and enforcing least-privilege access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been restricted by enforcing segmentation and monitoring east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been detected and disrupted by monitoring and controlling outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data may have been prevented by enforcing strict egress policies and monitoring outbound data transfers.
The overall impact of the campaign may have been mitigated by reducing the attacker's ability to move laterally and exfiltrate data.
Impact at a Glance
Affected Business Functions
- Network Security Management
- Remote Access Services
- User Authentication Systems
Estimated downtime: 7 days
Estimated loss: $500,000
Firewall configurations, administrative credentials, VPN settings, and network topology information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict access between workloads and enforce least privilege.
- • Enforce Multi-Factor Authentication (MFA) for all administrative and VPN access to prevent unauthorized access.
- • Deploy Inline Intrusion Prevention Systems (IPS) to detect and block malicious traffic patterns.
- • Utilize Threat Detection & Anomaly Response tools to identify and respond to suspicious activities.
- • Regularly audit and rotate credentials, especially for devices with exposed management interfaces.
