FortiGate exposed management interface exploitation wave

Exploitation Wave
Happening score
H score 39
1 unique source, 2 articles

Summary

FortiGate management interfaces were hit by an automated exploitation wave that abused internet-exposed ports and commonly reused credentials to compromise 600+ devices across 55 countries. The activity ran from January 11 to February 18, 2026, and later reporting linked the same campaign to the open-source AI-native tool CyberStrikeAI and to use of Anthropic Claude and DeepSeek. The risk is mass appliance compromise even without a FortiGate vulnerability being exploited, because stolen device configurations can expose credentials, network topology, and downstream access paths for later intrusion.

Related Happenings

Fortinet security patch release for CVE-2026-44277

Security Patch Release
First: 12.05.2026 21:23 Last: 12.05.2026 21:23 Sources 1

About this happening: Fortinet released **security updates** for **FortiSandbox** and **FortiAuthenticator** to fix **two critical vulnerabilities** that could let an **unauthenticated attacker** execu...

Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices

Target Trend
First: 15.04.2026 12:30 Last: 15.04.2026 12:30 Sources 1

About this happening: A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...

Fortinet FortiClient EMS emergency patch release (CVE-2026-35616, CVE-2026-21643)

Security Patch Release
First: 07.04.2026 12:26 Last: 07.04.2026 12:26 Sources 1

About this happening: **Fortinet** released an **emergency hotfix** for **FortiClient Enterprise Management Server (EMS)** after confirming **active exploitation** of **CVE-2026-35616**, a critical fla...

Fortinet FortiClient EMS actively exploited SQL injection flaw (CVE-2026-21643)

Vulnerability
First: 30.03.2026 10:48 Last: 30.03.2026 10:48 Sources 1

About this happening: Active exploitation of **CVE-2026-21643** is putting **Fortinet FortiClient EMS** deployments at risk of **unauthenticated arbitrary code or command execution** on unpatched syste...

Interlock Cisco Secure Firewall Management Center zero-day exploitation wave

Exploitation Wave
First: 18.03.2026 18:53 Last: 18.03.2026 18:53 Sources 1

About this happening: A **zero-day exploitation wave** tied to **Interlock** has been hitting **Cisco Secure Firewall Management Center (FMC)**, putting **enterprise firewalls** at risk before patching...

Timeline

  1. 21.02.2026 16:49 1 article · 3mo ago

    Initial FortiGate management interface exploitation

    Exploitation Observed

    FortiGate management interfaces exposed to the internet were targeted with automated scanning on ports 443, 8443, 10443, and 4443, followed by authentication attempts using commonly reused credentials to access device configurations and extract credentials and network topology information from affected organizations.

  2. 21.02.2026 16:49 3 articles · 3mo ago

    Amazon discloses AI-assisted FortiGate compromise campaign

    Initial Disclosure

    Amazon Threat Intelligence publicly assessed a Russian-speaking, financially motivated threat actor as having used commercial generative AI tools to compromise more than 600 FortiGate devices in 55 countries by abusing exposed management ports and weak single-factor credentials rather than FortiGate vulnerabilities.
