Home / Insights / FortiGate Zero-Day March 2026
Breaking News

Fortinet FortiGate Zero-Day: Mass Exploitation Across Asia-Pacific Networks

Published 18 March 2026 8 min read CRITICAL — PATCH NOW

A critical authentication bypass vulnerability in Fortinet's FortiGate SSL-VPN product line is being actively exploited at scale across Asia-Pacific, with the Australian Signals Directorate (ASD) confirming Australian organisations among the victims. CVE-2026-0847 carries a CVSS score of 9.8 and requires no user interaction or prior authentication to exploit. Organisations running affected FortiGate firmware must patch immediately.

FortiGate zero-day exploitation across Asia-Pacific
Urgent Action Required: If your organisation uses Fortinet FortiGate SSL-VPN, treat this as a P1 incident. Check the affected versions list below and apply patches immediately. If you cannot patch immediately, disable SSL-VPN access until a maintenance window permits patching.

Vulnerability Details

CVE-2026-0847 is an authentication bypass vulnerability in the FortiGate SSL-VPN web management interface. The vulnerability exists in the way FortiOS handles specially crafted HTTP requests to the authentication endpoint. An unauthenticated attacker can send a malformed request that causes the authentication check to be bypassed entirely, granting the attacker the equivalent of administrative access to the SSL-VPN management plane.

Affected Versions

  • FortiOS 7.4.0 through 7.4.3 (fixed in 7.4.4)
  • FortiOS 7.2.0 through 7.2.7 (fixed in 7.2.8)
  • FortiOS 7.0.0 through 7.0.14 (fixed in 7.0.15)
  • FortiOS 6.4.0 through 6.4.15 (no fix available — upgrade required)
  • FortiProxy 7.4.0 through 7.4.2 (fixed in 7.4.3)
  • FortiProxy 7.2.0 through 7.2.9 (fixed in 7.2.10)

CVSS Score Breakdown

  • CVSS Base Score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality / Integrity / Availability: High / High / High

Active Exploitation: What We Know

Fortinet first became aware of in-the-wild exploitation on 12 March 2026. By the time Fortinet published a security advisory on 15 March, mass exploitation was already underway. Within 72 hours of the advisory's publication, multiple threat intelligence firms reported automated scanning and exploitation of vulnerable FortiGate devices across the internet.

Key exploitation observations:

  • Automated scanning for vulnerable FortiGate endpoints began within 6 hours of Fortinet's advisory publication
  • At least four distinct threat actor groups have been observed exploiting the vulnerability, including financially motivated ransomware affiliates and a Chinese state-sponsored APT group
  • Post-exploitation activity has included credential harvesting, VPN configuration extraction (exposing internal network topology), and deployment of persistent backdoors
  • Australian victims confirmed by ASD include organisations in the financial services, healthcare, and manufacturing sectors
  • The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalogue, triggering mandatory remediation timelines for US federal agencies

Attack Chain Analysis

The typical attack chain observed in exploitation incidents follows a consistent pattern:

  1. Discovery: Automated scanners identify FortiGate devices with SSL-VPN enabled by probing for known URI patterns in the SSL-VPN web interface
  2. Authentication Bypass: A crafted HTTP request exploiting CVE-2026-0847 is sent to the FortiGate authentication endpoint, bypassing credential verification
  3. Configuration Extraction: Attackers extract VPN configuration, including user credentials (which may be stored in reversible format in some configurations), network topology, and routing information
  4. Persistent Access: Attackers create new local administrator accounts or install web shells in the FortiGate management interface to maintain persistent access even after patches are applied
  5. Lateral Movement: Using extracted credentials and network topology, attackers pivot to internal systems via the VPN tunnels

Indicators of Compromise

Organisations should review logs for the following indicators:

  • Unexpected authentication events in FortiGate logs, particularly successful authentication without corresponding valid credential usage
  • Access to the management interface from unusual source IP addresses or geographic locations
  • Creation of new local administrator accounts, particularly accounts with names that mimic legitimate system accounts
  • Unusual outbound connections from the FortiGate appliance to external IP addresses
  • Modifications to SSL-VPN configuration files or system configuration outside of change management windows
  • Evidence of configuration export (GET requests to /api/v2/cmdb/ from external IPs)

Remediation Steps

Immediate Actions (Within 24 Hours)

  1. Identify all FortiGate devices in your environment and confirm firmware versions
  2. If running an affected version with SSL-VPN enabled, disable SSL-VPN access immediately if patching within 24 hours is not feasible
  3. Review FortiGate authentication logs for evidence of exploitation
  4. Rotate all credentials that may have been accessible through VPN configurations
  5. Notify your managed security provider or the ASD if you have evidence of compromise

Patching (Within 72 Hours)

  1. Apply the fixed firmware version for your FortiGate model
  2. After patching, conduct a full configuration review to identify any unauthorised changes
  3. Review and rotate all local administrator account credentials
  4. Implement multi-factor authentication for all VPN access if not already in place

Post-Incident Review

  1. Consider whether your FortiGate management interfaces are exposed to the internet — they should only be accessible from trusted management networks
  2. Implement network-based anomaly detection capable of identifying unusual traffic patterns from VPN-connected devices
  3. Review your patch management process to understand why affected firmware was not patched in the window between Fortinet's advisory and mass exploitation

Context: Fortinet's Vulnerability History

This is not the first time Fortinet's SSL-VPN products have been subject to critical zero-day exploitation. CVE-2023-27997, CVE-2024-21762, and CVE-2025-1823 all preceded this latest vulnerability, all involved SSL-VPN, and all saw rapid in-the-wild exploitation. This pattern raises significant questions about the security maturity of Fortinet's SSL-VPN code base and should prompt organisations to evaluate whether their dependence on FortiGate SSL-VPN represents an acceptable risk profile.

For organisations willing to accept the migration complexity, this incident may provide the justification needed to evaluate ZTNA (Zero Trust Network Access) alternatives that eliminate the traditional VPN attack surface entirely.

CyberSec.au Assessment

The speed at which CVE-2026-0847 has been weaponised and the scale of the resulting exploitation campaign are unfortunately consistent with the established pattern for critical Fortinet SSL-VPN vulnerabilities. Organisations that have not yet established a process for emergency patching of network edge devices within 24-48 hours of a critical advisory are systematically at risk.

If your organisation cannot patch critical network infrastructure vulnerabilities within 48 hours of an advisory, that is the primary risk to address — not the specific vulnerability. The FortiGate exploitation pattern will repeat with the next network edge device vulnerability, and the next, and the next.

Affected by This Vulnerability?

If you need immediate assistance assessing your exposure or managing this incident, Australian organisations can contact the ASD's ACSC at 1300 CYBER1. For ongoing managed security support, get a free assessment from Australia's leading cybersecurity MSP.

Start Free Security Assessment
FortiGate CVE-2026-0847 Zero-Day SSL-VPN Fortinet APAC

Related Analysis