DEV Community

DeepSeaX

CyberStrikeAI: Open-Source AI Tool Weaponized in FortiGate Attacks Across 55 Countries

The cybersecurity community was jolted this week when Team Cymru published research linking a massive campaign against Fortinet FortiGate firewalls to CyberStrikeAI — an open-source, AI-native security testing platform now being abused at scale by threat actors across 55 countries.

What Happened

In late January 2026, security researchers observed a coordinated wave of exploitation attempts targeting FortiGate firewalls. What initially appeared to be a standard vulnerability exploitation campaign turned out to be far more sophisticated: the attackers were leveraging CyberStrikeAI, an open-source AI-assisted security testing framework, to automate vulnerability scanning, exploit selection, and payload delivery.

Team Cymru's threat intelligence team identified the tool's distinct network fingerprint across attack infrastructure spanning 55 countries, making this one of the broadest AI-assisted attack campaigns documented to date.

How CyberStrikeAI Works in the Attack Chain

CyberStrikeAI is designed as a legitimate penetration testing tool that uses AI models for:

  1. Automated Reconnaissance — Scans target networks and identifies running services, firmware versions, and exposed management interfaces
  2. Vulnerability Matching — Uses AI to correlate discovered services against known CVE databases, prioritizing exploitable flaws
  3. Exploit Selection & Adaptation — Automatically selects and modifies exploit payloads based on target configuration
  4. Post-Exploitation Orchestration — Chains multiple techniques for persistence and lateral movement

In this campaign, the attackers pointed CyberStrikeAI at FortiGate appliances exposed to the internet. The platform's AI engine systematically tested known vulnerabilities including authentication bypass flaws and remote code execution bugs, adjusting its approach based on the target's firmware version and patch level.

Scale and Impact

The numbers are staggering:

  • 55 countries with confirmed attack activity
  • Thousands of FortiGate appliances targeted in automated scanning waves
  • Multiple CVEs exploited, including recent authentication bypass vulnerabilities
  • Administrative access achieved on unpatched devices, enabling configuration theft, VPN credential extraction, and backdoor deployment

The geographic spread — spanning North America, Europe, Asia-Pacific, and the Middle East — suggests an organized campaign rather than opportunistic scanning. Team Cymru noted that the attack infrastructure used rotating proxies and distributed scanning nodes to evade IP-based blocking.

The AI-Powered Attack Paradigm Shift

This incident marks a significant escalation in how AI tools are being weaponized. Unlike traditional automated scanning tools (like Nmap or Masscan), CyberStrikeAI introduces:

  • Adaptive Decision-Making: The tool adjusts its attack strategy based on response analysis, mimicking how a skilled penetration tester would operate
  • Evasion Intelligence: AI-driven payload modification helps bypass signature-based detection
  • Speed at Scale: What would take a human pentester days to accomplish across a handful of targets is executed across thousands in hours

Security researcher Kevin Beaumont commented that this represents "the crossing of a line we've been warning about — offensive AI tools reaching commodity status."

Defensive Recommendations

Immediate Actions

  • Patch FortiGate appliances to the latest firmware version immediately
  • Audit management interfaces — disable internet-facing admin access (HTTPS, SSH) or restrict to trusted IPs
  • Check for compromise indicators: Look for unauthorized admin accounts, modified firewall policies, and unexpected VPN tunnel configurations
  • Review FortiGuard logs for scanning patterns characteristic of AI-driven reconnaissance (rapid sequential CVE probing)

Strategic Defenses

  • Implement virtual patching via IPS/WAF rules while scheduling firmware updates
  • Deploy network segmentation to limit blast radius if a perimeter device is compromised
  • Monitor for anomalous admin behavior — AI-driven attacks often create admin sessions at unusual hours
  • Threat hunt for FortiGate IOCs published by Team Cymru and Fortinet PSIRT

Detection Opportunities

Monitor for these behavioral indicators (a Suricata-style rate rule and the FortiGate login event to look for):

```
# Rapid CVE probing pattern (multiple exploit attempts within seconds).
# $FORTIGATE_MGMT must be defined as an address group in suricata.yaml. With no content
# match, this counts every HTTP request from one source to the management interface,
# so tune count/seconds against your legitimate admin traffic before deploying.
alert http any any -> $FORTIGATE_MGMT any (msg:"Possible AI-driven FortiGate exploit scan"; flow:to_server; threshold:type both,track by_src,count 10,seconds 30; sid:2026030401; rev:1;)

# Unauthorized admin session creation (FortiGate event log)
type=event subtype=system level=warning action=login user=admin status=success srcip=<unexpected_IP>
```
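As an added example (not code from this post, from Team Cymru, or from the CyberStrikeAI project), the Python below applies both indicators to constructed data: it parses FortiGate key=value login events and flags successful admin logins from outside an assumed trusted management range, and it reimplements the rule's count-per-source-within-window threshold over request timestamps so the numbers can be tuned offline. The log lines, IP addresses and the 10.0.0.0/8 trusted range are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed FortiGate-style login events (made-up addresses), same fields as the log line above.
SAMPLE_LOGS = [
    "type=event subtype=system level=warning action=login user=admin status=success srcip=203.0.113.45",
    "type=event subtype=system level=notice action=login user=admin status=success srcip=10.0.5.20",
    "type=event subtype=system level=warning action=login user=admin status=failed srcip=203.0.113.45",
]
# Assumption: admin sessions are only expected from this internal management range.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fortigate(line):
    """Turn a FortiGate key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def unexpected_admin_logins(lines, trusted=TRUSTED_ADMIN_NETS):
    """Source IPs of successful admin logins from outside the trusted nets."""
    hits = []
    for rec in map(parse_fortigate, lines):
        if rec.get("action") == "login" and rec.get("status") == "success":
            if not any(ipaddress.ip_address(rec["srcip"]) in net for net in trusted):
                hits.append(rec["srcip"])
    return hits

def burst_sources(events, count=10, window=timedelta(seconds=30)):
    """Sources with >= count events in any sliding window (the rule's threshold clause)."""
    by_src = defaultdict(list)
    for src, ts in events:  # events are (srcip, datetime) pairs, in any order
        by_src[src].append(ts)
    flagged = []
    for src, times in sorted(by_src.items()):
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide past events older than the window
                lo += 1
            if hi - lo + 1 >= count:
                flagged.append(src)
                break
    return flagged

def constructed_probe_events():
    """Constructed timeline: 12 requests in 22 s from one source, 10 a minute apart from another."""
    t0 = datetime(2026, 1, 28, 2, 14, 0)
    fast = [("198.51.100.7", t0 + timedelta(seconds=2 * i)) for i in range(12)]
    slow = [("10.0.5.20", t0 + timedelta(seconds=60 * i)) for i in range(10)]
    return fast + slow
```

Feeding real FortiGate event logs and web-proxy or IPS request timestamps into these two functions gives a quick offline check of how many alerts the suggested count and window would produce before the Suricata rule goes live.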

The Bigger Picture

This campaign sits at the intersection of two accelerating trends: the commoditization of AI-powered offensive tools and the persistent exposure of network perimeter devices. Cloudflare's latest threat report, also released this week, revealed the company blocks 230 billion threats daily — underscoring how automated the attack ecosystem has become.

The weaponization of CyberStrikeAI is a wake-up call: the barrier to entry for sophisticated, adaptive attacks has dropped dramatically. Organizations can no longer rely on patch cadence alone — they need continuous monitoring, behavioral detection, and the assumption that perimeter devices will be targeted with intelligence.


Need help assessing your exposure? Apply to our Beta Tester Program at theinsider-x.com — limited slots available.
