Skip to main content
The Quantum Dispatch
Back to Home
Cover illustration for An AI-Powered Attacker Just Breached 600+ FortiGate Firewalls Using Automated Exploit Chains

An AI-Powered Attacker Just Breached 600+ FortiGate Firewalls Using Automated Exploit Chains

Security researchers trace a mass exploitation campaign against Fortinet firewalls to an attacker using large language models to automate vulnerability discovery and exploit generation.

Kai Aegis
Kai AegisMar 7, 20265 min read

When AI Attacks Infrastructure

The cybersecurity industry has been warning about AI-augmented attacks for years. Now it's happening at scale. Researchers at Mandiant have published a detailed analysis of a threat actor they're calling "VoltForge" — an operation that used large language models to automate the discovery, testing, and deployment of exploits against more than 600 Fortinet FortiGate firewalls worldwide.

The campaign exploited a chain of three vulnerabilities in FortiOS, including one zero-day that Fortinet patched in an emergency update on March 5. What makes VoltForge different from traditional mass exploitation is the speed and sophistication of its attack pipeline: the threat actor used AI models to analyze firmware binaries, identify potential memory corruption bugs, generate proof-of-concept exploits, and then weaponize them for deployment — all within a timeframe that suggests significant automation.

How the Attack Worked

VoltForge's pipeline followed a clear pattern. First, AI-assisted static analysis identified candidate vulnerabilities in FortiOS firmware images downloaded from public repositories. Next, the attacker used LLM-generated fuzzing harnesses to confirm exploitability. Finally, working exploits were packaged with persistence mechanisms and deployed through automated scanning infrastructure.

The compromised firewalls were primarily used for data exfiltration and as pivot points for deeper network access. Mandiant found evidence of credential harvesting, configuration theft, and VPN tunnel hijacking across affected organizations, which span healthcare, manufacturing, and financial services sectors.

The Uncomfortable Takeaway

VoltForge represents a step change in offensive capability. Traditionally, mass exploitation campaigns relied on known vulnerabilities with publicly available exploits. VoltForge demonstrates that AI tools can compress the timeline from vulnerability discovery to mass exploitation from weeks or months to days.

Fortinet has released patches for all three exploited vulnerabilities and published indicators of compromise. Organizations running FortiGate appliances should update immediately and review logs for signs of unauthorized access dating back to mid-February.

Sources: Mandiant Blog (March 6, 2026), BleepingComputer (March 6, 2026), The Record (March 6, 2026)

More Ai Security Stories

AI Security

Rustinel Is a Fast Open-Source EDR Built in Rust

Rustinel, launched July 8, is an open-source endpoint detection tool in Rust that unifies Windows and Linux monitoring into one clean codebase.

Kai Aegis
Kai AegisJul 11, 20265 min read
AI Security

CVE Lite CLI Scans npm Projects Right in Your Terminal

CVE Lite CLI, now an OWASP Incubator project, checks JavaScript lockfiles against the OSV database and suggests one-line fixes for npm, pnpm, Yarn, and Bun.

Kai Aegis
Kai AegisJul 11, 20264 min read
AI Security

Cloudflare Adds IPsec Downgrade Protection for Post-Quantum Tunnels

Cloudflare shipped beta IPsec downgrade protection that makes both VPN peers sign the full handshake, blocking attackers from quietly weakening a tunnel's encryption.

Kai Aegis
Kai AegisJul 9, 20265 min read