Fortinet: Hackers Use CyberStrikeAI Tool to Breach Fortinet FortiGate Devices

CyberStrikeAI: Open-Source AI Tool Targets Fortinet FortiGate Devices in Global Campaign

Researchers at Team Cymru have uncovered CyberStrikeAI, an open-source offensive security tool leveraging AI to target Fortinet FortiGate devices worldwide. Developed by GitHub user Ed1s0nZ, the Go-based platform integrates over 100 security tools, featuring an intelligent orchestration engine, role-based testing, and a dashboard for full attack lifecycle management.

First published on November 8, 2025, the tool gained traction in early 2026. Between January 20 and February 26, 2026, Team Cymru detected 21 unique IP addresses running CyberStrikeAI, signaling a sharp rise in threat actor adoption. Amazon Threat Intelligence identified a key server (212.11.64[.]250) linked to a campaign compromising over 600 FortiGate devices across 55 countries from January 11 to February 18. Team Cymru’s Scout platform confirmed the tool’s service banner on port 8080, with NetFlow data showing direct communications to FortiGate appliances. The infrastructure last executed the tool on January 30, 2026.

Ed1s0nZ’s ties to Chinese state actors raise concerns. On December 19, 2025, they submitted CyberStrikeAI to the Knownsec 404 Starlink Project, linked to China’s Ministry of State Security (MSS) and the People’s Liberation Army (PLA). On January 5, 2026, they received a CNNVD Level 2 Contribution Award overseen by the MSS before deleting the post, likely to obscure affiliations. Additional repositories, such as PrivHunterAI (privilege escalation detection) and InfiltrateX (scanning), further indicate a focus on exploitation.

Attackers used CyberStrikeAI’s AI to generate step-by-step attack plans, command sequences, and methods, exploiting exposed management ports and weak single-factor authentication to steal credentials. No zero-days were required. Most compromised servers were hosted in China, Singapore, and Hong Kong, aligning with a Chinese developer base.

Team Cymru warns that accessible AI-driven tools like CyberStrikeAI will accelerate adoption by Chinese APT groups, enabling automated, large-scale exploits against vulnerable network edges. The blurring line between offensive tools and legitimate security testing heightens risks for global networks.
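The campaign described above relied on management ports reachable from untrusted networks, and Team Cymru traced it through NetFlow records. The following is an added defensive example, not code from the article, Team Cymru, or the tool: it triages NetFlow-style records for connections to FortiGate administrative ports from sources outside an administrative allow list. The flow records, appliance addresses, and allow list are constructed.

```python
"""Added example: flag inbound connections to FortiGate management ports
from sources outside the administrative allow list (constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# FortiOS administrative services: SSH, HTTPS admin GUI, and FGFM (FortiManager, TCP 541).
MGMT_PORTS = {22: "ssh", 443: "https", 541: "fgfm"}
ALLOWED_ADMIN_NETS = [ip_network("10.0.0.0/8")]   # constructed trusted-host list
FORTIGATES = {"192.0.2.10", "192.0.2.11"}         # constructed appliance addresses

# Constructed NetFlow-like records: (src, dst, dst_port, packets)
FLOWS = [
    ("10.1.1.5", "192.0.2.10", 443, 40),       # admin from trusted net: expected
    ("198.51.100.7", "192.0.2.10", 443, 180),  # untrusted source on the HTTPS admin port
    ("198.51.100.7", "192.0.2.11", 22, 25),    # same source, SSH on a second appliance
    ("203.0.113.9", "192.0.2.10", 80, 3),      # non-management port: ignored
]


def flag_management_exposure(flows, appliances, allowed, ports=MGMT_PORTS):
    """Return {src: [(dst, service), ...]} for sources outside the allow list
    that reached a management port on a known appliance."""
    hits = defaultdict(list)
    for src, dst, dport, _packets in flows:
        if dst not in appliances or dport not in ports:
            continue
        if any(ip_address(src) in net for net in allowed):
            continue
        hits[src].append((dst, ports[dport]))
    return dict(hits)


def multi_appliance_sources(hits):
    """Sources that touched more than one appliance: scan-like behaviour
    worth escalating before a credential attack succeeds."""
    return sorted(s for s, t in hits.items() if len({d for d, _ in t}) > 1)


if __name__ == "__main__":
    found = flag_management_exposure(FLOWS, FORTIGATES, ALLOWED_ADMIN_NETS)
    for src, targets in found.items():
        print(src, targets)
    print("scan-like sources:", multi_appliance_sources(found))
```

Sources that appear here are candidates for the corrective actions the report lists: trusted-host restrictions on the admin interface and multi-factor authentication for administrators.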

Source: https://cyberpress.org/hackers-use-cyberstrikeai-tool-to-breach-fortinet-fortigate-devices/

Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet

"id": "FOR1772540844",
"linkid": "fortinet",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology, Cybersecurity',
                        'location': '55 countries (primarily China, Singapore, '
                                    'Hong Kong)',
                        'name': 'Fortinet FortiGate devices',
                        'size': 'Over 600 devices',
                        'type': 'Network security appliances'}],
 'attack_vector': 'Exposed management ports, weak single-factor authentication',
 'data_breach': {'sensitivity_of_data': 'High (credentials, network access)',
                 'type_of_data_compromised': 'Credentials, network '
                                             'configuration data'},
 'date_detected': '2026-01-20',
 'date_publicly_disclosed': '2026-02-26',
 'description': 'Researchers at Team Cymru uncovered CyberStrikeAI, an '
                'open-source offensive security tool leveraging AI to target '
                'Fortinet FortiGate devices worldwide. The tool integrates '
                'over 100 security tools, featuring an intelligent '
                'orchestration engine, role-based testing, and a dashboard for '
                'full attack lifecycle management. It was used to compromise '
                'over 600 FortiGate devices across 55 countries between '
                'January 11 and February 18, 2026.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage for '
                                       'affected entities',
            'data_compromised': 'Credentials, sensitive network data',
            'identity_theft_risk': 'High (credentials stolen)',
            'operational_impact': 'Compromised network security, unauthorized '
                                  'access',
            'systems_affected': 'Over 600 Fortinet FortiGate devices'},
 'initial_access_broker': {'entry_point': 'Exposed management ports, weak '
                                          'authentication',
                           'high_value_targets': 'Fortinet FortiGate devices'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'AI-driven offensive tools lower the barrier for '
                    'large-scale cyber attacks, increasing risks for '
                    'vulnerable network edges. The blurring line between '
                    'offensive tools and legitimate security testing heightens '
                    'global cybersecurity threats.',
 'motivation': 'State-sponsored espionage, large-scale exploitation',
 'post_incident_analysis': {'corrective_actions': ['Implement multi-factor '
                                                   'authentication for '
                                                   'management interfaces',
                                                   'Restrict access to network '
                                                   'edges',
                                                   'Enhance monitoring for '
                                                   'AI-driven attack patterns'],
                            'root_causes': ['Exposed management ports',
                                            'Weak single-factor authentication',
                                            'AI-driven attack automation']},
 'recommendations': ['Strengthen authentication mechanisms (e.g., multi-factor '
                     'authentication) for exposed management ports.',
                     'Monitor and restrict access to network edges.',
                     'Enhance threat intelligence sharing to detect AI-driven '
                     'attack tools early.',
                     'Conduct regular security audits of network appliances.'],
 'references': [{'source': 'Team Cymru'},
                {'source': 'Amazon Threat Intelligence'},
                {'source': 'GitHub (Ed1s0nZ)'}],
 'response': {'enhanced_monitoring': 'Team Cymru’s Scout platform, NetFlow '
                                     'data analysis',
              'third_party_assistance': 'Team Cymru, Amazon Threat '
                                        'Intelligence'},
 'threat_actor': ['GitHub user Ed1s0nZ',
                  'Chinese state actors',
                  'Knownsec 404 Starlink Project (linked to China’s MSS and '
                  'PLA)'],
 'title': 'CyberStrikeAI: Open-Source AI Tool Targets Fortinet FortiGate '
          'Devices in Global Campaign',
 'type': 'Cyber Attack',
 'vulnerability_exploited': 'Exposed management ports, weak authentication'}