Vigilant Voices Blog

AI Tools, Claude, and Fortinet FortiGate Attacks

Threat actors are using commercial AI services to accelerate FortiGate firewall attacks and expose weak perimeter controls.

April 10, 2026 • Cybersecurity

Defenders are seeing new attack campaigns in which AI assistants like Claude are being used to automate reconnaissance, vulnerability validation, and exploitation against Fortinet FortiGate appliances.

Amazon Threat Intelligence has observed a Russian-speaking actor compromise more than 600 Fortinet firewalls in a single month, showing how AI can let less-experienced operators carry out high-impact campaigns.

Attack mechanics

These campaigns combine exposed FortiGate management planes with AI-assisted tooling to:

  • scan for internet-facing FortiGate appliances and open admin ports;
  • identify FortiOS versions and risky configuration settings;
  • automate exploit validation and payload generation;
  • move quickly from initial access to persistence and control.

Why FortiGate is a high-value target

FortiGate appliances often sit at the network edge and expose administrative interfaces. When they are reachable from untrusted networks, they become a prime target and a starting point for lateral movement, data theft, and network disruption.

Recommended hardening

  • Patch FortiGate devices. Apply the latest FortiOS updates and security hardening guidance.
  • Limit remote management. Remove public access to FortiGate management and require VPN or jump host access.
  • Enable MFA. Protect FortiGate admin sessions with multifactor authentication.
  • Monitor exposure. Continuously discover FortiGate endpoints and detect unauthorized access attempts.
  • Watch for anomalies. Alert on unexpected admin logins, configuration changes, or unusual traffic patterns.

Defender takeaway

This campaign is a reminder that AI is making attack operations more accessible. Security teams need better visibility, stricter perimeter controls, and faster response playbooks to keep Fortinet edge appliances secure.

Protect exposed FortiGate devices now and treat any internet-facing management plane as a high-risk asset.