Find notable cyber news and cases, enriched with sources, timelines, and signals.

FortiGate exposed management interface exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 35
1 unique sources, 2 articles

Summary

Hide ▲

FortiGate management interfaces were hit by an automated exploitation wave that abused internet-exposed ports and commonly reused credentials to compromise 600+ devices across 55 countries. The activity ran from January 11 to February 18, 2026, and later reporting linked the same campaign to the open-source AI-native tool CyberStrikeAI and to use of Anthropic Claude and DeepSeek. The risk is mass appliance compromise even without a FortiGate vulnerability being exploited, because stolen device configurations can expose credentials, network topology, and downstream access paths for later intrusion.

Related Happenings

FortiBleed multi-vendor brute-force wave

Exploitation Wave
H score75 First: 23.06.2026 21:20 Last: 23.06.2026 21:20 Sources 1

About this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score89 First: 22.06.2026 23:01 Last: 22.06.2026 23:01 Sources 1

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

FortiBleed Fortinet credential-theft campaign

Campaign
H score89 First: 19.06.2026 13:48 Last: 19.06.2026 13:48 Sources 1

About this happening: The **FortiBleed** Happening is a global **Fortinet credential-theft** campaign affecting **FortiGate firewall** and **SSL VPN** customers. The **UK’s NCSC** issued guidance after...

Latest development: 22.06.2026 11:30

The UK’s National Cyber Security Centre issued guidance for Fortinet customers impacted by FortiBleed after the campaign exposed around 75,000 credentials from FortiGate firewall and SSL VPN customers. The NCSC urged affected organizations to use Hudson Rock’s or SOCRadar’s FortiBleed checker tools and then review indicators of compromise such as unauthorized account creation and unexpected activity in log files.

Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign

Campaign
H score82 First: 17.06.2026 18:12 Last: 17.06.2026 18:12 Sources 1

About this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...

OceanLotus SPECTRALVIPER campaigns targeting Vietnam

Campaign
H score33 First: 11.06.2026 12:45 Last: 11.06.2026 12:45 Sources 1

About this happening: **OceanLotus** expanded its **Vietnam-focused espionage operations** with two attributed campaigns using **SPECTRALVIPER**, broadening risk to a **Vietnamese infrastructure and tr...

Timeline

  1. 21.02.2026 16:49 1 articles · 4mo ago

    Initial FortiGate management interface exploitation

    Exploitation Observed

    FortiGate management interfaces exposed to the internet were targeted with automated scanning on ports 443, 8443, 10443, and 4443, followed by authentication attempts using commonly reused credentials to access device configurations and extract credentials and network topology information from affected organizations.

    Show sources
  2. 21.02.2026 16:49 3 articles · 4mo ago

    Amazon discloses AI-assisted FortiGate compromise campaign

    Initial Disclosure

    Amazon Threat Intelligence publicly assessed a Russian-speaking, financially motivated threat actor as having used commercial generative AI tools to compromise more than 600 FortiGate devices in 55 countries by abusing exposed management ports and weak single-factor credentials rather than FortiGate vulnerabilities.

    Show sources