FortiGate exposed management interface exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
FortiGate management interfaces were hit by an automated exploitation wave that abused internet-exposed ports and commonly reused credentials to compromise 600+ devices across 55 countries. The activity ran from January 11 to February 18, 2026, and later reporting linked the same campaign to the open-source AI-native tool CyberStrikeAI and to use of Anthropic Claude and DeepSeek. The risk is mass appliance compromise even without a FortiGate vulnerability being exploited, because stolen device configurations can expose credentials, network topology, and downstream access paths for later intrusion.
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
FortiBleed Fortinet credential-theft campaign
Campaign
H score89
First: 19.06.2026 13:48
Last: 19.06.2026 13:48
Sources 1
About this happening:
The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
FortiBleed Fortinet credential-theft campaign
CampaignAbout this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...
Latest development: 22.06.2026 11:30
The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
Campaign
H score82
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
CampaignAbout this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
OceanLotus SPECTRALVIPER campaigns targeting Vietnam
Campaign
H score33
First: 11.06.2026 12:45
Last: 11.06.2026 12:45
Sources 1
About this happening:
**OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...
OceanLotus SPECTRALVIPER campaigns targeting Vietnam
CampaignAbout this happening: **OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...
Timeline
-
21.02.2026 16:49 1 articles · 4mo ago
Initial FortiGate management interface exploitation
Exploitation ObservedFortiGate management interfaces exposed to the internet were targeted with automated scanning on ports 443, 8443, 10443, and 4443, followed by authentication attempts using commonly reused credentials to access device configurations and extract credentials and network topology information from affected organizations.
Show sources
- AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries — thehackernews.com — 21.02.2026 16:49
-
21.02.2026 16:49 3 articles · 4mo ago
Amazon discloses AI-assisted FortiGate compromise campaign
Initial DisclosureAmazon Threat Intelligence publicly assessed a Russian-speaking, financially motivated threat actor as having used commercial generative AI tools to compromise more than 600 FortiGate devices in 55 countries by abusing exposed management ports and weak single-factor credentials rather than FortiGate vulnerabilities.
Show sources
- AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries — thehackernews.com — 21.02.2026 16:49
- AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries — thehackernews.com — 21.02.2026 16:49
- Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries — thehackernews.com — 03.03.2026 16:29