A new threat campaign is using commercial AI tools to automate attacks against Fortinet FortiGate firewalls and exposed management interfaces.
Security teams are now seeing threat actors pair AI research tools with operational access to Fortinet FortiGate appliances. Amazon Threat Intelligence reported a Russian-speaking actor leveraging models such as Claude and other AI services to speed reconnaissance, attack validation, and exploit workflows.
The abuse pattern is familiar: once attackers identify exposed FortiGate management interfaces, they use automation to enumerate firmware, validate known vulnerabilities, and compile payloads quickly. In this campaign, more than 600 Fortinet firewalls were impacted in a single month, underscoring how AI can amplify even unsophisticated actors.
AI tools are not the vulnerability. The shift is in how low-skill operators can now stitch together reconnaissance, exploit crafting, and lateral access faster than before. The threat actor used generative assistants to:
Fortinet FortiGate appliances often sit at the edge of a network and expose high-value management planes. Unpatched or internet-facing devices can quickly become a staging ground for broader intrusion, data exfiltration, or network disruption.
This incident is a warning that adversaries are treating AI as a force multiplier. Attackers can now generate exploit sequences, analyze output from security tools, and accelerate discovery with fewer specialized skills. Defenders must respond with stronger segmentation, automation, and threat detection tuned for AI-enabled playbooks.
For enterprise security teams, the practical takeaway is clear: secure Fortinet perimeter appliances as a priority, and assume that exposed management interfaces will be targeted by increasingly automated attacks.
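
One way to act on this takeaway, as an added example that is not from the original article or from Fortinet: a Python audit of a FortiGate configuration backup that flags interfaces whose `allowaccess` list offers administrative protocols on a `wan` or unset role. The sample configuration is constructed, the function names are hypothetical, and treating an unset role as needing review is an assumption.

```python
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}  # allowaccess values that offer an admin login

def parse_entries(config_text, section):
    """Return {entry: {setting: [values]}} for a top-level `config <section>` block."""
    entries, stack, current = {}, [], None
    for raw in config_text.splitlines():
        tok = [t.strip('"') for t in raw.split()]   # assumes entry names carry no spaces
        cmd = tok[0] if tok else ""
        if cmd == "config":
            stack.append(" ".join(tok[1:]))
        elif cmd == "end" and stack:
            stack.pop()
        elif stack == [section]:    # skip nested blocks such as `config ipv6`
            if cmd == "edit" and len(tok) > 1:
                current = entries.setdefault(tok[1], {})
            elif cmd == "next":
                current = None
            elif cmd == "set" and current is not None and len(tok) > 1:
                current[tok[1]] = tok[2:]
    return entries

def exposed_management(config_text):
    """List (interface, role, protocols) where admin protocols face a non-internal role."""
    findings = []
    for name, s in parse_entries(config_text, "system interface").items():
        role = s.get("role", ["undefined"])[0]
        mgmt = sorted(MGMT_PROTOCOLS & set(s.get("allowaccess", [])))
        if mgmt and role in ("wan", "undefined"):   # assumption: unset role needs review
            findings.append((name, role, mgmt))
    return findings

# Constructed sample in FortiOS CLI backup syntax (not taken from any real device).
SAMPLE = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
"""

print(exposed_management(SAMPLE))
```

A finding here means only that the interface accepts management logins; whether it is reachable from the internet still depends on addressing and upstream filtering.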