Executive Summary
Between January 11 and February 18, 2026, a Russian-speaking threat actor utilized commercial generative AI tools to compromise over 600 Fortinet FortiGate firewalls across 55 countries. The attacker exploited exposed management interfaces and weak credentials lacking two-factor authentication, without leveraging any specific software vulnerabilities. Once access was gained, AI-generated scripts were employed to extract and decrypt sensitive data, including SSL-VPN credentials, administrative passwords, and network configurations. This information facilitated further network infiltration and reconnaissance activities. (cybernews.com)
This incident underscores the evolving threat landscape where AI tools enable even low-skilled attackers to execute large-scale, sophisticated cyberattacks. Organizations must reassess their security postures, emphasizing the importance of robust authentication mechanisms and the need to secure management interfaces against unauthorized access.
Why This Matters Now
The use of AI in cyberattacks is lowering the barrier for entry, allowing less skilled individuals to perform complex breaches. This trend necessitates immediate action to strengthen security protocols, particularly in safeguarding critical infrastructure components like firewalls.
Attack Path Analysis
An unsophisticated threat actor exploited exposed FortiGate management interfaces and weak credentials to gain initial access. Once inside, they escalated privileges by extracting and decrypting administrative credentials. The attacker then moved laterally within the network using AI-generated reconnaissance tools. They established command and control by creating VPN accounts on compromised devices. Sensitive data, including SSL-VPN credentials and firewall policies, was exfiltrated. The impact included unauthorized access to internal networks and potential data breaches.
Kill Chain Progression
Initial Compromise
Description
The attacker scanned for exposed FortiGate management interfaces and used brute-force methods to log in using weak credentials.
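The attack path above (credential brute-forcing against an exposed management interface, a successful login from an untrusted source, then creation of a VPN/local account for persistence) leaves a recognisable trail in firewall event logs. The following detection logic is an added example written for this page, not code from the page's authors or from Fortinet or AWS. It runs over constructed sample lines written in FortiOS key=value event-log style; the field names it keys on (logdesc, srcip, status, ui, cfgpath, cfgobj, action) follow FortiOS event logs as I know them but are assumptions that should be checked against your own firmware's log reference, and the trusted management network 10.0.0.0/24 is a placeholder.

```python
"""Detect the FortiGate admin-interface attack pattern in FortiOS-style event logs.

Three checks: (1) a burst of failed admin logins from one source IP,
(2) a successful admin login from outside the trusted management networks,
(3) a local user (SSL-VPN account) added from a session outside those networks.
Field names are assumptions modelled on FortiOS event logs; sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the incident): six failures in ~1 minute from
# 203.0.113.5, one typo from a trusted admin, a success from 203.0.113.5, and a new
# local user added from that same untrusted session.
FAIL_TIMES = ["03:14:01", "03:14:09", "03:14:20", "03:14:31", "03:14:44", "03:15:02"]
SAMPLE_LOGS = "\n".join(
    f'date=2026-01-12 time={t} logdesc="Admin login failed" user="admin" '
    f'ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"'
    for t in FAIL_TIMES
) + """
date=2026-01-12 time=03:15:30 logdesc="Admin login failed" user="jsmith" ui="https(10.0.0.7)" srcip=10.0.0.7 action="login" status="failed" reason="passwd_invalid"
date=2026-01-12 time=03:15:41 logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="success"
date=2026-01-12 time=03:16:05 logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.5)" action="Add" cfgpath="user.local" cfgobj="vpn-backup" msg="Add user.local vpn-backup"
date=2026-01-12 time=03:20:10 logdesc="Admin login successful" user="jsmith" ui="https(10.0.0.7)" srcip=10.0.0.7 action="login" status="success"
"""

TRUSTED_ADMIN_NETS = ["10.0.0.0/24"]  # placeholder: your real management networks

KV_RE = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
UI_IP_RE = re.compile(r"\(([\d.]+)\)")                   # IP inside ui="https(1.2.3.4)"


def parse_line(line):
    """Parse one key=value log line into a dict and add a datetime under 'ts'."""
    rec = {k: (q if q else u) for k, q, u in KV_RE.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def _untrusted(ip_text, trusted_nets):
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in ipaddress.ip_network(n) for n in trusted_nets)


def find_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Return {srcip: peak failures within `window`} for sources at or over threshold."""
    failures = defaultdict(list)
    for r in records:
        if r.get("logdesc") == "Admin login failed":
            failures[r["srcip"]].append(r["ts"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def find_untrusted_admin_logins(records, trusted_nets):
    """Successful admin logins whose source is outside the trusted management networks."""
    return [(r["srcip"], r["user"]) for r in records
            if r.get("logdesc") == "Admin login successful"
            and _untrusted(r["srcip"], trusted_nets)]


def find_new_accounts_from_untrusted(records, trusted_nets):
    """Local users added (cfgpath user.local) by a session from an untrusted source."""
    out = []
    for r in records:
        if r.get("logdesc") != "Object attribute configured" or r.get("action") != "Add":
            continue
        if r.get("cfgpath") != "user.local":
            continue
        m = UI_IP_RE.search(r.get("ui", ""))
        if m and _untrusted(m.group(1), trusted_nets):
            out.append((r["cfgobj"], m.group(1)))
    return out


def analyze(log_text, trusted_nets):
    """Run all three checks over a block of log text and return the findings."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "bruteforce_sources": find_bruteforce(records),
        "untrusted_admin_logins": find_untrusted_admin_logins(records, trusted_nets),
        "accounts_added_from_untrusted": find_new_accounts_from_untrusted(records, trusted_nets),
    }


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_LOGS, TRUSTED_ADMIN_NETS).items():
        print(f"{name}: {result}")
```

The third check is the one that ties the chain together: a brute-force burst alone is background noise on any internet-facing device, but a successful login from a source that has no business reaching the management interface, followed by a new local account, is exactly the persistence step described above and warrants an immediate credential reset and config review.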
Related CVEs
Listed for context only: as the summary above notes, this campaign relied on exposed management interfaces and weak credentials rather than exploiting these vulnerabilities.
CVE-2025-59718
CVSS 9.8
An authentication bypass vulnerability in Fortinet's FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiOS – 7.4.10
Fortinet FortiProxy – 7.4.10
Fortinet FortiSwitchManager – 7.4.10
Exploit Status:
exploited in the wild
CVE-2025-59719
CVSS 9.8
An authentication bypass vulnerability in Fortinet's FortiWeb allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiWeb – 7.4.10
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Masquerading
Impair Defenses: Disable or Modify Network Device Firewall
Compromise Infrastructure: Network Devices
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Remote Access
Control ID: AC-17
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Multi-Factor Authentication
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
ATM jackpotting attacks targeting financial infrastructure create direct monetary losses while multi-vector campaigns exploit weak authentication and unencrypted traffic flows.
Oil/Energy/Solar/Greentech
Critical infrastructure faces multi-vector campaigns with wiper malware attacks, requiring enhanced zero trust segmentation and encrypted traffic protection for operational resilience.
Computer/Network Security
FortiGate device compromises demonstrate the risk of exposed management ports, necessitating stronger authentication, traffic encryption, and east-west traffic security controls across network infrastructure.
Government Administration
Multi-vector campaigns targeting critical infrastructure require enhanced threat detection, zero trust implementation, and compliance with NIST frameworks for national security protection.
Sources
- This month in security with Tony Anscombe – February 2026 edition: https://www.welivesecurity.com/en/videos/month-security-tony-anscombe-february-2026/ (Verified)
- AI-augmented threat actor accesses FortiGate devices at scale: https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/ (Verified)
- PromptSpy ushers in the era of Android threats using GenAI: https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/ (Verified)
- Cashing Out: ATM Jackpotting Attacks Surging Across US: https://www.govinfosecurity.com/cashing-out-atm-jackpotting-attacks-surging-across-us-a-30812 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's lateral movement and data exfiltration by enforcing strict segmentation and identity-aware policies, thereby reducing the blast radius of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit exposed management interfaces may have been limited, reducing the likelihood of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained, limiting their access to sensitive credentials.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network may have been restricted, reducing the scope of the intrusion.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish persistent command and control channels could have been limited, reducing their control over compromised devices.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, reducing the risk of data breaches.
The overall impact of the breach could have been limited, reducing the exposure of sensitive data and internal configurations.
Impact at a Glance
Affected Business Functions
- Network Security Management
- User Authentication Services
- Remote Access Management
Estimated downtime: 7 days
Estimated loss: $500,000
Data exposed: administrative credentials, SSL-VPN user credentials, firewall policies, internal network architecture details.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- Enforce Multi-Factor Authentication (MFA) on all administrative interfaces to prevent unauthorized access.
- Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activities in real-time.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Regularly audit and update credentials, ensuring the use of strong, unique passwords to mitigate brute-force attacks.
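The two recommendations most directly tied to this incident, MFA on every administrative interface and a regular credential audit, together with the initial-compromise precondition of a management interface reachable from the internet, can be checked mechanically against a FortiGate configuration backup. The auditor below is an added example for this page, not a tool from the page's authors, Fortinet or AWS. It parses a small constructed config in FortiOS CLI syntax (config / edit / set / next / end) and flags WAN interfaces that allow management services, admin accounts without two-factor authentication, and admin accounts without a trusted-host restriction. The setting names (allowaccess, role, two-factor, trusthost1) follow the FortiOS CLI as I know it, but the config itself is invented and any audit should be validated against your firmware's CLI reference.

```python
"""Audit a FortiOS-style configuration backup for the exposures behind this incident.

Flags: management services (https/http/ssh/telnet) allowed on a WAN-role interface,
admin accounts without two-factor authentication, and admin accounts with no
trusted-host restriction. The sample config is constructed; setting names follow
the FortiOS CLI as an assumption, not a statement about any real device.
"""
import shlex

# Constructed sample backup: one hardened admin, one weak admin, management open on WAN.
SAMPLE_CONFIG = """
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end
config system interface
    edit "wan1"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set accprofile "super_admin"
    next
    edit "backup-admin"
        set accprofile "super_admin"
    next
end
"""

MGMT_SERVICES = {"https", "http", "ssh", "telnet"}


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    Tables and entries become dicts keyed by their name; each `set` stores its
    values as a list, e.g. {"system interface": {"wan1": {"allowaccess": ["ping", "https"]}}}.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # handles quoted names like edit "wan1"
        kw = parts[0]
        if kw in ("config", "edit"):       # open a table or an entry
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif kw == "set":
            stack[-1][parts[1]] = parts[2:]
        elif kw in ("next", "end"):        # close the innermost block
            stack.pop()
    return root


def audit_config(cfg):
    """Return (kind, name, finding) tuples for exposures relevant to this attack pattern."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(iface.get("allowaccess", []))
        if iface.get("role", [""])[0] == "wan" and exposed:
            findings.append(("interface", name,
                             "management access on WAN: " + ", ".join(sorted(exposed))))
    for name, adm in cfg.get("system admin", {}).items():
        # FortiOS omits settings left at default, so a missing two-factor means disabled.
        if adm.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("admin", name, "no two-factor authentication"))
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(("admin", name, "no trusted-host restriction"))
    return findings


if __name__ == "__main__":
    for kind, name, finding in audit_config(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"[{kind}] {name}: {finding}")
```

Run against the sample, the auditor reports wan1 for exposing https and ssh and backup-admin for lacking both MFA and a trusted-host list, while the hardened admin account produces nothing. The same three checks map onto the page's mitigations: closing management services on the WAN role removes the attacker's entry point, two-factor defeats the password brute-force, and trusted hosts keep a stolen password from being usable from an arbitrary source.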