Fortinet devices under increased targeting as AI-enabled attacks scale in 2026

Threat summary

Field Effect is observing increased targeting of Fortinet devices in early 2026. This trend aligns with broader reporting on incidents in which threat actors combine scanning for vulnerabilities, exposed management interfaces, and weak or single-factor authentication to gain access to edge infrastructure.

Threat actors are increasingly applying AI-driven automation to scale operations against Fortinet firewalls, virtual private network endpoints, and security appliances. This approach lowers the skill threshold required to conduct large‑scale attacks and increases the likelihood of repeat targeting of unpatched or poorly configured edge devices.

In a recent report, Team Cymru researchers identified a surge in the use of an open-source, AI-enabled offensive security platform known as CyberStrikeAI in active campaigns targeting Fortinet FortiGate devices. This investigation followed earlier disclosures from Amazon Threat Intelligence, which linked a single internet address to an AI-assisted campaign that compromised FortiGate firewalls at scale.

March 2026 reporting from Team Cymru indicates that more than 600 FortiGate devices were compromised across 55 countries between January and February 2026, demonstrating rapid adoption of AI-enabled automation by threat actors.

Analysis

Organizations using Fortinet devices can review Field Effect’s ongoing Fortinet-focused coverage for additional technical context, timelines, and defensive guidance related to exploitation and follow-on activity. Relevant advice is available in this blog on how to reduce the risk of internet-exposed services.

Observed activity primarily takes advantage of internet‑exposed Fortinet appliances with weak authentication and limited access controls. Risk across Fortinet deployments can be reduced by prioritizing the following actions:

• Monitor Fortinet Product Security Incident Response Team notices and advisories for updated guidance related to exploitation, persistence techniques, and remediation steps, and incorporate this guidance into standard operating procedures for managed firewall environments.
• Apply current updates addressing known vulnerabilities and validate that devices are running supported firmware versions. Refer to Fortinet Product Security Incident Response Team advisories to determine whether deployed devices are affected.
• Implement access control lists for all internet-exposed services to allow access only from expected and authorized IP ranges or geographic locations.
• Enforce multi-factor authentication (MFA) for all accounts accessible via external services to provide additional protection against credential-based access.
• Review FortiGate local administrator and virtual private network user (VPN) accounts to identify and remove legacy or unused accounts. Rotate credentials for remaining accounts, particularly those with administrative privileges or remote access capabilities.
• Rotate credentials for directory bind accounts referenced in FortiGate authentication configurations. Restrict these accounts to authentication-only permissions and remove any directory modification or administrative rights not required for their function.
• Reduce exposure of management and remote access services. Disable Secure Sockets Layer virtual private network (SSL-VPN) and management interfaces where they are not required. Where remote access is necessary for business operations, limit access to known source networks and enforce strong authentication controls, including MFA where supported.
• Review FortiGate authentication and administrative access logs for anomalous activity, including successful logins from unexpected networks, service providers, or geographic locations. Pay particular attention to access patterns consistent with automated scanning or large-scale credential testing. Where exploitation may have occurred, review affected devices for residual post-exploitation artifacts.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up