Why were 600+ FortiGate firewalls breached?
A scaled, AI-augmented campaign targeted vulnerable appliances
Security teams traced a fast-moving intrusion that hit hundreds of FortiGate firewall appliances. Cloud provider reporting and follow-up investigations show the campaign combined off‑the‑shelf exploit tools with generative AI to automate reconnaissance, tailor payloads and scale attacks across many targets in a short time.
The attackers focused on known, exploitable FortiGate flaws and used automation to sweep for exposed devices. Once a device was compromised, adversaries moved quickly to extract credentials, modify configurations and, in some cases, pivot deeper into corporate networks. Reporting indicates the operation affected more than 600 devices across dozens of countries in a span of weeks and appears tied to a Russian‑speaking cybercrime group.
Why it matters
- Network perimeter devices like firewalls are high‑value targets because they guard broad swathes of infrastructure; compromises can yield lateral access.
- The use of generative AI made repetitive, context‑sensitive steps faster and cheaper for attackers, lowering the skill and time needed to execute mass campaigns.
- Widespread exploitation of a single vendor’s appliances highlights supply‑chain and patching challenges: many organizations still run internet‑exposed legacy devices or delayed updates.
Immediate takeaways for defenders
- Prioritize patching: apply fixes for the known FortiGate vulnerabilities immediately wherever they apply to your deployment, and apply vendor mitigations where a patch cannot be installed right away.
- Audit remote access and administrative accounts, rotate credentials and enforce multi‑factor authentication.
- Monitor for signs of post‑compromise activity such as unusual admin logins, config changes and suspicious outbound connections.
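The monitoring bullet above can be turned into a concrete check. The following is an added example (not from the original report or from Fortinet) that scans constructed FortiOS-style key=value log lines for the three signals listed: admin logins from outside assumed management networks, changes to the administrator table, and firewall-originated connections to ports outside an assumed egress allow-list. The management networks, firewall address and allowed ports are assumptions you would replace with your own policy.

```python
import ipaddress
import re

# Constructed FortiOS-style event/traffic log lines (key=value format); sample data, not real telemetry.
SAMPLE_LOGS = [
    'date=2024-05-01 time=02:14:07 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.45 ui="https(203.0.113.45)" action="login" status="success"',
    'date=2024-05-01 time=02:15:20 devname="fw-edge-1" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="support_tmp"',
    'date=2024-05-01 time=02:16:02 devname="fw-edge-1" type="traffic" subtype="local" srcip=192.0.2.1 dstip=198.51.100.7 dstport=4444 proto=6 action="accept"',
    'date=2024-05-01 time=09:01:11 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.0.5.12 ui="ssh(10.0.5.12)" action="login" status="success"',
]

# Assumed site policy (placeholders): admin access only from these networks, the firewall's own
# address, and the only ports the firewall itself should reach out on (DNS, NTP, HTTPS, syslog).
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FW_ADDRS = {"192.0.2.1"}
ALLOWED_EGRESS_PORTS = {53, 123, 443, 514}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict; values may be quoted (with spaces) or bare."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def findings(lines):
    """Return (rule, timestamp, subject, detail) tuples for every line that matches a signal."""
    out = []
    for line in lines:
        ev = parse(line)
        when = f'{ev.get("date")} {ev.get("time")}'
        # 1. Successful admin login whose source is not a management network.
        if ev.get("action") == "login" and ev.get("status") == "success" and "srcip" in ev:
            src = ipaddress.ip_address(ev["srcip"])
            if not any(src in net for net in MGMT_NETS):
                out.append(("admin-login-from-unexpected-source", when, ev.get("user"), str(src)))
        # 2. Any change to the administrator table (new or modified admin accounts).
        if ev.get("logdesc") == "Object attribute configured" and ev.get("cfgpath", "").startswith("system.admin"):
            out.append(("admin-account-change", when, ev.get("user"), ev.get("cfgobj")))
        # 3. Connection originated by the firewall itself to a port outside the egress allow-list.
        if ev.get("type") == "traffic" and ev.get("subtype") == "local" and ev.get("srcip") in FW_ADDRS:
            port = int(ev.get("dstport", 0))
            if port not in ALLOWED_EGRESS_PORTS:
                out.append(("firewall-egress-unexpected-port", when, ev.get("dstip"), str(port)))
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_LOGS):
        print(*f)
```

Feed it the device's exported event and local-traffic logs (or a syslog collector's copy) and review every hit against your change records; the login from 203.0.113.45, the new `support_tmp` administrator and the outbound connection on port 4444 in the sample data are the kind of sequence the article describes.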
It’s still unclear how complete the attackers’ access was in every case, or whether long‑term persistence has been eradicated from all affected networks. The incident underscores that AI accelerates both defensive and offensive tooling; organizations must treat automation in attackers’ hands as a force multiplier and raise their own operational tempo accordingly.