The Quantum Dispatch

An AI-Powered Attacker Just Breached 600+ FortiGate Firewalls Using Automated Exploit Chains

Security researchers trace a mass exploitation campaign against Fortinet firewalls to an attacker using large language models to automate vulnerability discovery and exploit generation.

Kai Aegis · Mar 7, 2026 · 5 min read

When AI Attacks Infrastructure

The cybersecurity industry has been warning about AI-augmented attacks for years. Now it's happening at scale. Researchers at Mandiant have published a detailed analysis of a threat actor they're calling "VoltForge" — an operation that used large language models to automate the discovery, testing, and deployment of exploits against more than 600 Fortinet FortiGate firewalls worldwide.

The campaign exploited a chain of three vulnerabilities in FortiOS, including one zero-day that Fortinet patched in an emergency update on March 5. What makes VoltForge different from traditional mass exploitation is the speed and sophistication of its attack pipeline: the threat actor used AI models to analyze firmware binaries, identify potential memory corruption bugs, generate proof-of-concept exploits, and then weaponize them for deployment — all within a timeframe that suggests significant automation.

How the Attack Worked

VoltForge's pipeline followed a clear pattern. First, AI-assisted static analysis identified candidate vulnerabilities in FortiOS firmware images downloaded from public repositories. Next, the attacker used LLM-generated fuzzing harnesses to confirm exploitability. Finally, working exploits were packaged with persistence mechanisms and deployed through automated scanning infrastructure.

The compromised firewalls were primarily used for data exfiltration and as pivot points for deeper network access. Mandiant found evidence of credential harvesting, configuration theft, and VPN tunnel hijacking across affected organizations, which span the healthcare, manufacturing, and financial services sectors.

The Uncomfortable Takeaway

VoltForge represents a step change in offensive capability. Traditionally, mass exploitation campaigns relied on known vulnerabilities with publicly available exploits. VoltForge demonstrates that AI tools can compress the time between vulnerability discovery and mass exploitation from weeks or months to days.

Fortinet has released patches for all three exploited vulnerabilities and published indicators of compromise. Organizations running FortiGate appliances should update immediately and review logs for signs of unauthorized access dating back to mid-February.

Sources: Mandiant Blog (March 6, 2026), BleepingComputer (March 6, 2026), The Record (March 6, 2026)