ISLAMABAD: Pakistan’s National CERT has issued a high-alert cybersecurity warning after a global Fortinet breach compromised nearly 74,000 devices worldwide, putting critical networks at risk.
Authorities have urged government and private organizations to immediately secure their firewall and VPN systems against possible cyberattacks.
Global cyberattack targets fortinet systems
The National Computer Emergency Response Team (National CERT) warned government institutions, banks, telecom operators, energy companies, and other critical infrastructure organizations to take immediate action following a large-scale cyber intrusion campaign affecting internet-facing Fortinet devices across 194 countries.
According to the advisory, cybersecurity researchers identified approximately 73,932 compromised Fortinet FortiGate firewall instances, exposing administrative credentials and potentially allowing attackers to gain unauthorized access to enterprise and critical infrastructure networks.
National CERT said organizations using internet-exposed Fortinet FortiGate firewalls and SSL VPN gateways face an elevated risk of credential theft, unauthorized access, and network compromise.
Organized cybercriminal activity suspected
The advisory stated that the ongoing campaign is believed to involve organized cybercriminal groups carrying out credential harvesting, brute-force attacks, VPN credential exploitation, and post-compromise activities to infiltrate internal networks.
Attackers reportedly exploited publicly accessible FortiGate management interfaces and outdated credential storage mechanisms to obtain administrative access and establish persistent footholds inside targeted systems.
“The scale, sophistication, and active exploitation observed require organizations utilizing Fortinet FortiGate infrastructure to immediately assess their exposure, implement remediation measures, and conduct threat-hunting activities,” National CERT said.
Critical sectors at risk
National CERT warned that failure to identify and secure affected systems could lead to unauthorized administrative access, VPN compromise, theft of sensitive information, Active Directory breaches, installation of backdoors, data exfiltration, and unauthorized changes to firewall security policies.
The agency said compromised networks could expose government and corporate data, disrupt essential services, and create supply-chain risks through unauthorized access to connected third-party systems.
The sectors identified as highly vulnerable include:
- Government organizations
- Banks and financial institutions
- Telecommunications companies
- IT firms
- Healthcare providers
- Educational institutions
- Manufacturing industries
- Industrial automation operators
- Logistics companies
- Critical infrastructure organizations
Organizations advised to monitor suspicious activity
National CERT urged organizations to investigate signs of possible compromise, including:
- Unusual administrator logins from unfamiliar locations
- Access attempts outside normal working hours
- Newly created administrator accounts
- Suspicious VPN activity
- Unexpected firewall rule changes
- Unexplained privilege escalation
- Unusual outbound network traffic
- Unauthorized activity within Active Directory environments
Emergency security measures recommended
National CERT directed organizations to immediately remove FortiGate management interfaces from public internet exposure, update systems to the latest supported FortiOS versions, reset administrator passwords, and enable multi-factor authentication (MFA) for administrative and VPN accounts.
The advisory also recommended restricting management access to trusted networks, reviewing firewall policies and administrator accounts, improving security monitoring, and maintaining detailed activity logs.
Organizations have been advised to assume possible compromise if suspicious activity is detected, rotate administrative and service credentials, investigate firewall and VPN logs, audit Active Directory environments, and rebuild affected systems where necessary.
National CERT calls for immediate reporting
National CERT classified exposure reduction, credential rotation, MFA enforcement, and threat hunting as critical response measures.
The cybersecurity authority urged organizations to immediately report suspected firewall compromises, unauthorized administrative access, VPN abuse, or related malicious activity through official incident reporting channels.
National CERT emphasized that the incident should be treated as a potential cybersecurity breach requiring urgent investigation rather than a routine software vulnerability requiring only standard updates.


















