How did attackers automate the compromise of Fortinet devices?

Threat actors used scripts or automated tools to scan, access, and exfiltrate configuration data at scale, even targeting devices previously thought secure due to being patched.

Could this breach have been prevented?

Enhanced zero trust segmentation, continuous monitoring, and rapid patch and configuration management would have significantly reduced the risk and impact of this breach.

This entry was generated by Aviatrix’s agentic AI workflow using verified public sources. It has not been reviewed or confirmed by human analysts. This content is provided for research and awareness only and should not be used as the sole basis for security, operational, or policy decisions. The entry may be updated as verification progresses or new information emerges. Aviatrix disclaims all liability for any and all damages resulting from decisions based on this entry.

Fortinet Firewalls Compromised: 2024 Malicious Configuration Attack Exposes Networks

Automated breaches of Fortinet firewalls in 2024 allowed attackers to steal configuration files and expose critical network details, even on fully patched devices. Discover what went wrong and how to prevent future incidents.

Published: January 23, 2026

Share this on:

Executive Summary

In early 2024, threat actors exploited unpatched and even fully patched Fortinet FortiGate firewalls, deploying malicious automation to illicitly access and exfiltrate firewall configuration files. Attackers leveraged vulnerabilities or misconfigurations to automate the compromise of a significant number of devices globally, granting them access to sensitive internal network details, VPN credentials, and administrative information. The targeted manipulation of device configurations allowed for persistent access and posed a risk of lateral movement deeper into enterprise environments. Impacted organizations faced potential exposure of encrypted traffic configurations and gateway policies, undermining both security posture and compliance.

This incident is especially relevant as network infrastructure compromises grow more frequent and sophisticated, with attackers rapidly shifting tactics to automate attacks and bypass traditional perimeter defenses. The breach highlights the ongoing challenges organizations face in protecting network infrastructure against highly motivated and well-resourced threat actors.

Why This Matters Now

Attackers are increasingly targeting critical network infrastructure as an initial entry point, often succeeding even against well-maintained, patched systems. The Fortinet incident reveals attackers’ ability to automate exploitation at scale, making it urgent for organizations to re-evaluate segmentation, monitoring, and response capabilities to defend against advanced persistent threats.

Attack Path Analysis

Attackers exploited a vulnerability or misconfiguration in exposed FortiGate firewalls to gain initial access, followed by escalation of privileges to modify system settings. They then moved laterally across network infrastructure, possibly targeting other systems. Malicious configuration changes enabled the establishment of command and control, allowing ongoing access. Firewall configuration files—potentially containing credentials—were exfiltrated, risking further compromise. Finally, attackers left organizations exposed to further attacks, data theft, or operational disruptions stemming from altered firewall states.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

High

Impact

Mediuminferred

Initial Compromise

Description

Exploitation of an external-facing firewall vulnerability or misconfiguration to gain unauthorized administrative access to FortiGate devices.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-64446
CVSS 9.1
A relative path traversal vulnerability in FortiWeb allows unauthenticated attackers to execute administrative commands via crafted HTTP or HTTPS requests.
Affected Products:
Fortinet FortiWeb – 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.11
Exploit Status:
exploited in the wild
References:
https://www.fortiguard.com/psirt/FG-IR-25-001 https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CVE-2025-58034
CVSS 7.2
An OS command injection vulnerability in FortiWeb allows unauthenticated attackers to execute arbitrary OS commands via crafted HTTP requests or CLI commands.
Affected Products:
Fortinet FortiWeb – 7.0.0 through 7.0.11, 7.2.0 through 7.2 ... , 7.4.0 through ... 10, 7.6.0 through ... 5, 8.0.0 through ...
Exploit Status:
exploited in the wild
References:
https://www.fortiguard.com/psirt/FG-IR-25-002 https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CVE-2025-59718
CVSS 9.8
An authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiOS – 7.0.0 through ... 16, 7.2.0 through ... 12
Fortinet FortiProxy – 7.0.0 through ... 19, 7.2.0 through ... 12
Fortinet FortiSwitchManager – 7.0.0 through ... 16, 7.2.0 through ... 12
Exploit Status:
exploited in the wild
References:
https://www.fortiguard.com/psirt/FG-IR-25-003 https://www.cisa.gov/known-exploited-vulnerabilities-catalog
CVE-2025-59719
CVSS 9.8
An authentication bypass vulnerability in FortiWeb allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiWeb – 7.0.0 through ... , 7.2.0 through ... , 7.4.0 through ... 10, 7.6.0 through ... 5, 8.0.0 through ...
Exploit Status:
exploited in the wild
References:
https://www.fortiguard.com/psirt/FG-IR-25-004 https://www.cisa.gov/known-exploited-vulnerabilities-catalog

MITRE ATT&CK® Techniques

This MITRE ATT&CK mapping reflects core techniques observed or likely in firewall configuration theft and manipulation; further enrichment is possible with full STIX/TAXII context.

Initial Access

T1190

Exploit Public-Facing Application

Impact

T1565.001

Data Manipulation: Stored Data Manipulation

Credential Access

T1003.008

OS Credential Dumping: /etc/passwd and /etc/shadow

Credential Access

T1081

Credentials in Files

Collection

T1119

Automated Collection

Exfiltration

T1020

Automated Exfiltration

Defense Evasion

T1078

Valid Accounts

Defense Evasion

T1562.001

Impair Defenses: Disable or Modify Firewall

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Implement Strong Access Controls for Network Components

Control ID: 1.4.1

Unauthorized access and manipulation of firewall configurations indicate that access controls or monitoring of critical network components were insufficient.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

Malicious changes to firewall devices suggest a lack of effective cybersecurity policy implementation and failure to safeguard infrastructure in accordance with NYDFS requirements.

DORA – ICT Risk Management Framework

Control ID: Article 9

The compromise of network infrastructure highlights insufficient ICT risk management and change management controls as required under DORA.

CISA ZTMM 2.0 – Enforce Rigorous Network Segmentation and Firewall Protection

Control ID: Network and Environment: Segmentation and Perimeter Controls

Threat actors were able to alter and exfiltrate firewall configurations, demonstrating gaps in zero trust perimeter and segmentation protection.

NIS2 Directive – Technical and Organizational Measures

Control ID: Article 21

Failure to prevent unauthorized configuration changes contravenes requirements for adequate technical and organizational cybersecurity measures under NIS2.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

Fortinet firewall compromises threaten financial institutions' network infrastructure, enabling lateral movement and data exfiltration through malicious configuration changes bypassing zero trust segmentation.

Health Care / Life Sciences

Healthcare networks face critical HIPAA compliance violations as compromised FortiGate devices expose patient data through unencrypted traffic and weakened east-west traffic security controls.

Government Administration

Government agencies experience severe network infrastructure compromise risks with automated FortiGate infections potentially exposing classified communications and enabling persistent threat actor access.

Information Technology/IT

IT service providers face cascading security failures as compromised Fortinet firewalls undermine client network defenses, threatening multicloud visibility and egress security enforcement capabilities.

Sources

Fortinet Firewalls Hit With Malicious Configuration Changeshttps://www.darkreading.com/cloud-security/fortinet-firewalls-malicious-configuration-changes
Verified

Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerabilityhttps://www.securityweek.com/fortinet-confirms-active-exploitation-of-critical-fortiweb-vulnerability/

Verified

Fortinet’s critical bug quietly exploited in the wildhttps://csecweekly.com/p/fortinet-s-critical-bug-quietly-exploited-in-the-wild

Verified

Fortinet Firewalls Hit with New Zero-Day Attack, Older Data Leakhttps://www.rapid7.com/blog/post/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/

Verified

Frequently Asked Questions

The breach highlighted gaps in network segmentation, encrypted traffic controls, and real-time monitoring, all of which are key requirements in frameworks like PCI DSS, HIPAA, and NIST 800-53.

Cloud Native Security Fabric Mitigations and ControlsCNSF

CNSF controls such as Zero Trust Segmentation, east-west traffic security, egress policy enforcement, and multicloud visibility could have prevented or rapidly detected attacker movement, unauthorized configuration access, and exfiltration of sensitive firewall files, limiting the attack’s blast radius and dwell time.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: Inline autonomous enforcement reduces exposed attack surface and rapidly blocks malicious ingress attempts.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Isolation of management planes and least privilege boundaries prevent unauthorized escalation.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Lateral movement detection and blocking limits adversary progression beyond initial foothold.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Anomalous control traffic and remote access patterns can be detected and flagged in real-time.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Data exfiltration by unauthorized destinations is blocked and/or alerted.

Impact (Mitigations)

Runtime firewall controls halt further unauthorized changes and suspicious outbound activity.

Impact at a Glance

Affected Business Functions

Network Security Operations
Data Protection
Compliance Monitoring

Operational Disruption

Estimated downtime: 5 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Unauthorized access to firewall configuration files may lead to exposure of sensitive network configurations, administrative credentials, and security policies, potentially facilitating further attacks or data breaches.

Recommended Actions

• Enforce microsegmentation and restrict management access to firewall devices via identity-based Zero Trust Segmentation controls.
• Apply east-west traffic policies to restrict lateral movement and monitor for anomalous workload behavior within and across regions.
• Mandate strong egress controls and content inspection to prevent unwanted exfiltration of device configurations or sensitive data.
• Enable centralized, real-time visibility and anomaly detection on all control and data plane traffic for rapid threat response.
• Regularly review and update firewall firmware and configurations, leveraging automation to detect and block known exploit attempts.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Get a Free Workload Attack Path Assessment Under Active Attack?

Fortinet Firewalls Compromised: 2024 Malicious Configuration Attack Exposes Networks

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-64446

Affected Products:

Exploit Status:

References:

CVE-2025-58034

Affected Products:

Exploit Status:

References:

CVE-2025-59718

Affected Products:

Exploit Status:

References:

CVE-2025-59719

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Data Manipulation: Stored Data Manipulation

OS Credential Dumping: /etc/passwd and /etc/shadow

Credentials in Files

Automated Collection

Automated Exfiltration

Valid Accounts

Impair Defenses: Disable or Modify Firewall

Potential Compliance Exposure

PCI DSS 4.0 – Implement Strong Access Controls for Network Components

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Enforce Rigorous Network Segmentation and Firewall Protection

NIS2 Directive – Technical and Organizational Measures

Sector Implications

Financial Services

Health Care / Life Sciences

Government Administration

Information Technology/IT

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads