Tag: fortinet
-
FortiGate Firewall Exploitation Fuels Network Breaches in New Attack Wave
Tags: attack, breach, credentials, cve, cyber, cybersecurity, exploit, firewall, flaw, fortinet, network, threat, vulnerabilityCybersecurity defenders identified a surge in network breaches originating from compromised FortiGate Next-Generation Firewalls. According to incident responders at SentinelOne, threat actors exploit recent vulnerabilities to extract configuration files, steal credentials, and establish deep network footholds. Attackers are primarily leveraging flaws in Fortinet’s Single Sign-On mechanisms. Vulnerabilities like CVE-2025-59718, CVE-2025-59719, and the recently patched CVE-2026-24858…
-
Storm-2561 lures victims to spoofed VPN sites to harvest corporate logins
Attackers linked to Storm-2561 use SEO-poisoned search results to lure users to fake Ivanti, Cisco, and Fortinet VPN sites that steal corporate login credentials. In mid-January 2026, Microsoft Defender Experts uncovered a credential-theft campaign attributed to Storm-2561. Threat actor is spreading fake enterprise VPN clients impersonating Ivanti, Cisco, and Fortinet software. By poisoning search engine…
-
Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others
And then they send victims to the legit VPN download to hide their tracks First seen on theregister.com Jump to article: www.theregister.com/2026/03/13/vpn_clients_spoofed/
-
Fake enterprise VPN sites used to steal company credentials
A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/fake-enterprise-vpn-downloads-used-to-steal-company-credentials/
-
Fake enterprise VPN sites used to steal company credentials
A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/fake-enterprise-vpn-downloads-used-to-steal-company-credentials/
-
Fake enterprise VPN downloads used to steal company credentials
A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/fake-enterprise-vpn-downloads-used-to-steal-company-credentials/
-
Zero-day exploits hit enterprises faster and harder
Tags: access, apple, attack, backdoor, business, china, cisco, cve, data, detection, endpoint, espionage, exploit, firewall, flaw, fortinet, google, group, hacker, infrastructure, ivanti, least-privilege, mobile, network, oracle, radius, ransomware, risk, router, russia, service, software, technology, threat, update, vpn, vulnerability, zero-dayEnterprise environments under siege: Chinese threat actors continued to display a preference for targets that are difficult to monitor and allow persistent access to strategic networks. Notable examples include the groups that GTIG tracks as UNC5221, which exploited a flaw in Ivanti Connect Secure (CVE-2025-0282) and UNC3886, which exploited a vulnerability in Juniper routers (CVE-2025-21590).Another…
-
State-affiliated hackers set up for critical OT attacks that operators may not detect
Tags: access, antivirus, attack, conference, control, credentials, cyberattack, cybersecurity, data, data-breach, defense, detection, exploit, firmware, fortinet, group, hacker, incident response, infrastructure, Internet, Intruder, lessons-learned, malware, mfa, monitoring, network, password, penetration-testing, phishing, regulation, russia, service, spear-phishing, supply-chain, threat, tool, ukraine, update, vulnerabilityRussia’s OT attack teams expand beyond Ukraine: The Russia-linked pair Kamacite and Electrum, which Dragos has tracked since the mid-2010s and is responsible for the 2015 and 2016 cyberattacks that took down parts of Ukraine’s power grid, expanded operations into NATO territory in 2025 after years focused almost exclusively on Ukrainian targets.Kamacite, which serves as…
-
State-affiliated hackers set up for critical OT attacks that operators may not detect
Tags: access, antivirus, attack, conference, control, credentials, cyberattack, cybersecurity, data, data-breach, defense, detection, exploit, firmware, fortinet, group, hacker, incident response, infrastructure, Internet, Intruder, lessons-learned, malware, mfa, monitoring, network, password, penetration-testing, phishing, regulation, russia, service, spear-phishing, supply-chain, threat, tool, ukraine, update, vulnerabilityRussia’s OT attack teams expand beyond Ukraine: The Russia-linked pair Kamacite and Electrum, which Dragos has tracked since the mid-2010s and is responsible for the 2015 and 2016 cyberattacks that took down parts of Ukraine’s power grid, expanded operations into NATO territory in 2025 after years focused almost exclusively on Ukrainian targets.Kamacite, which serves as…
-
Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries
The threat actor behind the recently disclosed artificial intelligence (AI)-assisted campaign targeting Fortinet FortiGate appliances leveraged an open-source, AI-native security testing platform called CyberStrikeAI to execute the attacks.The new findings come from Team Cymru, which detected its use following an analysis of the IP address (“212.11.64[.]250”) that was used by the suspected First seen on…
-
Fortinet FortiGate Devices Targeted by CyberStrikeAI, Allowing Hackers to Bypass Security
Threat intelligence researchers at Team Cymru have uncovered an open-source AI-powered offensive security tool called CyberStrikeAI, actively used to target Fortinet FortiGate devices at scale, with its developer carrying suspected ties to China’s Ministry of State Security (MSS).”‹ CyberStrikeAI is an AI-native security testing platform written in Go, developed by a GitHub user named Ed1s0nZ.…
-
CyberStrikeAI tool adopted by hackers for AI-powered attacks
Researchers warn that a newly identified open-source AI security testing platform called CyberStrikeAI was used by the same threat actor behind a recent campaign that breached hundreds of Fortinet FortiGate firewalls. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/cyberstrikeai-tool-adopted-by-hackers-for-ai-powered-attacks/
-
Russian group uses AI to exploit weakly-protected Fortinet firewalls, says Amazon
Tags: access, ai, api, attack, authentication, business, ciso, control, credentials, cybersecurity, data-breach, detection, exploit, firewall, fortinet, group, Internet, linkedin, malicious, mfa, monitoring, network, password, russia, software, threat, tool, vpn, vulnerabilityRecommendations: The Amazon report makes a number of recommendations to network admins with FortiGate devices. They include ensuring device management interfaces aren’t exposed to the internet, or, if they have to be, restricting access to known IP ranges and using a bastion host or out-of-band management network. As basic cybersecurity demands, all default and common…
-
AI Let ‘Unsophisticated’ Hacker Breach 600 Fortinet Firewalls, AWS Says, As AI Lowers ‘The Barrier’ For Threat Actors
Hackers use AI, GenAI and LLMs to breach Fortinet FortiGate firewalls as cybersecurity and threat actors leverage AI for cyber-attacks, AWS report finds. First seen on crn.com Jump to article: www.crn.com/news/security/2026/ai-let-unsophisticated-hacker-breach-600-fortinet-firewalls-aws-says-as-ai-lowers-the-barrier-for-threat-actors
-
Russian Cyber Threat Actor Uses GenAI to Compromise Fortinet Firewalls
A low-skilled Russian-speaking attacker has used GenAI tools to help deploy a successful attack workflow targeting FortiGate instances First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/russian-threat-actor-genai/
-
Von unerfahrenem Hacker: Hunderte Firewalls mithilfe von KI infiltriert
Innerhalb weniger Wochen hat ein unerfahrener Angreifer laut AWS dank KI-Nutzung weltweit über 600 Fortinet-Firewalls kompromittiert. First seen on golem.de Jump to article: www.golem.de/news/von-unerfahrenem-hacker-hunderte-firewalls-mithilfe-von-ki-infiltriert-2602-205719.html
-
Attacker Breached 600 FortiGate Appliances in AI-Assisted Campaign: Amazon
An single threat actor used AI tools to create and run a campaign that compromised more then 600 Fortinet FortiGate appliances around the world over five weeks, according to Amazon threat researchers, the latest example of how cybercriminals are using the technology in their attacks. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/02/attacker-breached-600-fortigate-appliances-in-ai-assisted-campaign-amazon/
-
Amazon: AI-assisted hacker breached 600 Fortinet firewalls in 5 weeks
Amazon is warning that a Russian-speaking hacker used multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls across 55 countries in five weeks. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/
-
Breach Roundup: CISA Flags OT Risks After Polish Grid Hack
Also: Spanish Hacker Granted Russian Asylum, Microsoft Patches Zero-Days. This week, a CISA warning, Nest footage in Nancy Guthrie case, Signal phishing. Spanish hacker, Russian asylum. Spanish ministry services offline. BYOVD ransomware. The Conduent breach hit Volvo. Microsoft patched zero-days. ZeroDayRAT targeted devices. The SmarterMail breach. Another Fortinet flaw. First seen on govinfosecurity.com Jump to…
-
Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection
Fileless .NET stage and a modular XWorm core: Beyond initial access, Fortinet observed a fileless .NET stage loaded directly into memory, followed by process hollowing into msbuild.exe, a legitimate Microsoft build tool capable of executing .NET code. The choice of msbuild.exe aligns with the malware’s runtime requirements while helping it blend into normal system activity.”A…
-
Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection
Fileless .NET stage and a modular XWorm core: Beyond initial access, Fortinet observed a fileless .NET stage loaded directly into memory, followed by process hollowing into msbuild.exe, a legitimate Microsoft build tool capable of executing .NET code. The choice of msbuild.exe aligns with the malware’s runtime requirements while helping it blend into normal system activity.”A…
-
Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection
Fileless .NET stage and a modular XWorm core: Beyond initial access, Fortinet observed a fileless .NET stage loaded directly into memory, followed by process hollowing into msbuild.exe, a legitimate Microsoft build tool capable of executing .NET code. The choice of msbuild.exe aligns with the malware’s runtime requirements while helping it blend into normal system activity.”A…
-
FortiOS Authentication Bypass Exposes VPN and SSO Deployments
Fortinet disclosed a FortiOS flaw that could allow LDAP authentication bypass for VPN and SSO access. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/fortios-authentication-bypass-exposes-vpn-and-sso-deployments/
-
FortiOS Authentication Bypass Exposes VPN and SSO Deployments
Fortinet disclosed a FortiOS flaw that could allow LDAP authentication bypass for VPN and SSO access. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/fortios-authentication-bypass-exposes-vpn-and-sso-deployments/
-
FortiSandbox XSS Vulnerability Allows Remote Command Execution
Fortinet disclosed an XSS flaw in FortiSandbox that could allow unauthenticated remote command execution. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/fortisandbox-xss-vulnerability-allows-remote-command-execution/
-
Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution
Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.The vulnerability, tracked as CVE-2026-21643, has a CVSS rating of 9.1 out of a maximum of 10.0.”An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in…
-
Critical Fortinet FortiClientEMS flaw allows remote code execution
Fortinet warns of a critical FortiClientEMS vulnerability that lets remote attackers run malicious code without logging in. Fortinet issued an urgent advisory to address a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1). The vulnerability is an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) issue in FortiClientEMS. An…
-
Critical Fortinet FortiClient EMS Vulnerability Allows Remote Code Execution
A critical security vulnerability has been discovered in Fortinet’s FortiClient EMS (Endpoint Management Server), potentially exposing organizations to remote code execution attacks. The flaw, tracked as CVE-2026-21643, was disclosed on February 6, 2026, and carries a severe CVSS score of 9.1 out of 10. FortiClient EMS Vulnerability The vulnerability stems from an SQL injection flaw…
-
Fortinet Is ‘Only Leader’ In Sovereign SASE Market: CEO Ken Xie
Fortinet is seeing a surge in customer demand for its SASE (secure access service edge) platform, driven by unique capabilities including a sovereign SASE version of the offering, according to Fortinet Co-founder and CEO Ken Xie. First seen on crn.com Jump to article: www.crn.com/news/security/2026/fortinet-is-only-leader-in-sovereign-sase-market-ceo-ken-xie