Between January 11 and February 18, 2026, more than 600 internet-facing FortiGate appliances across over 55 countries were compromised—not through zero-day exploitation, but due to weak or reused credentials, exposed administrative interfaces, and the absence of multi-factor authentication. Automation and AI-assisted scripting significantly amplified the impact, enabling large-scale extraction and parsing of firewall configuration files containing administrative accounts, SSL-VPN credentials, IPsec keys, and detailed internal network topology information.
Credential reuse and insufficient privilege restrictions escalated exposure in multiple cases, allowing harvested credentials to be leveraged against Active Directory environments. An additional attack surface was identified in unpatched Veeam Backup & Replication instances and legacy FortiOS vulnerabilities. The campaign highlights a critical reality: enterprise risk is increasingly driven not by advanced malware, but by systemic identity management failures and poorly secured management-plane interfaces.
The activity involved systematic internet-wide scanning of FortiGate administrative interfaces exposed on ports 443, 8443, 10443, and 4443. Appliances protected only by single-factor authentication and weak or reused credentials were targeted. Access was achieved through credential-based authentication and exploitation of known vulnerabilities, including legacy FortiOS issues such as CVE-2019-7192, without reliance on zero-day techniques.
Upon successful authentication, threat actors extracted full device configuration files. These files contained firewall rulesets, IPsec VPN peer configurations, administrative account details, SSL-VPN credentials (often recoverable in plaintext or decryptable form), and comprehensive internal network topology data. Automation and AI-assisted scripting were used to rapidly parse, decrypt, and analyze configuration files at scale, significantly accelerating credential harvesting and environment mapping.
Post-access activity demonstrated how an exposed perimeter management plane can cascade into domain-level compromise. Harvested credentials were tested for reuse within Windows environments, enabling lateral movement via pass-the-hash, pass-the-ticket, and NTLM relay techniques. In multiple cases, DCSync operations were executed against domain controllers to replicate the domain's NTLM password hashes, indicating that replication privileges had been granted too broadly and that the corresponding directory access events (e.g., Event ID 4662) were not being monitored. Backup infrastructure was also assessed for exposure, particularly unpatched or misconfigured instances of Veeam Backup & Replication (including CVE-2023-27532 and CVE-2024-40711), which could allow credential extraction or remote code execution, further compounding enterprise risk.
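As an added detection example (not part of the original report), the Python below flags DCSync-style replication requests in Security Event ID 4662 records by matching the directory replication rights GUIDs in the event's Properties field and excluding known domain controller computer accounts. The event records, host names and the KNOWN_DCS set are constructed for this example; the GUIDs in REPLICATION_RIGHTS are the genuine rightsGuid values of the DS-Replication-Get-Changes control-access rights.

```python
"""Detect DCSync-style replication requests in Windows Security Event ID 4662.

A DCSync obtains account secrets by asking a domain controller for the
directory replication control-access rights. Audited 4662 events record those
rights as GUIDs in the Properties field. Replication between domain controllers
is normal, so an alert is raised only when the requesting principal is not a
known DC computer account. SAMPLE_EVENTS is constructed for this example; the
GUIDs in REPLICATION_RIGHTS are the real rightsGuid values."""

import re

# Real Active Directory control-access rights used for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample: EventData of three 4662 events plus one unrelated logon event.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "Control Access {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP"},
]
# Computer account names of the domain controllers (constructed; in practice pulled from AD).
KNOWN_DCS = {"DC01", "DC02"}


def replication_rights_in(event):
    """Return the names of replication rights referenced in a 4662 event's Properties."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))


def find_dcsync(events, known_dcs):
    """Return one alert dict per 4662 event that requests replication rights
    from a principal other than a known domain controller computer account."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev)
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.endswith("$") and subject[:-1].upper() in known_dcs:
            continue  # DC-to-DC replication is expected
        alerts.append({
            "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "rights": rights,
            "computer": ev.get("Computer", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"DCSync suspected: {alert['subject']} requested "
              f"{', '.join(alert['rights'])} on {alert['computer']}")
```

Run against the constructed sample, only the svc_backup request is reported: the DC02$ request carries the same rights but comes from a listed domain controller, and the jdoe event references no replication GUID. In production the known-DC set should be derived from the Domain Controllers OU rather than hard-coded, and the 4662 audit subcategory (Directory Service Access) must be enabled on the domain controllers for these events to exist at all.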
The exploitation did not depend on sophisticated tooling or zero-day vulnerabilities. Instead, it leveraged publicly known flaws in FortiOS and Veeam Backup & Replication, exposed management interfaces, and weak or reused credentials. Because configuration files frequently contained recoverable passwords and administrative access relied on single-factor authentication, attackers were able to automate access, extraction, and credential parsing using simple scripting techniques.
The widespread availability of open-source reconnaissance and post-exploitation frameworks further reduced complexity, enabling large-scale compromise with minimal customization and moderate technical expertise. AI-assisted scripting amplified efficiency by automating configuration analysis and accelerating credential correlation across environments.
This incident reinforces a critical lesson: enterprise compromise is often driven not by advanced malware, but by persistent misconfigurations, weak credential governance, and exposed administrative interfaces. Automation and AI-assisted scripting have further reduced the effort required to operationalize these weaknesses at scale.
To prevent similar widespread exploitation, organizations must immediately remove internet-facing management interfaces, enforce multi-factor authentication, rotate all credentials, patch known vulnerabilities, and actively monitor backup systems and Active Directory for anomalous activity. Management-plane security and identity governance must be treated as strategic security priorities rather than operational afterthoughts.
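As an added example (not from the original report or from Fortinet), the following Python script audits a FortiOS configuration export for the conditions described above: administrator accounts without two-factor authentication or trusted-host restrictions, and WAN-role interfaces whose allowaccess list exposes an administrative protocol. The sample configuration is constructed with placeholder values; the CLI keys allowaccess, role, two-factor, fortitoken and trusthost1 are standard FortiOS settings, but only the flat config/edit/set subset shown is parsed (nested config blocks inside an edit entry are not handled).

```python
"""Audit a FortiOS configuration export for management-plane weaknesses.

Checks performed:
  * interfaces with role "wan" whose allowaccess list includes an administrative
    protocol (https/http/ssh/telnet), i.e. management exposed to the internet;
  * administrator accounts without two-factor authentication;
  * administrator accounts without any trusthostN restriction.

SAMPLE_CONFIG is constructed for this example. The key names are standard
FortiOS CLI settings, but the parser only understands the flat
'config ... edit ... set ... next ... end' subset shown here; nested config
blocks inside an edit entry are not handled."""

# Constructed sample (placeholder values, not from any real appliance).
SAMPLE_CONFIG = """\
config system global
    set admin-sport 10443
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER==
    next
    edit "netops"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "PLACEHOLDER"
    next
end
"""

# Protocols in an allowaccess list that expose the administrative interface.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_config(text):
    """Return {section: {entry: {key: value}}}.

    Settings that appear directly under 'config' (no 'edit') are stored under
    the empty entry name ''. Quotes around names and values are stripped."""
    sections = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            entry = ""
            sections.setdefault(section, {}).setdefault(entry, {})
        elif section is None:
            continue
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = ""
        elif line == "end":
            section = entry = None
    return sections


def audit(text):
    """Return a sorted list of (severity, finding) tuples for the config text."""
    cfg = parse_config(text)
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", "").split())
        if name and iface.get("role") == "wan" and exposed:
            findings.append(("HIGH", f"interface {name} (role wan) allows admin access: "
                                     + " ".join(sorted(exposed))))
    for name, adm in cfg.get("system admin", {}).items():
        if not name:
            continue  # skip the section-level pseudo entry
        if "two-factor" not in adm:
            findings.append(("HIGH", f"admin {name} has no two-factor authentication"))
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(("MEDIUM", f"admin {name} has no trusted-host restriction"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

On the constructed sample the script reports the wan1 interface (HTTPS and SSH reachable from the WAN side) and the built-in admin account (no second factor, no trusted hosts), while the netops account, which has both, produces no finding. The same checks map directly onto the remediation steps listed above: removing administrative protocols from WAN-facing allowaccess lists, enforcing two-factor authentication for every administrator, and restricting administrative logins to trusted management networks.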
The impact is significant, as compromise of FortiGate appliances exposed SSL-VPN credentials, administrative accounts, and internal network topology, enabling direct authenticated access into enterprise environments. This facilitated domain-level breaches, lateral movement, data exfiltration, ransomware staging, and potential disruption of critical backup infrastructure.
The scale of exposure across more than 55 countries underscores the global operational and reputational risk to affected organizations. When perimeter security devices are compromised, they effectively become reconnaissance and pivot platforms for deeper enterprise penetration.