Fortinet Under Sustained Attack as Threat Actors Target Enterprise Access Infrastructure

Recent disclosures involving Fortinet reveal a broader campaign targeting enterprise access infrastructure. Threat actors are leveraging a combination of credential harvesting, exploitation of internet-facing appliances, and attacks against security infrastructure to establish and maintain access. The activity spans FortiGate firewalls, Fortinet SSL VPNs, and FortiSandbox appliances, highlighting how attackers are targeting multiple layers of the Fortinet ecosystem simultaneously.

Key Findings

• The FortiBleed operation exposed credentials linked to approximately 73,000 Fortinet VPN devices, including usernames, email addresses, passwords, and VPN endpoints.
• More than 1 billion authentication attempts were identified, indicating large-scale credential harvesting and password-spraying activity.
• Firewalls and VPN appliances were targeted using previously compromised credentials.
• Attackers are actively exploiting multiple FortiSandbox vulnerabilities, including CVE-2026-39813, which could facilitate unauthorized access and remote code execution.
• The combination of credential theft, active exploitation, and attacks against security appliances suggests adversaries are pursuing multiple access paths into the same environments.

Vulnerabilities

Indicators of Compromise (IOCs)

Authentication Activity

• High-volume failed login attempts against FortiGate SSL VPN portals.
• Login attempts from unusual geographic locations.
• Evidence of password spraying or credential-stuffing activity.
• Successful VPN logins immediately following multiple authentication failures.

Fortinet Infrastructure

• Unexpected administrator account creation.
• Unauthorized configuration changes or exports.
• Suspicious API requests targeting FortiSandbox JRPC endpoints.
• Unexplained modifications to security policies or malware analysis configurations.
• Evidence of persistence mechanisms or unauthorized file access on FortiGate devices.

Recommendations and Actions

1. Rotate all Fortinet VPN, administrative, and privileged credentials
2. Enforce MFA across remote-access and administrative services
3. Patch vulnerable FortiGate and FortiSandbox deployments immediately
4. Restrict or disable internet-facing management interfaces where possible
5. Audit privileged and dormant accounts
6. Monitor for suspicious administrative activity and configuration change
7. Investigate authentication anomalies associated with Fortinet assets

MITRE ATT&CK Mapping