Hackers Are Logging Into Fortinet Firewalls Right Now — No Password Required
BREACH | CRITICAL | CVE-2026-1337

Published April 17, 2026
Source: CISA / Fortinet PSIRT
Affected Systems
FortiOS 7.4.x, FortiOS 7.5.x, FortiOS 7.6.x, FortiProxy 7.4.x, FortiProxy 7.6.x
Executive Summary

CVE-2026-1337 lets attackers walk straight past authentication on Fortinet FortiOS and FortiProxy — no credentials, no user interaction, full admin access. Nation-state groups and ransomware crews are already scanning for exposed management interfaces. CISA made it mandatory to patch. If your firewall is Fortinet, stop reading and go patch it.

What Happened

Fortinet's Product Security Incident Response Team (PSIRT) disclosed a critical authentication bypass vulnerability tracked as CVE-2026-1337 affecting FortiOS and FortiProxy. The vulnerability exists in the administrative management interface and allows unauthenticated remote attackers to bypass authentication controls and gain full administrative access to affected devices. CISA confirmed active exploitation in the wild and added this CVE to its Known Exploited Vulnerabilities (KEV) catalog on April 15, 2026.

Who Is Affected

Organizations running FortiOS versions 7.4.x through 7.6.x and FortiProxy 7.4.x through 7.6.x are affected. This includes a large number of enterprise firewalls, SD-WAN appliances, and network security gateways deployed by businesses of all sizes. Fortinet is one of the most widely deployed network security vendors globally, making this vulnerability particularly impactful. If your organization uses Fortinet products for perimeter security, you should assume you are affected until you verify your version and patch status.

How Attackers Are Exploiting It

Threat intelligence from multiple sources indicates that nation-state-affiliated threat actors and ransomware groups are actively scanning the internet for vulnerable Fortinet management interfaces. Once they gain access, attackers deploy persistent backdoors, create rogue administrator accounts, and use the compromised firewall as a pivot point to reach internal network resources. In several confirmed incidents, attackers maintained access for weeks before detection. The exploitation does not require any user interaction — simply having the management interface reachable from the internet is sufficient for compromise.

Immediate Actions Required

Fortinet has released patches for all affected versions. You should update to FortiOS 7.4.5, 7.5.3, or 7.6.2 (or later) immediately. If patching cannot be done immediately, restrict access to the management interface to trusted IP addresses only using local-in policies. Disable internet-facing management access entirely if possible. Review your administrator account list for any accounts you did not create. Check authentication logs for access from unexpected IP addresses, particularly from foreign countries or known malicious IP ranges.
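
The account and log review described above can be scripted against an exported admin event log. The following is an added example, not code from Fortinet or Segler.Net: it flags successful admin logins from outside trusted ranges and logins by accounts you do not recognize. The field names (`user`, `ui`, `action`, `status`), the trusted ranges, the admin names, and the March 1, 2026 cutoff are assumptions, and the log lines are constructed samples.

```python
import ipaddress
import re
from datetime import date

# Assumptions for illustration: replace with your own ranges and admin accounts.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
KNOWN_ADMINS = {"admin", "netops"}
REVIEW_FROM = date(2026, 3, 1)  # assumed cutoff for "since March 2026"

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
UI_IP = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')  # IPv4 inside ui="https(1.2.3.4)"

# Constructed sample lines in key=value style; not real log data.
SAMPLE_LOG = '''\
date=2026-02-20 time=09:12:01 user="admin" ui="https(203.0.113.77)" action="login" status="success"
date=2026-03-04 time=08:01:44 user="netops" ui="https(10.1.2.3)" action="login" status="success"
date=2026-03-09 time=02:13:10 user="admin" ui="https(203.0.113.77)" action="login" status="success"
date=2026-03-09 time=02:14:55 user="svc_backup" ui="ssh(10.1.2.9)" action="login" status="success"
date=2026-03-10 time=03:00:00 user="admin" ui="https(192.0.2.50)" action="login" status="failed"
'''

def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def is_trusted(ip):
    """True only if ip parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def triage(log_text):
    """Return (reason, user, ip, date) findings for successful admin logins."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "login" or rec.get("status") != "success":
            continue
        if "date" not in rec or date.fromisoformat(rec["date"]) < REVIEW_FROM:
            continue
        m = UI_IP.search(rec.get("ui", ""))
        ip = m.group(1) if m else None
        user = rec.get("user", "")
        if ip and not is_trusted(ip):
            findings.append(("untrusted-source", user, ip, rec["date"]))
        if user not in KNOWN_ADMINS:
            findings.append(("unknown-admin", user, ip, rec["date"]))
    return findings
```

A login from a trusted address by an unrecognized account is still reported, since rogue administrator accounts may be used from inside the network after the initial compromise.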

What Segler.Net Recommends

Our team is actively reaching out to clients who use Fortinet products to schedule emergency patching. If you are a Segler.Net managed services client, we are already reviewing your exposure. If you manage your own Fortinet infrastructure, contact us immediately for assistance. We can perform a rapid vulnerability assessment, apply the patch, and review your logs for signs of prior compromise. Do not delay — active exploitation means every hour of exposure increases your risk of a serious breach.

Key Takeaways & Action Items
  • Apply Fortinet's patch immediately — do not wait for your next maintenance window
  • Restrict FortiOS management interface access to trusted IP ranges only
  • Check your logs for signs of unauthorized admin access since March 2026
  • CISA mandatory remediation deadline applies to all federal agencies — SMBs should treat this with equal urgency
  • If you cannot patch immediately, disable the management interface from internet exposure