AISEC > Security News > Ai Security > CyberStrikeAI Tool Used in FortiGate Firewall Attacks 2026
March 03, 2026 #ai-security Source: BleepingComputer 3 min read · 668 words

CyberStrikeAI tool adopted by hackers for AI-powered attacks

Інструмент CyberStrikeAI був використаний хакерами для AI-powered атак

Timeline: How We Got Here

The trouble started months ago. Not dramatically—no breach announcements, no ransomware notes. Just threat actors quietly weaponizing an open-source tool that was supposed to help defenders test their own systems. By March 2026, security researchers had connected the dots: CyberStrikeAI, an AI-powered security testing platform, had become a weapon. And it was working devastatingly well against Fortinet FortiGate firewalls.

The campaign didn't happen overnight. It evolved. But the scope when discovered? Hundreds of successfully compromised devices.

The Discovery

BleepingComputer reported that researchers identified active threat actors using CyberStrikeAI in real-world attack campaigns. This wasn't theoretical. This wasn't a proof-of-concept in a lab. These were actual victims—companies whose FortiGate firewalls had been breached using this tool.

The researchers traced the attacks back across multiple intrusions. Same methodology. Same tool. Same adversary.

What makes this particularly nasty is the obviousness of it in hindsight. CyberStrikeAI is open-source. It's designed for security testing. Anyone can download it. Anyone can study it. Anyone can figure out how to turn it into an attack platform. And apparently, someone did exactly that.

Technical Analysis

So how does this actually work?

CyberStrikeAI s artificial intelligence to identify security weaknesses. It's meant to help organizations find vulnerabilities before attackers do. The irony is suffocating. Threat actors simply pointed it at Fortinet FortiGate firewalls and let it do what it was built to do—find exploitable gaps.

The FortiGate line has seen multiple vulnerability disclosures over the years. Fortinet firewall vulnerabilities in 2023 grabbed attention. Then came 2024, and more patches were required. 2025 brought additional CVEs. Now in 2026, we're seeing active exploitation tied to those known weaknesses—and potentially undiscovered ones. The FortiGate 60F model was among the affected devices, though this campaign appears to have targeted FortiGate firewalls across multiple product lines.

Think about what that means. An attacker doesn't need to discover zero-days anymore. They just need an AI tool that efficiently maps existing vulnerabilities and chains them together. The FortiGate vulnerability scanner mentality—checking for known issues—becomes less effective when the threat actor has already automated that process at scale.

And then it got worse.

The researchers discovered that this wasn't just one attack. This was a pattern. A campaign. Hundreds of victims meant the tool was being used systematically, methodically, across multiple targets. Not spray-and-pray. Not opportunistic. Coordinated.

Damage Assessment

Hundreds of breached FortiGate firewalls. Let that number sink in.

These aren't peripheral devices. Firewalls are the gatekeepers. They sit between an organization's internal network and the outside world. Compromise a firewall and you've got a front-row seat to everything behind it.

The victims experienced real breach conditions. Data access. Lateral movement potential. The ability for attackers to establish persistent footholds in networks they had no right to access.

So why does this matter beyond the immediate victims? Because if hundreds were breached, there are probably more. There are probably organizations that haven't realized yet that their FortiGate firewall is compromised. There are probably attackers still inside networks right now, moving sideways through systems, exfiltrating data, preparing for the next phase of their campaign.

Mitigation

First, the obvious: patch everything. If you're running Fortinet FortiGate firewalls, prioritize updates immediately. Check the Fortinet security advisories for the specific FortiGate vulnerability patches applicable to your hardware and firmware versions.

But here's the uncomfortable truth: patching only works if you do it fast. And most organizations don't.

Second, assume compromise. Organizations running older firmware versions on FortiGate devices should assume breach conditions and conduct forensic analysis. Check firewall logs for suspicious activity. Look for unauthorized administrative access. Review VPN logs for unusual connections.

Third, monitor actively. Deploy network monitoring that flags when security tools behave like attack tools. CyberStrikeAI has a signature. It has patterns. Detection systems that understand those patterns can catch exploitation attempts in progress.

And finally: get your FortiGate firewall vulnerability assessment done now. Not next quarter. Not after the next board meeting. Today. Use a vulnerability scanner that understands both the FortiGate firewall vulnerability landscape from 2023 through 2026 and can identify which issues are actually exploitable in your environment.

The attackers already know what's broken. The question is whether you will too.

Read original article →

// FAQ

Are Fortinet FortiGate 60F firewalls currently vulnerable to this attack?

Yes, the FortiGate 60F model was among affected devices in this campaign. All FortiGate users should immediately check for the latest security patches and verify their firewall firmware is fully updated to close known vulnerabilities.

What Fortinet firewall vulnerabilities from 2024-2026 were exploited in these attacks?

While specific CVEs weren't detailed in initial reports, the attacks leveraged known FortiGate vulnerabilities across multiple years. Organizations should review all Fortinet security advisories from 2024-2026 and prioritize patching critical and high-severity FortiGate firewall vulnerabilities.

How can I check if my FortiGate firewall was compromised by this campaign?

Review firewall logs for unauthorized administrative access, unusual VPN connections, and suspicious outbound traffic patterns. Consider using a Fortinet firewall vulnerability scanner and conduct forensic analysis if your device was running older firmware during the attack window.

// RELATED

#ai-security Bug in Google's Gemini AI Panel Opens Door to Hijacking 2026-03-02 #ai-security Vulnerability Allowed Hijacking Chrome’s Gemini Live AI Assistant 2026-03-02 #ai-security Hackers Weaponize Claude Code in Mexican Government Cyberattack 2026-03-01

Concerned about your project's security? Run an automated pentest with AISEC — AI-powered scanner with expert verification. Go to dashboard →