600 Firewalls Compromised in One Wave. Yours Might Be One of Them.
AI-assisted credential stuffing against internet-exposed FortiGate admin panels. 600+ devices across 55 countries. Full configs extracted including VPN credentials. If your firewall management is internet-facing, read this now.
# The attackers didn't need a zero-day. They just tried passwords.
In May 2026, researchers observed a massive credential-stuffing campaign against internet-exposed Fortinet FortiGate management panels. Automated tooling, assisted by AI for efficiency and evasion, scanned the internet for exposed management ports, tried credentials against panels protected by single-factor authentication, and scripted the extraction of everything useful from the ones that let them in.
600+ devices compromised. 55+ countries. One wave.
What they extracted from each compromised device:
- Full device configuration files
- VPN credentials (every remote user's login)
- Admin credentials
- Network topology and firewall rules
- IPsec peer settings (VPN tunnel configurations to partner networks)
With a firewall's full configuration, the attacker has a complete map of your network. Every subnet. Every rule. Every exception. Every VPN tunnel to a partner or branch office. They know your network better than most of your employees do.
And with VPN credentials? They log in like any remote worker. The VPN is the front door, and they just got the keys.
# "But our firewall has a password."
Right. And that password is the only thing between the internet and root access to your perimeter security device. No MFA. No IP restrictions. No rate limiting. Just a username and password on a login page that's reachable from anywhere in the world.
The attackers used credential stuffing, not brute force. They're not trying random passwords. They're trying passwords from data breaches. If your firewall admin password is also used for any service that's ever been breached (and there are billions of leaked credentials available), it's in their list.
Add AI assistance and the operation gets even more efficient. The tooling adapts to rate limiting, rotates through source IPs, and prioritizes targets based on response signatures that indicate valuable configurations.
This isn't a sophisticated nation-state operation. This is industrial-scale automation pointed at the lowest-hanging fruit in network security: management interfaces with single-factor auth exposed to the internet.
# What to do.
1. Remove your firewall management interface from the internet. This is not optional. Management ports (443/HTTPS admin, 22/SSH, custom ports) should only be accessible from your internal network or through a VPN. Not from the internet. If you need remote management, use a jump host or VPN to reach it.
2. Enable MFA on admin and VPN portals. If your firewall supports it (FortiGate does), turn it on. If it doesn't support MFA, that's a reason to consider upgrading to hardware that does.
3. Check your admin accounts right now. Log into your FortiGate (or whatever you run) and review the admin user list. Any accounts you don't recognize? Any accounts with default or common names (admin, administrator, firewall, test)? Remove or disable anything that shouldn't be there.
4. Review your device configuration for unauthorized changes. Compare your running config against your last known-good backup. Look for new VPN users, modified firewall rules, new admin accounts, or changed routing.
5. Check if your device is internet-exposed. Search your public IP on Shodan or Censys. If your firewall management port appears, the attackers can find it too. And they already have.
6. Rotate VPN credentials for all users. If your management interface was exposed with single-factor auth, assume the worst. Change every VPN user's password. Force MFA enrollment. Don't wait for evidence of compromise. The evidence might be the attacker using your VPN right now.
7. Subscribe to GreyNoise or CISA alerts for your device vendor. When mass scanning campaigns target your hardware, you need to know immediately, not after 600+ devices are already compromised.
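As an added example (not from the original post, and not Fortinet's own tooling), a small Python script that applies steps 1 to 4 to a FortiGate configuration backup: it parses the `config` / `edit` / `set` / `next` / `end` block syntax, flags admin accounts that are missing from a known-good list, that have no `trusthost` restriction, or that have `two-factor` disabled, and lists WAN-role interfaces whose `allowaccess` permits an admin protocol. The config excerpt is constructed for the example and the known-good admin set is an assumption you would replace with your last good backup.

```python
# Constructed FortiGate-style config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "svc_backup"
    next
end
"""

def parse_config(text):
    """Flatten config/edit/set blocks into {section: {entry: {key: [values]}}}."""
    sections, path, saved, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):           # open a section; remember enclosing edit
            path.append(line[7:]); saved.append(current); current = None
            sections.setdefault(" / ".join(path), {})
        elif line.startswith("edit "):           # open an entry inside the section
            current = line[5:].strip('"')
            sections[" / ".join(path)].setdefault(current, {})
        elif line.startswith("set ") and current is not None:
            key, *vals = line[4:].split()
            sections[" / ".join(path)][current][key] = [v.strip('"') for v in vals]
        elif line == "next":
            current = None
        elif line == "end":                      # close section, restore enclosing edit
            path.pop(); current = saved.pop()
    return sections

def audit_admins(cfg, known_admins):
    """Steps 2-4: unexpected admin accounts, and admins lacking trusthost or MFA."""
    findings = []
    for name, a in cfg.get("system admin", {}).items():
        if name not in known_admins:
            findings.append(f"{name}: not in known-good admin list")
        if not any(k.startswith("trusthost") for k in a):
            findings.append(f"{name}: no trusthost restriction")
        if a.get("two-factor", ["disable"])[0] == "disable":   # unset means disabled
            findings.append(f"{name}: two-factor disabled")
    return findings

def exposed_management(cfg):
    """Step 1: WAN-role interfaces that allow an admin protocol in allowaccess."""
    return [n for n, a in cfg.get("system interface", {}).items()
            if a.get("role", [""])[0] == "wan"
            and {"http", "https", "ssh", "telnet"} & set(a.get("allowaccess", []))]
```

Run it against a `show full-configuration` export and treat every line of output as a finding to close before the device goes back on an internet-facing link.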
# This was preventable. All of it.
Every single one of those 600+ compromised firewalls had the same two problems: the management interface was internet-facing, and it was protected by a password alone.
MFA and network restrictions. That's it. Two controls that would have made this entire campaign fail. Two controls that cost nothing to implement. Two controls that most small businesses still haven't configured because "it's just the firewall" and "nobody told us to."
Consider yourself told.
# Further reading
- GreyNoise: Fortinet VPN Brute-Force Spike - campaign detection data
- Dark Reading Coverage - related Fortinet exploitation
- Fortinet PSIRT Advisories - check your firmware version
- Shodan - find out if your management interfaces are exposed
- CISA KEV Catalog - actively exploited Fortinet CVEs