What happened
On June 18, 2026, CISA and researchers disclosed that 86,644 Fortinet devices had been compromised with working credentials exposed online. The threat actors built a verified database of credentials for major enterprises and government agencies, likely gathered through prior breaches or configuration file exfiltration.
Why it matters
Compromised firewalls are the entry point to internal networks hosting AI/ML infrastructure. Once inside the perimeter, attackers can compromise model servers, vector databases, and agentic systems. This is a widespread campaign affecting mission-critical infrastructure.
Attack vector
Attackers systematically mass-scanned the internet for Fortinet remote login endpoints, then sprayed a curated database of leaked FortiGate passwords against discovered devices. Successful credential compromise gave attackers persistent access to enterprise perimeter networks, enabling lateral movement to internal AI/ML infrastructure.
Affected systems
Fortinet FortiGate firewalls and SSL VPN gateways. No specific CVE is involved; the campaign exploits credential reuse and weak password policies.
Mitigation
Immediate actions: Change all FortiGate admin credentials to unique, strong passwords. Enable MFA on all remote access. Audit logs for suspicious login activity. CISA alert: https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposure
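The log audit recommended above can start from two signals: one source failing logins across several devices or accounts, and any successful admin login from outside the management network (leaked credentials that still work succeed on the first attempt, so failure counts alone miss them). This is an added example, not code from CISA or Fortinet; the key=value field names, the trusted subnet and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). The key=value field names
# are an assumed, simplified layout; map them to your own log export.
SAMPLE_LOGS = """\
date=2026-06-18 time=02:14:07 devname="fw-a" user="admin" srcip=198.51.100.23 action="login" status="failed"
date=2026-06-18 time=02:14:09 devname="fw-b" user="admin" srcip=198.51.100.23 action="login" status="failed"
date=2026-06-18 time=02:14:12 devname="fw-c" user="netops" srcip=198.51.100.23 action="login" status="failed"
date=2026-06-18 time=02:14:15 devname="fw-c" user="admin" srcip=198.51.100.23 action="login" status="success"
date=2026-06-18 time=03:40:51 devname="fw-a" user="admin" srcip=203.0.113.77 action="login" status="success"
date=2026-06-18 time=08:01:30 devname="fw-a" user="admin" srcip=10.20.0.5 action="login" status="failed"
date=2026-06-18 time=08:01:44 devname="fw-a" user="admin" srcip=10.20.0.5 action="login" status="success"
"""

TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # hypothetical admin subnet
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def audit_logins(log_text, min_failures=3, min_targets=2):
    """Return (spray_sources, untrusted_successes) found in the log text."""
    failures = defaultdict(list)   # srcip -> [(device, user), ...]
    untrusted_successes = []       # (time, srcip, device, user)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        src, target = ev["srcip"], (ev.get("devname", ""), ev.get("user", ""))
        if ev.get("status") == "failed":
            failures[src].append(target)
        elif ev.get("status") == "success":
            addr = ipaddress.ip_address(src)
            if not any(addr in net for net in TRUSTED_MGMT_NETS):
                untrusted_successes.append((ev.get("time"), src, *target))
    # Spraying: many failures from one source spread over several device/user pairs.
    spray_sources = {src: sorted(set(t)) for src, t in failures.items()
                     if len(t) >= min_failures and len(set(t)) >= min_targets}
    return spray_sources, untrusted_successes


if __name__ == "__main__":
    print(audit_logins(SAMPLE_LOGS))
```

A source that appears in both results, such as 198.51.100.23 in the sample, is the highest-priority finding: the spray ended in a working login.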