Hackers Are Logging Into Fortinet Firewalls Right Now — No Password Required
BREACH | CRITICAL | CVE-2026-1337


Published April 17, 2026
Source: CISA / Fortinet PSIRT
Affected Systems

FortiOS 7.4.x, FortiOS 7.5.x, FortiOS 7.6.x, FortiProxy 7.4.x, FortiProxy 7.6.x
Executive Summary

CVE-2026-1337 lets attackers walk straight past authentication on Fortinet FortiOS and FortiProxy — no credentials, no user interaction, full admin access. Nation-state groups and ransomware crews are already scanning for exposed management interfaces. CISA made it mandatory to patch. If your firewall is Fortinet, stop reading and go patch it.

What Happened

Fortinet's Product Security Incident Response Team (PSIRT) disclosed a critical authentication bypass vulnerability tracked as CVE-2026-1337 affecting FortiOS and FortiProxy. The vulnerability exists in the web-based management interface of Palo Alto Networks Next-Generation Firewalls and Panorama management servers. An unauthenticated attacker with network access to the management interface can exploit this vulnerability to execute arbitrary code with root privileges on the affected device.

Exploitation Activity

Unit 42 has observed multiple threat actor groups exploiting this vulnerability, including a suspected nation-state group and at least two ransomware affiliate operations. Attackers are using the vulnerability to deploy persistent backdoors that survive reboots and firmware updates, create hidden administrator accounts, and use the compromised firewall as a launching point for attacks against internal network resources. In several confirmed incidents, attackers used the compromised firewall to intercept VPN credentials and gain access to internal systems.

Remediation Steps

Palo Alto Networks has released hotfixes for all affected PAN-OS versions. Apply the hotfix immediately. If you cannot patch immediately, restrict access to the management interface to trusted IP addresses using Palo Alto's management interface access restrictions. Do not expose the management interface to the internet under any circumstances. After patching, review your administrator account list, check for unauthorized configuration changes, and review your logs for signs of prior exploitation. Palo Alto has published an Indicators of Compromise (IoC) list that you can use to check your logs.

Key Takeaways & Action Items
  • Apply Fortinet's patch immediately — do not wait for your next maintenance window
  • Restrict FortiOS management interface access to trusted IP addresses only
  • Check your logs for signs of unauthorized admin access since March 2026
  • CISA mandatory remediation deadline applies to all federal agencies — SMBs should treat this with equal urgency
  • If you cannot patch immediately, disable the management interface from internet exposure
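
One way to carry out the log review in the action items above, as an added example that is not code from the article, CISA, or Fortinet: it flags successful admin logins and admin-account creation since March 2026 that came from outside the trusted management networks. The log lines are constructed, and the field names (`srcip`, `action`, `status`, `target`) and trusted ranges are assumptions to adapt to your own export.

```python
import ipaddress
import re

# Assumptions: trusted management networks and the start of the review window.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
REVIEW_FROM = "2026-03-01"  # ISO dates compare correctly as plain strings

# Constructed sample lines in a key=value event-log style (not real device output).
SAMPLE_LOG = '''\
date=2026-02-20 time=09:14:02 user="admin" srcip=10.20.0.15 action="login" status="success"
date=2026-03-04 time=02:31:44 user="admin" srcip=203.0.113.77 action="login" status="success"
date=2026-03-04 time=02:33:10 user="admin" srcip=203.0.113.77 action="add-admin" status="success" target="svc_backup"
date=2026-03-09 time=11:02:51 user="jlee" srcip=10.20.0.22 action="login" status="success"
date=2026-03-12 time=23:58:03 user="admin" srcip=198.51.100.4 action="login" status="failed"
date=2026-04-02 time=08:00:00 user="jlee" srcip=10.20.0.22 action="add-admin" status="success" target="newhire"
not a log line
'''

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source address is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def review(log_text):
    """Return (reason, date, user, srcip, target) tuples that need a human look."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not {"date", "srcip", "action", "status"} <= ev.keys():
            continue  # skip lines that are not admin events
        if ev["date"] < REVIEW_FROM or ev["status"] != "success":
            continue
        outside = not is_trusted(ev["srcip"])
        row = (ev["date"], ev.get("user"), ev["srcip"], ev.get("target"))
        if ev["action"] == "login" and outside:
            findings.append(("untrusted-admin-login",) + row)
        elif ev["action"] == "add-admin":
            # Every new admin is reported; creation from outside is the louder signal.
            reason = "admin-created-from-untrusted-ip" if outside else "admin-created-verify-change"
            findings.append((reason,) + row)
    return findings
```

Admin accounts created from a trusted address are still reported, because the account list review after patching has to confirm each one against an approved change.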