CISO Brief

All news with #fortigate tag

13 articles

Open-Source CyberStrikeAI Deployed in FortiGate Attacks

🚨 Security researchers say an open-source, AI-native offensive platform called CyberStrikeAI was used to automate mass scanning and exploitation of Fortinet FortiGate appliances, contributing to compromises of more than 600 devices across 55 countries. Team Cymru traced activity to a Russian-speaking actor after analyzing an IP address and observed 21 unique IPs running the tool between January 20 and February 26, 2026. The tool's GitHub maintainer, known as Ed1s0nZ, has published a range of exploitation and AI-jailbreak utilities and shows interactions with organizations linked to Chinese state cyber capabilities.

Russian Actor Uses AI to Exploit Weak Fortinet Firewalls

🤖 Amazon Threat Intelligence says a Russian-speaking actor used commercial generative AI services to compromise hundreds of FortiGate firewalls by exploiting exposed management interfaces and weak, single-factor credentials. Between Jan. 11 and Feb. 18 the group breached over 600 devices across 55+ countries, then accessed Active Directory, extracted credential databases, and targeted backups. Amazon recommends fundamental controls — restrict management access, enforce MFA, patch perimeter devices, improve segmentation, and enhance detection — noting the attacker’s toolkit and operational plans were largely AI-generated and publicly left on infrastructure used in the campaign.

Poland Attributes December Cyber Attacks to Static Tundra

🔒 CERT Polska disclosed coordinated, destructive cyber attacks on December 29, 2025 that targeted more than 30 wind and photovoltaic farms, a manufacturing firm, and a large combined heat and power (CHP) plant. The agency attributed the activity to the cluster it calls Static Tundra, linked to Russia's FSB Center 16, while other vendors noted similarities to Sandworm. Attackers deployed multiple wipers — notably DynoWiper and a PowerShell-based LazyWiper — exploited vulnerable FortiGate appliances, harvested credentials and exfiltrated selected M365 data, but did not succeed in disrupting electricity production or heat delivery.

Fortinet: Active FortiCloud SSO Bypass on Patched FortiGate

🔒 Fortinet confirmed active exploitation of a FortiCloud SSO authentication bypass affecting fully patched FortiGate firewalls. The vendor said attackers exploited a new attack path that can circumvent patches addressing CVE-2025-59718 and CVE-2025-59719 by using crafted SAML messages when FortiCloud SSO is enabled. Observed activity includes creation of generic admin accounts, configuration changes to enable VPN access, and configuration exfiltration. Fortinet recommends restricting internet-facing administrative access and disabling the admin-forticloud-sso-login feature while a full remediation is finalized.

Fortinet confirms FortiCloud SSO auth bypass remains unpatched

⚠️ Fortinet confirmed it is still addressing a critical FortiCloud SSO authentication bypass (CVE-2025-59718) after reports that attackers are able to bypass patches and compromise fully updated firewalls. Security firm Arctic Wolf says automated attacks beginning January 15 created VPN-access admin accounts and quickly exfiltrated firewall configurations. Fortinet advises disabling FortiCloud SSO, restricting administrative access with a local-in policy, and treating affected systems as compromised while a full fix is developed.

Fortinet FortiGate SSO Exploited to Steal Configs Remotely

🚨 Cybersecurity firm Arctic Wolf reports automated attacks against Fortinet FortiGate devices that exploit the FortiCloud SSO feature to create rogue admin accounts and rapidly export firewall configurations. The campaign began January 15 and mirrors December exploitation tied to CVE-2025-59718. Observed indicators include SSO logins from cloud-init@mail.io and IP 104.28.244.114. Administrators are advised to disable FortiCloud SSO until Fortinet issues a complete fix.

Automated Attacks Target Fortinet FortiGate SSO Configurations

🔒 Arctic Wolf warns of a new cluster of automated malicious activity that began on January 15, 2026, involving unauthorized configuration changes to Fortinet FortiGate devices. Attackers exploited SAML-related weaknesses (CVE-2025-59718, CVE-2025-59719) to bypass FortiCloud SSO, create generic admin accounts such as cloud-init@mail.io and names like secadmin or itadmin, and export firewall configurations to external IPs. Administrators are advised to disable the admin-forticloud-sso-login setting until mitigations are confirmed.

Thousands of FortiGate Firewalls Still Exposed to 2020 Flaw

🔒 Bleeping Computer reports that attackers are actively exploiting an older FortiOS vulnerability, CVE-2020-12812, which can bypass two-factor authentication. Although Fortinet issued a patch in July 2020, researchers say at least 10,000 FortiGate firewalls remain unpatched. Administrators are urged to install the latest updates immediately to mitigate account access risks. Additional measures include restricting administrative access, rotating credentials, and monitoring logs for suspicious activity.

Fortinet warns: 5-year-old FortiOS 2FA bypass exploited

🔒 Fortinet warns that attackers continue to exploit a critical FortiOS vulnerability (CVE-2020-12812) that can bypass two-factor authentication on FortiGate SSL VPNs by changing the case of the username. The issue affects configurations where local users requiring FortiToken are linked to LDAP groups and stems from inconsistent case-sensitive matching between local and remote authentication. Fortinet patched the bug in July 2020 and advised disabling username case sensitivity or removing secondary LDAP group fallbacks if patches cannot be deployed; the vendor reports ongoing abuse against appliances with LDAP configured.

Observed Abuse of FG-IR-19-283: LDAP Username Case Issue

🔐 Fortinet has observed active abuse of FG-IR-19-283 (CVE-2020-12812) in environments where FortiGate and LDAP username case handling differ. In these configurations, a username entered with any case variation that does not exactly match the local FortiGate entry can bypass local 2FA and instead authenticate via an LDAP group fallback. Administrators should enable the appropriate username sensitivity setting or remove unnecessary secondary LDAP groups to block this bypass.

Active Attacks Exploit Fortinet FortiGate SSO Flaws

🔒 Arctic Wolf observed active intrusions on December 12, 2025 exploiting two critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). The flaws, both scored 9.8, permit unauthenticated bypass of SSO login via crafted SAML messages when FortiCloud SSO is enabled; Fortinet published patches for FortiOS, FortiWeb, FortiProxy and FortiSwitchManager last week. Attackers used hosting IPs tied to providers such as The Constant Company LLC, BL Networks and Kaopu Cloud HK Limited to log in as "admin" and export device configurations. Organizations should apply updates immediately, disable FortiCloud SSO until systems are patched, restrict management access and assume compromise if IoCs are present.

Fortinet Wins Red Dot Award for FortiGate Rugged Series

🏆 Fortinet’s FortiGate Rugged series (FGR-50G-5G and FGR-70G-5G) earned the Red Dot Product Design Award for its fanless industrial design, integrated 5G, and purpose-built ASIC performance. Engineered for OT and critical infrastructure, the appliances combine thermal resilience, shock and moisture protection, and low-latency security functions including next-generation firewalling, SD-WAN, VPN, and AI-driven threat detection. The recognition underscores Fortinet’s focus on precision engineering and durable, field-ready security.

Fortinet Publishes First EPD for FortiGate-40F NGFW

🌱 Fortinet has published the industry’s first Environmental Product Declaration (EPD) for the FortiGate-40F Next-Generation Firewall, verified under the new PCR 2024:06. The EPD is based on an independent Life Cycle Assessment and discloses lifecycle impacts—carbon, energy, water, materials, and waste—providing procurement teams with standardized, third-party-validated data. Fortinet views this as an initial step and plans to extend EPD coverage across additional models to support compliance, decarbonization, and sustainable procurement.