Fortinet Firewall Hack Hits Major Companies Worldwide

Widespread compromise of Fortinet firewalls impacts organisations globally

In a major cybersecurity incident, tens of thousands of Fortinet firewalls used by leading companies across the globe have allegedly been hacked by cybercriminals. This attack exposes critical infrastructure and sensitive data, raising urgent concerns for organisations relying on Fortinet products for network defence.

How the Fortinet Firewall Breach Happened

The reported breach centres on a large-scale campaign by threat actors targeting Fortinet firewalls. Security researchers revealed that attackers gained access to tens of thousands of devices, exploiting vulnerabilities to compromise the firewalls and, by extension, the networks they were designed to protect.

The initial reports surfaced in early June 2024, with evidence suggesting that the campaign had been ongoing for several weeks before discovery. Attackers are believed to have exploited a known vulnerability in Fortinet firmware that enabled remote code execution. This allowed them to bypass authentication mechanisms and gain administrative access to the firewalls.

The affected products are primarily FortiGate firewalls, widely deployed by enterprises for perimeter security and VPN access. While specific firmware versions have not been officially confirmed in public reporting, past critical vulnerabilities in FortiOS (such as CVE-2023-27997) are suspected to be the vector, given their known exploitation in the wild. Organisations running unpatched or outdated versions are likely the main targets.

Breach Timeline and Attack Tactics

The campaign’s timeline began unfolding in late May 2024, with security analysts observing unusual activity in VPN access logs and firewall configurations. By early June, threat intelligence firms had traced coordinated efforts to scan for and exploit vulnerable Fortinet devices worldwide.

  • Late May 2024: Initial suspicious access attempts detected on exposed Fortinet firewalls.
  • Early June 2024: Security researchers confirm large-scale compromise, with tens of thousands of devices affected.
  • 9 June 2024: Public reporting and advisories urge immediate action from organisations using FortiGate products.

Attackers are believed to have automated the process of identifying and exploiting vulnerable firewalls. Once inside, they established persistence by creating new administrative accounts and backdoor access methods. In some cases, access to VPN credentials and configuration files was also obtained, allowing further lateral movement into corporate networks.

Who Is Affected by the Fortinet Firewall Compromise?

The impact of this breach is global and affects organisations of all sizes that use Fortinet firewalls. Major enterprises, government agencies and managed service providers are among those at risk, with devices deployed in critical sectors such as finance, healthcare and manufacturing.

Given the scale of Fortinet’s market presence, the number of affected entities could reach into the tens of thousands. Attackers targeting perimeter security devices like firewalls can potentially access sensitive data, intercept communications or disable security controls. The exposure of VPN credentials is particularly concerning, as it could allow unauthorised remote access to internal systems even after the initial firewall vulnerability is patched.

Ongoing analysis suggests that the attackers are actively exfiltrating data and maintaining access to compromised environments. Security experts have confirmed that exploitation is not merely theoretical: there is concrete evidence of breaches and persistent threats within affected networks.

Why This Fortinet Firewall Attack Matters

This event underscores the high risk associated with perimeter device vulnerabilities. Firewalls are critical trust anchors in network architecture. Compromising these devices offers attackers privileged access, visibility and control across entire organisations.

For businesses, the breach highlights the importance of timely patch management, vigilant monitoring and robust multi-factor authentication for all remote access points. The exposure of VPN credentials in this incident means that even organisations that patch late may remain at risk if credentials are not rotated and access logs are not thoroughly reviewed.

Immediate Mitigation Steps for Affected Organisations

  • Patch all Fortinet firewalls promptly to address known vulnerabilities.
  • Review VPN access logs for unusual or unauthorised activity since late May 2024.
  • Rotate administrative and VPN credentials, especially if compromise is suspected.
  • Enforce multi-factor authentication for all remote access, if not already implemented.
  • Check for signs of persistent compromise, such as unknown accounts or altered configurations.
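
One way to carry out the last check, as an added example (not from the original bulletin or from Fortinet): compare the `config system admin` section of a known-good configuration backup with a current one and list accounts that are new, have a changed access profile, or have no trusted-host restriction. The backups, account names and the `noc_readonly` profile are constructed, and the function names are hypothetical.

```python
# Constructed backups (FortiOS CLI syntax, made-up names); CURRENT raises noc-audit and adds fw-support.
BASELINE = """config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "noc-audit"
        set accprofile "noc_readonly"
    next
end
"""
CURRENT = BASELINE.replace('"noc_readonly"', '"super_admin"').replace("end\n", """    edit "fw-support"
        set accprofile "super_admin"
    next
end
""")

def parse_admins(config_text):
    """Return {admin_name: {setting: value}} from the 'config system admin' block."""
    admins, in_block, name, nested = {}, False, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config system admin"
        elif nested or (name and line.startswith("config ")):
            nested += line.startswith("config ") - (line == "end")  # skip sub-tables
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            admins[name] = {}
        elif line == "next":
            name = None
        elif line == "end":
            in_block = False
        elif name and line.startswith("set "):
            _, key, *value = line.split(None, 2)
            admins[name][key] = value[0].strip('"') if value else ""
    return admins

def audit_admins(baseline_text, current_text):
    """Compare admin accounts in two backups; return sorted (admin, finding) pairs."""
    before, after = parse_admins(baseline_text), parse_admins(current_text)
    findings = []
    for name, cfg in after.items():
        if name not in before:
            findings.append((name, "account not in baseline"))
        elif cfg.get("accprofile") != before[name].get("accprofile"):
            findings.append((name, "access profile changed"))
        if not any(key.startswith("trusthost") for key in cfg):
            findings.append((name, "no trusted-host restriction"))
    return sorted(findings)
```

Running `audit_admins(BASELINE, CURRENT)` on the constructed backups reports the added account and the raised profile; each finding still needs to be checked against change records before it is treated as evidence of compromise.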

Conclusion: Lessons from the Fortinet Breach

The Fortinet firewall hack demonstrates how vulnerabilities in core security infrastructure can be rapidly weaponised by cybercriminals. Organisations must act quickly to patch affected devices, review for signs of compromise and strengthen access controls to limit future risk.

As this campaign is ongoing, continued vigilance and prompt incident response will be essential to prevent further breaches and data loss. Enterprises using FortiGate firewalls should work closely with their IT and security teams to ensure that all recommended actions are implemented without delay.

Originally reported by Unknown.

About the Author

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

Category: Cyber Attacks
Published: Jul 4 - 2026