AI‑Assisted FortiGate Breach: CyberStrikeAI Linked to 600+ Compromised Firewalls
CyberStrikeAI Used in Mass FortiGate Compromise (Jan–Feb 2026)
The open-source, AI-powered tool CyberStrikeAI is being leveraged in large-scale campaigns targeting Fortinet FortiGate edge devices worldwide. Between January 20 and February 26, 2026, analysts observed 21 unique attacker-controlled servers running CyberStrikeAI, indicating rapid adoption among threat actors.
The activity is tied to a broader campaign in which attackers compromised over 600 FortiGate firewalls across 55 countries, using AI-assisted tooling to automate reconnaissance and credential harvesting.
What is CyberStrikeAI?
- CyberStrikeAI is an open-source, AI-driven offensive security framework written in Go that unifies over 100 security tools for penetration testing and exploitation behind a dynamic orchestration layer.
- The platform automates multi-stage attack paths — from high-speed reconnaissance (Nmap, Masscan) to exploitation, credential harvesting, and post-compromise operations.
- A unified control panel abstracts operational complexity, allowing even minimally skilled operators to execute coordinated, large-scale security campaigns.
Indicators and Infrastructure: Servers Running CyberStrikeAI
Threat intelligence researchers linked several attacker servers to the FortiGate campaign. Key findings include:
- Amazon CTI linked a command-and-control server at 212.11.64[.]250 to attacks compromising 600+ FortiGate devices globally.
- Team Cymru confirmed the server ran a CyberStrikeAI service banner on port 8080 with direct NetFlow communication to FortiGate appliances.
- Tool deployments rapidly increased in early 2026, with most servers located in China, Singapore, and Hong Kong.
Who Built CyberStrikeAI? Developer ‘Ed1s0nZ’ and Reported Affiliation Signals
- CyberStrikeAI was developed by GitHub user “Ed1s0nZ”, who has published several exploitation-focused tools, including ransomware prototypes and privilege-escalation frameworks.
- Past contributions to China-linked cybersecurity programs raise concerns about state-aligned interest in AI-powered exploitation tooling.
How FortiGate Devices Were Compromised (No Zero‑Days): Exposed Admin + Weak Credentials
- The campaign exploited exposed management ports and weak, single-factor credentials, not new vulnerabilities.
- AI tools automated brute-force attempts, configuration extraction, and lateral-movement planning.
What This Means for Organizations Using FortiGate (Copycat and Scaling Risk)
The rapid adoption of CyberStrikeAI demonstrates how AI-native offensive platforms are lowering the skill barrier for large-scale infrastructure attacks. Organizations using FortiGate appliances face elevated risks of credential theft, device takeover, and cross-network pivoting.
With 600+ impacted devices across 55 countries, even enterprises outside the initial targeting regions may experience copycat attacks, automated scanning pressure, and credential stuffing attempts as tooling becomes widespread.
FortiGate Hardening Steps Against AI‑Scaled Credential Attacks
- Immediately audit FortiGate appliances for internet exposed management interfaces and restrict access.
- Enforce multifactor authentication on all administrative and VPN portals.
- Review logs for traffic associated with port 8080 and the IP 212.11.64[.]250 identified above.
- Monitor for unusual NetFlow patterns or automated scanning behavior.
- Harden backup and HA configurations to prevent credential-based lateral movement.
- Track GitHub updates related to CyberStrikeAI and associated tools published by Ed1s0nZ.
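The two findings above that matter most for log review are the brute-forced administrator credentials and the traffic to 212.11.64[.]250 on port 8080. The script below is an added example, not code from the article, from Fortinet, or from the CyberStrikeAI project: it parses FortiGate-style key=value log lines and flags failed-login bursts per source, sources whose burst ended in a successful login (the takeover pattern that needs a credential reset, not just a block), and any flow touching the indicator IP. The sample lines are constructed, and the field names (srcip, dstip, dstport, action, status) and the threshold values are assumptions to adjust for your own export.

```python
"""Offline triage of FortiGate-style key=value log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator from the campaign reporting above, defanged in the text as 212.11.64[.]250.
C2_IP = "212.11.64.250"
C2_PORT = "8080"

# Illustrative tuning values, not vendor defaults.
FAILED_LOGIN_THRESHOLD = 5
WINDOW = timedelta(minutes=2)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample export (RFC 5737 addresses): a credential-guessing burst
# that ends in a successful login, one isolated failure, one outbound flow to
# the C2 IP on the service port, and one benign flow.
SAMPLE_LOGS = """\
date=2026-02-10 time=09:00:01 type="event" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-10 time=09:00:03 type="event" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-10 time=09:00:04 type="event" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-10 time=09:00:06 type="event" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-10 time=09:00:07 type="event" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-02-10 time=09:00:09 type="event" user="admin" srcip=203.0.113.7 action="login" status="success"
date=2026-02-10 time=09:15:00 type="event" user="ops" srcip=198.51.100.4 action="login" status="failed" reason="passwd_invalid"
date=2026-02-10 time=09:31:22 type="traffic" srcip=10.0.0.5 dstip=212.11.64.250 dstport=8080 action="accept"
date=2026-02-10 time=09:40:00 type="traffic" srcip=10.0.0.6 dstip=198.51.100.20 dstport=443 action="accept"
"""


def parse_line(line):
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _ts(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def _is_login(rec, status):
    return rec.get("action") == "login" and rec.get("status") == status


def failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Map srcip -> peak count of failed logins inside any sliding time window."""
    per_src = defaultdict(list)
    for r in records:
        if _is_login(r, "failed"):
            per_src[r["srcip"]].append(_ts(r))
    hits = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def takeover_candidates(records, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Sources whose failed-login burst was followed by a successful login."""
    bursts = failed_login_bursts(records, threshold, window)
    last_fail = {}
    for r in records:
        if _is_login(r, "failed") and r["srcip"] in bursts:
            last_fail[r["srcip"]] = max(last_fail.get(r["srcip"], datetime.min), _ts(r))
    found = {r["srcip"] for r in records
             if _is_login(r, "success") and r.get("srcip") in last_fail
             and _ts(r) >= last_fail[r["srcip"]]}
    return sorted(found)


def c2_contacts(records, ip=C2_IP, port=C2_PORT):
    """Flows involving the indicator IP; last field marks the C2 service port."""
    out = []
    for r in records:
        if ip in (r.get("srcip"), r.get("dstip")):
            on_service_port = r.get("dstip") == ip and r.get("dstport") == port
            out.append((r["srcip"], r["dstip"], r.get("dstport"), on_service_port))
    return out


def triage(text=SAMPLE_LOGS):
    records = parse_logs(text)
    return {
        "brute_force_sources": failed_login_bursts(records),
        "takeover_candidates": takeover_candidates(records),
        "c2_contacts": c2_contacts(records),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result)
```

Run it against a real key=value export by passing the file contents to `triage()`. The sliding window deliberately reports the peak count rather than a daily total, so a slow, spread-out guessing campaign below the threshold still needs the MFA and management-interface restrictions listed above; detection here is a supplement to those controls, not a substitute.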
