FortiGate Firewalls Exploited in Automated Attacks to Steal Configuration Data

What happened

Researchers identified a wave of automated attacks targeting Fortinet FortiGate firewall devices beginning in January 2026, where threat actors gained unauthorized access, modified configurations, and exfiltrated sensitive firewall data. The attacks involved creating persistent generic accounts and stealing configuration files that contain critical network information such as VPN settings, authentication methods, and security rules. Stolen firewall configurations can provide attackers with insights into network architecture and security controls, potentially enabling further intrusions into enterprise environments. 

Who is affected

Organizations running Fortinet FortiGate firewall appliances exposed to the internet are affected, particularly those where attackers can access administrative interfaces or exploit configuration weaknesses. 

Why CISOs should care

Compromised firewall configurations can reveal internal network structures, authentication mechanisms, and security policies, which attackers can use to bypass defenses and expand access within enterprise networks. 

3 practical actions

1. Audit firewall accounts and configurations. Investigate for unauthorized user accounts or unexpected configuration changes on FortiGate devices. 
2. Restrict management interface exposure. Limit administrative access to trusted networks and disable unnecessary internet exposure. 
3. Monitor for configuration exfiltration attempts. Detect abnormal access or downloads of firewall configuration files. 

For more coverage of cybersecurity developments involving the company, explore our reporting under the Fortinet tag.