FortiGate Appliances Continue to Serve as Entry Points for Network Breaches
Cybersecurity researchers highlight a continuing campaign where threat actors abuse Fortinet FortiGate Next-Generation Firewalls as entry points to breach victim networks — exploiting exposed management interfaces despite months of warnings from security agencies.
Cybersecurity researchers continue to document campaigns targeting Fortinet FortiGate Next-Generation Firewalls as entry points for network compromise, highlighting that many organizations have failed to address the fundamental security gaps — exposed management interfaces and weak authentication — that enable these attacks despite months of warnings from Five Eyes intelligence agencies.
Persistent Vulnerability
The ongoing exploitation campaign builds on the CyberStrikeAI attacks disclosed in early March, which compromised over 600 FortiGate devices across 55 countries. Researchers report that the attack surface has not meaningfully shrunk: thousands of FortiGate management interfaces remain accessible from the public internet, and many use single-factor authentication that can be bypassed through credential stuffing or brute-force attacks. The gap between security agency warnings and organizational response remains troublingly wide.
Why Organizations Are Slow to Respond
Security analysts identify several factors behind the slow response: FortiGate management interfaces are sometimes intentionally exposed to enable remote administration by distributed IT teams, firewall configuration changes carry operational risk that makes organizations reluctant to modify access controls during business hours, and some organizations lack the visibility to even know whether their management interfaces are exposed. The result is a persistent vulnerability that adversaries continue to exploit weeks after public disclosure.
Recommended Actions
CISA and the Five Eyes agencies continue to recommend immediate restriction of management interface access to trusted networks only, implementation of multi-factor authentication for all administrative access, monitoring for indicators of compromise published in the February advisory, and forensic review of any FortiGate devices that may have been exposed during the exploitation window. Organizations that cannot restrict management interface access should implement additional monitoring and alerting for administrative login attempts from unexpected sources.
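The last recommendation, alerting on administrative logins from unexpected sources, can be prototyped over exported firewall event logs. The following is an added example, not code from the article, Fortinet or the agencies: the trusted networks, the failure threshold, the sample lines and the key=value field names (`action`, `status`, `srcip`, `user`, modeled on FortiOS-style event logs) are all assumptions to adapt to your own log export.

```python
import ipaddress
import shlex
from collections import Counter

# Assumptions: the networks admins are expected to connect from, and the alert threshold.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.16/28")]
FAILED_THRESHOLD = 3

# Constructed sample events (not real logs) in key=value style.
SAMPLE_LOG = """\
date=2025-03-20 time=02:11:04 type="event" subtype="system" user="admin" srcip=198.51.100.7 action="login" status="failed" msg="Administrator admin login failed"
date=2025-03-20 time=02:11:09 type="event" subtype="system" user="admin" srcip=198.51.100.7 action="login" status="failed" msg="Administrator admin login failed"
date=2025-03-20 time=02:11:15 type="event" subtype="system" user="admin" srcip=198.51.100.7 action="login" status="failed" msg="Administrator admin login failed"
date=2025-03-20 time=02:11:31 type="event" subtype="system" user="admin" srcip=198.51.100.7 action="login" status="success" msg="Administrator admin logged in"
date=2025-03-20 time=08:30:12 type="event" subtype="system" user="netops" srcip=10.20.0.15 action="login" status="success" msg="Administrator netops logged in"
date=2025-03-20 time=09:02:44 type="event" subtype="system" user="admin" srcip=203.0.113.9 action="login" status="failed" msg="Administrator admin login failed"
date=2025-03-20 time=09:05:00 type="event" subtype="system" user="netops" action="Edit" msg="Edit firewall policy 12"
"""

def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def is_trusted(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETS)

def find_alerts(log_text):
    """Return (rule, source IP, user) tuples for admin logins from untrusted sources."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        event = parse_line(line)
        if event.get("action") != "login" or "srcip" not in event:
            continue  # not an administrative login event
        src = event["srcip"]
        if is_trusted(src):
            continue
        if event.get("status") == "success":
            alerts.append(("untrusted_admin_login", src, event.get("user")))
        else:
            failures[src] += 1
            if failures[src] == FAILED_THRESHOLD:  # alert once per source
                alerts.append(("repeated_failures", src, event.get("user")))
    return alerts
```

Calling `find_alerts(SAMPLE_LOG)` flags the burst of failures and the subsequent successful login from the same untrusted address, while the login from the trusted network and the single stray failure stay below the alerting bar.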