Threat intelligence, controls, and response roadmaps

Fortinet FortiGate firewalls are among the most widely deployed perimeter security devices in enterprise networks, and a critical authentication bypass vulnerability is now being exploited by multiple threat groups to take complete control of these devices. The vulnerability grants unauthenticated attackers super-admin access — full administrative control over the firewall's configuration, logging, VPN tunnels, and routing rules. Once a FortiGate device is compromised, the attacker can disable security controls, create persistent backdoor access, intercept network traffic, and use the compromised device as a pivot point for lateral movement into the internal network. The severity of the vulnerability, combined with the massive number of exposed devices, makes this one of the most critical infrastructure-security events of 2026.

Technical analysis

CVE-2025-24472 is an authentication bypass vulnerability in FortiOS's Node.js-based management API. The vulnerability exists in the authentication middleware that validates administrative sessions for the web-based management interface and the REST API. A specially crafted HTTP request that manipulates the session-validation logic allows an unauthenticated attacker to establish an authenticated session with super-admin privileges — the highest privilege level on the device, with full access to all configuration, monitoring, and management functions.

The vulnerability affects FortiOS versions 7.0.0 through 7.0.16, 7.2.0 through 7.2.9, and 7.4.0 through 7.4.5. Fortinet has released patches in FortiOS 7.0.17, 7.2.10, and 7.4.6, and strongly recommends immediate upgrade. A temporary workaround — disabling HTTP/HTTPS administrative access to the management interface from the internet and restricting access to trusted management networks — mitigates the vulnerability but is not a permanent fix.

The vulnerability is trivially exploitable. Proof-of-concept exploit code was published within 48 hours of the initial advisory, and automated exploitation tools have been integrated into commodity attack frameworks. The exploitation requires only network connectivity to the FortiGate management interface — no authentication, no interaction with legitimate users, and no prior knowledge of the target's configuration. The attack leaves minimal artifacts on the device, making compromise difficult to detect through standard FortiGate logging without specific log-review procedures.

The vulnerability's severity is compounded by the common practice of exposing FortiGate management interfaces to the internet for remote administration. While Fortinet's security hardening guides have long recommended restricting management-interface access to trusted networks, operational convenience has led many organizations to keep management interfaces internet-accessible. Internet scans identify over 150,000 FortiGate management interfaces exposed to the public internet, each potentially vulnerable to this exploit.

Observed exploitation campaigns

Multiple threat groups are exploiting CVE-2025-24472 with different objectives. A Chinese state-sponsored group, tracked as UNC3886 by Mandiant, has been observed targeting FortiGate devices at defense contractors, telecommunications companies, and government agencies. The group establishes persistent access through firmware-level implants that survive FortiOS upgrades, a technique the group has used in previous FortiGate exploitation campaigns. The firmware implants modify the device's operating system to maintain backdoor access while hiding from standard integrity-verification tools.

Financially motivated ransomware groups have also adopted the exploit as an initial-access vector. Compromised FortiGate devices provide VPN credentials and network configuration information that enable attackers to enter the internal network as if they were authorized VPN users. Several ransomware incidents in February 2026 have been traced to initial access through exploited FortiGate devices, with the attackers using VPN tunnels to move laterally without triggering network-segmentation controls.

A third exploitation pattern involves the creation of administrative accounts on compromised devices that persist after patching. Attackers who compromise a FortiGate device before the patch is applied create new administrative accounts, often with names that mimic legitimate system accounts. When the organization applies the patch — addressing the authentication bypass vulnerability — the attacker-created accounts remain active, providing continued access that is not remediated by the patch alone.

Data-theft operations have been observed in several compromised environments. Attackers configure the compromised FortiGate to mirror network traffic to attacker-controlled infrastructure, capturing credentials, email content, and file transfers as they cross the firewall. This passive interception is particularly difficult to detect because it does not generate anomalous traffic patterns on the internal network — the attacker is simply copying traffic at a point through which it would normally flow.

Detection and forensic analysis

Detecting FortiGate compromise requires examination of device logs, configuration state, and firmware integrity. Key forensic indicators include the creation of new administrative accounts during the exploitation window, changes to VPN or firewall policies not attributable to authorized administrators, the presence of scheduled tasks or automation scripts on the device that were not created by the organization, and modifications to syslog or SNMP configurations that could redirect logging to prevent detection.

FortiOS audit logs should be reviewed for authentication events from unusual source IP addresses, particularly for sessions that achieved super-admin access without preceding failed authentication attempts — a signature pattern of authentication-bypass exploitation. If FortiGate logs are forwarded to a centralized SIEM, the SIEM should be configured with detection rules that flag these patterns.

Firmware integrity verification is essential for detecting persistent-access implants. Fortinet has published a firmware-verification tool that computes cryptographic hashes of the running firmware and compares them against known-good values. Devices whose firmware does not match the expected hash should be considered compromised, even if the FortiOS version appears current. Remediation of firmware-level compromises requires a factory reset and full firmware reinstallation from trusted media — a configuration backup-restore cycle is insufficient because the backup may include attacker-modified configuration elements.

Network-traffic analysis can identify traffic-mirroring configurations that indicate passive interception. The FortiGate's port-mirroring configuration should be reviewed for any mirroring rules that were not authorized by the network team. Additionally, unexpected outbound connections from the FortiGate management interface to external IP addresses may indicate command-and-control communication or data exfiltration through the compromised device.

Remediation and hardening

Immediate remediation requires patching to the fixed FortiOS versions (7.0.17, 7.2.10, or 7.4.6). Before patching, organizations should review all administrative accounts on the device and remove any accounts not recognized by the administration team. Post-patching, all remaining administrative credentials should be rotated — passwords, API keys, and certificate-based authentication credentials — because any of these may have been captured during the exploitation window.

VPN credentials should be treated as potentially compromised if the FortiGate device managed VPN authentication. All VPN users should be required to re-authenticate with reset credentials, and VPN session logs should be reviewed for access from unusual locations or at unusual times. If the FortiGate served as a RADIUS or LDAP authentication proxy, the upstream authentication infrastructure should also be assessed for compromise.

Management interface hardening should be implemented immediately regardless of patch status. FortiGate management interfaces should not be accessible from the public internet. Access should be restricted to dedicated management networks, jump hosts, or VPN-only access with multi-factor authentication. If internet-accessible management is operationally required, access should be restricted to specific source IP addresses and protected by client-certificate authentication in addition to username/password credentials.

Network monitoring should be enhanced for the FortiGate device tier. Implement monitoring for configuration changes, administrative account modifications, firmware integrity, and unusual traffic patterns to and from FortiGate management interfaces. These monitoring controls should be permanent additions to the security-monitoring program, not temporary measures for this specific incident.

Organizational response and communication

Organizations that identify confirmed compromise should activate their incident-response plans. The compromised FortiGate device is a network-infrastructure component with visibility into all traffic crossing the perimeter — compromise at this layer potentially exposes all communications that traversed the device during the exploitation period. The scope of investigation should reflect this exposure: credential compromise, data exfiltration, and lateral-movement assessments should encompass the entire network segment served by the compromised device.

Regulatory notification obligations may apply depending on the jurisdiction and the sensitivity of data that crossed the compromised device. GDPR breach notification, SEC cybersecurity incident disclosure, and sector-specific reporting obligations (HIPAA, PCI DSS) should be assessed based on the forensic findings. Organizations should engage legal counsel early to assess notification obligations before public disclosure or regulatory reporting deadlines arrive.

Communication with customers and partners should be prepared for organizations where the compromised FortiGate handled traffic containing third-party data. The communication should describe the incident, the remediation measures taken, and the steps the organization is taking to prevent recurrence. preventive, transparent communication generally produces better outcomes than delayed disclosure forced by regulatory action or third-party discovery.

Recommended immediate actions

Patch all FortiGate devices to the fixed FortiOS versions immediately. Prioritize internet-exposed devices but do not delay patching for internal devices, as compromised internet-facing devices may be used to attack internal FortiGate infrastructure.

Audit all administrative accounts on every FortiGate device in your environment. Remove any accounts that cannot be attributed to authorized administrators. Rotate all remaining administrative credentials including passwords, API keys, and certificates.

Restrict FortiGate management interfaces to trusted management networks. If internet-accessible management is currently in use, implement source-IP restrictions and client-certificate authentication as interim measures while planning a migration to VPN-only management access.

Review FortiGate logs for indicators of compromise during the pre-patch exposure window. Look for authentication events from unusual sources, unauthorized account creation, configuration changes, and traffic-mirroring rules. Engage incident-response resources if compromise indicators are identified.

What to expect

The FortiOS authentication bypass represents the latest in a series of critical vulnerabilities affecting enterprise perimeter-security devices — a pattern that includes Ivanti, Palo Alto, Citrix, and SonicWall products over the past two years. The recurring theme is that the devices organizations trust to protect their networks are themselves becoming the primary attack surface, and the consequences of their compromise are more severe than the compromise of any single endpoint because they provide network-wide visibility and control.

The strategic implication is clear: perimeter-security devices require the same rigorous vulnerability management, hardening, and monitoring that organizations apply to their most critical servers. The operational convenience of internet-accessible management interfaces must be weighed against the catastrophic risk of device compromise. For most organizations, the risk calculus has shifted decisively toward restricted management access, and the current exploitation campaign should be the catalyst for implementing that restriction permanently.

Token-based authentication is the foundation of modern cloud identity, and its weaknesses are being exploited at scale. This campaign demonstrates that multi-factor authentication, while essential, does not provide complete protection against credential theft when attackers operate at the token layer rather than the password layer. An adversary who captures a valid refresh token can access cloud resources as the compromised user — from any device, any location, without repeating the MFA challenge — until the token is revoked. The attack is particularly dangerous because it produces minimal forensic artifacts: token replay sessions appear as legitimate authenticated access from the user's perspective, making detection dependent on behavioral analytics rather than traditional authentication monitoring.

Attack methodology and token harvesting

The attack chain begins with adversary-in-the-middle (AiTM) phishing. The threat group operates phishing infrastructure built on the EvilGinx framework, which proxies the legitimate Microsoft login page to the victim while intercepting the authentication exchange in real time. When the victim enters their credentials and completes the MFA challenge, the phishing proxy captures the resulting session tokens — including the OAuth 2.0 refresh token — before forwarding the authenticated session to the victim. The victim experiences a normal login; the attacker receives a copy of the tokens.

The captured refresh tokens are then replayed from attacker-controlled infrastructure to request new access tokens from Microsoft Entra ID. Because refresh tokens are bearer tokens — their possession alone is sufficient for authentication — no additional MFA challenge is required. The attacker can generate fresh access tokens repeatedly until the refresh token expires or is revoked, maintaining persistent access for days, weeks, or potentially months depending on the organization's token-lifetime configuration.

The phishing campaigns use highly convincing lures targeting users of Microsoft 365, Teams, and SharePoint. Messages impersonate IT departments, HR, and executive leadership, directing recipients to credential-harvesting pages that are visually indistinguishable from legitimate Microsoft login screens. The phishing pages use valid TLS certificates and domain names that closely resemble the target organization's single-sign-on URLs, defeating visual inspection by even cautious users.

Post-token-capture activities proceed rapidly. Within minutes of obtaining a refresh token, the attackers access the victim's mailbox to identify high-value contacts and active business processes. They then use the compromised account to send internal phishing messages to additional targets within the organization, using the trust associated with the legitimate sender identity. This internal phishing chain dramatically accelerates lateral movement within the target organization.

Scope of compromise and business impact

The campaign has compromised organizations across financial services, technology, healthcare, and professional services, with confirmed incidents reported in at least twelve countries. The threat group's objectives are primarily financial: business email compromise targeting wire transfers, invoice redirection, and procurement fraud. Secondary objectives include access to sensitive documents, intellectual property, and business communications that can be monetized through extortion or sold to interested buyers.

Business email compromise losses attributable to the campaign are estimated in the tens of millions of dollars globally. In several documented cases, the attackers established inbox rules that forwarded copies of specific messages to external addresses, monitored financial communications for days to understand payment processes and vendor relationships, and then impersonated the compromised user to request fraudulent wire transfers timed to coincide with legitimate payment cycles.

The compromised refresh tokens also provide access to Azure resources if the affected user has Azure role assignments. In multiple incidents, the attackers used cloud-resource access to provision cryptocurrency-mining infrastructure using the victim organization's Azure subscription, generating significant unexpected cloud costs before detection. The combination of direct financial fraud and cloud-resource abuse amplifies the financial impact of each successful compromise.

Data-exfiltration activities focus on email archives, SharePoint document libraries, and OneDrive file stores accessible through the compromised identity. The attackers use Microsoft Graph API calls to enumerate and download files matching keywords associated with financial data, contractual agreements, and personally identifiable information. The use of legitimate API endpoints for data access makes exfiltration difficult to distinguish from normal user activity without behavioral analytics.

Detection strategies and forensic indicators

Detecting token-replay attacks requires monitoring for behavioral anomalies that distinguish legitimate token usage from attacker-operated sessions. The primary detection signals involve geolocation inconsistencies — token usage from IP addresses and regions inconsistent with the user's normal access patterns — and device fingerprint mismatches, where a token issued to one device type and operating system is used from a different device configuration.

Microsoft's Entra ID sign-in logs provide several signals useful for detection. The "Token Issuer Type" field distinguishes between tokens issued through interactive authentication and those obtained through refresh-token redemption. Unusual patterns of refresh-token redemption — particularly from new IP addresses or device identifiers — warrant investigation. The "Risk Level" field in Entra ID Identity Protection may flag token-replay sessions as risky based on Microsoft's own anomaly-detection models, but this detection is not guaranteed and should be supplemented with organizational monitoring.

Mail-flow anomalies provide secondary detection signals. The creation of new inbox rules, particularly rules that forward messages to external addresses or move messages to less-visible folders, is a strong indicator of account compromise. Monitoring for inbox-rule changes through the Microsoft 365 audit log should be a standard detection control for all organizations.

Microsoft Graph API activity monitoring detects data-exfiltration patterns. Unusual volumes of file downloads, enumeration of SharePoint sites not previously accessed by the user, or OneDrive download patterns inconsistent with the user's normal activity profile indicate potential compromise. Organizations should baseline normal Graph API usage patterns for each user and alert on significant deviations.

Token lifecycle management and remediation

Effective defense against token-replay attacks requires active management of token lifetimes and revocation capabilities. Microsoft's Continuous Access Evaluation (CAE) feature enables near-real-time token revocation when security events are detected, reducing the window of vulnerability from the default refresh-token lifetime to minutes. Organizations should ensure CAE is enabled for all Entra ID applications that support it.

Token-lifetime policies should balance security with usability. Shorter refresh-token lifetimes reduce the duration of potential compromise but increase the frequency of re-authentication prompts that disrupt user workflows. Microsoft's recommended approach uses conditional-access policies to enforce shorter token lifetimes for sessions exhibiting risk signals — such as access from new locations or unmanaged devices — while allowing longer lifetimes for sessions that meet compliance conditions.

Remediation of confirmed compromises requires immediate token revocation for all affected accounts, followed by a forced re-authentication that invalidates all existing sessions. The Revoke-AzureADUserAllRefreshToken PowerShell command (or its Microsoft Graph equivalent) invalidates all refresh tokens for a specified user, forcing re-authentication across all devices and applications. This action should be complemented by a password reset and MFA re-registration to ensure the attacker cannot re-establish access through previously harvested credentials.

Post-compromise investigation should examine the full scope of the attacker's access: mailbox rules, file-access patterns, Azure role assignments, and delegated application permissions. Attackers commonly establish persistence through consent-grant attacks that assign application permissions to attacker-controlled applications, providing API-level access that survives user-credential remediation. Application consent logs should be reviewed and any unauthorized application grants revoked immediately.

Phishing-resistant authentication as structural mitigation

The fundamental structural mitigation for AiTM phishing is phishing-resistant authentication that prevents token harvesting at the authentication layer. FIDO2 security keys and Windows Hello for Business bind the authentication credential to the legitimate authentication endpoint through cryptographic channel binding. Because the credential is cryptographically linked to the real Microsoft login server, it cannot be replayed through a phishing proxy — the proxy receives a cryptographic response that is invalid for any endpoint other than the one the user intended to authenticate to.

Device-bound token protection extends phishing resistance to the token layer. When configured, Entra ID binds tokens to the device on which they were issued, preventing their use from any other device. An attacker who captures a refresh token through a phishing proxy cannot replay it from their own infrastructure because the token is cryptographically bound to the victim's device. Device-bound tokens require managed devices enrolled in Intune or compliant with device-compliance policies.

Conditional-access policies that require compliant devices, managed applications, and phishing-resistant authentication methods provide defense-in-depth against the entire attack chain. Organizations should implement conditional-access policies that enforce these requirements for access to sensitive resources — email, financial systems, administrative portals — even if universal enforcement across all applications is not immediately feasible.

Recommended immediate actions

Enable Continuous Access Evaluation for all supported applications in Entra ID. Verify that conditional-access policies are configured to enforce device compliance and risk-based session controls for access to sensitive resources.

Deploy phishing-resistant authentication — FIDO2 security keys or Windows Hello for Business — for high-value accounts including executives, finance personnel, IT administrators, and any user with privileged Azure role assignments. Transition remaining users to phishing-resistant methods as rapidly as organizational logistics allow.

Implement detection monitoring for token-replay indicators: geolocation anomalies in sign-in logs, device-fingerprint mismatches, unusual inbox-rule creation, and anomalous Graph API activity patterns. Integrate these detections into the SOC workflow with defined response procedures.

Conduct a review of application consent grants across the Entra ID tenant. Identify and revoke any application permissions that cannot be attributed to legitimate business use. Implement consent-governance policies that require administrator approval for new application consent grants.

Assessment and outlook

The Entra ID token-replay campaign illustrates a structural challenge in token-based authentication: tokens are bearer credentials whose possession alone confers access, and the protections designed to limit their misuse — short lifetimes, device binding, continuous evaluation — are not universally deployed. The campaign will accelerate enterprise adoption of phishing-resistant authentication and device-bound tokens, but the transition will take years, leaving a window of vulnerability that financially motivated attackers will continue to exploit.

For security leaders, the strategic lesson is that MFA is necessary but not sufficient. The authentication-security conversation must expand from "do we have MFA?" to "is our MFA phishing-resistant, are our tokens device-bound, and do we have the behavioral analytics to detect token misuse?" Organizations that ask and answer these questions will be materially better protected against the credential-theft campaigns that are now the dominant initial-access vector for both financially motivated and state-sponsored threat actors.

The adoption of AI tools by ransomware operators has moved from speculative concern to observed reality. Threat-intelligence vendors documenting multiple ransomware-as-a-service (RaaS) ecosystems now report that AI-generated phishing content, automated reconnaissance scripting, and adaptive evasion tactics are being used in production attack campaigns targeting enterprises across sectors. The shift does not represent a fundamental change in ransomware mechanics — the kill chain still progresses from initial access through lateral movement to exfiltration and encryption — but it accelerates each phase and raises the sophistication floor for even low-skill affiliates. this analysis examines the observed techniques, assesses the defensive implications, and recommends countermeasures.

AI-enhanced phishing campaigns

Threat intelligence from multiple vendors confirms that ransomware affiliates are using large language models to generate phishing emails that are significantly more effective than traditional template-based campaigns. The AI-generated messages are grammatically flawless, contextually appropriate, and personalized using information scraped from LinkedIn profiles, corporate websites, and previous data breaches. Unlike mass-distributed spam that relies on volume, these campaigns target specific individuals with messages crafted to match their professional role, organizational context, and communication patterns.

Business email compromise (BEC) variants are particularly effective. The AI-generated messages impersonate executives, vendors, and legal counsel with a level of linguistic authenticity that is difficult for recipients to distinguish from legitimate correspondence. In several documented campaigns, the phishing messages referenced real ongoing projects, used the correct internal terminology of the target organization, and mimicked the writing style of the impersonated sender. This level of personalization was previously achievable only by state-sponsored groups with dedicated intelligence resources; AI tools have made it accessible to financially motivated criminal operations.

Multi-language capability has expanded the geographic scope of ransomware phishing. Campaigns that previously focused on English-speaking targets now produce equally convincing messages in German, French, Japanese, Portuguese, and other languages, enabling affiliates to target organizations in regions that were previously protected by language barriers. The operational cost of localizing phishing campaigns has dropped to near zero, removing a natural constraint on global targeting.

Defenders face a fundamental challenge: AI-generated phishing content defeats many of the heuristics that traditional email security gateways use to identify phishing. Spelling errors, grammatical irregularities, and formatting anomalies — long used as indicators of malicious messages — are absent from AI-crafted content. Detection must shift toward behavioral signals: sender authentication anomalies, unusual request patterns, link-destination analysis, and contextual-relevance scoring that evaluates whether a message is consistent with the recipient's expected communication patterns.

Automated reconnaissance and living-off-the-land techniques

Post-exploitation activities are also benefiting from AI augmentation. Ransomware operators are using language models to generate PowerShell, WMI, and LDAP queries that perform Active Directory reconnaissance, privilege enumeration, and lateral-movement planning using only legitimate system administration tools. The generated scripts are syntactically diverse — each variant uses different command structures, variable names, and execution patterns — making signature-based detection ineffective because no two campaign instances produce identical artifacts.

The living-off-the-land (LOTL) approach minimizes the attacker's need to deploy custom malware, which is the class of artifact that endpoint detection and response (EDR) tools are most effective at identifying. Instead, the attacker accomplishes reconnaissance and movement objectives using built-in operating system utilities — net.exe, nltest.exe, PowerShell, cmd.exe, certutil.exe — that are present on every Windows system and whose execution is often not flagged by default security configurations.

AI-generated scripts demonstrate a concerning ability to adapt to defensive environments. When initial reconnaissance commands fail or trigger alerts, the operators iteratively modify their approach using AI-assisted troubleshooting. In one documented campaign, an attacker attempted three different methods of extracting Kerberos ticket data over the course of 45 minutes, each time adjusting the technique based on error messages and apparent monitoring responses. This adaptive behavior, which previously required experienced human operators, can now be conducted by affiliates with minimal technical skill using AI as a force multiplier.

Credential harvesting has become more systematic. AI-assisted attackers generate targeted credential-phishing pages for internal applications — intranet portals, VPN login pages, and cloud-service authentication screens — that are hosted on compromised internal infrastructure. These internal phishing pages bypass many external threat-intelligence feeds because they operate entirely within the organization's network perimeter. The harvested credentials fuel further lateral movement and privilege escalation.

Dwell-time compression and accelerated encryption

The combined effect of AI-enhanced initial access and automated post-exploitation is a compression of dwell time — the interval between initial compromise and the initiation of encryption. Median dwell time for ransomware incidents has declined from approximately 5 days in 2024 to under 48 hours in recent campaigns documented by CrowdStrike and Mandiant. Several incidents progressed from initial phishing email to full-domain encryption in under 24 hours.

This compression has direct implications for detection and response. Security operations centers (SOCs) that rely on analyst-driven investigation workflows measured in days rather than hours are structurally unable to respond before encryption begins. The OODA loop — observe, orient, decide, act — must operate within hours, not days, to have any chance of containing a modern ransomware intrusion before the damage is done.

Data exfiltration now precedes encryption, ensuring that the threat actor retains use even if the victim's backup and recovery systems are effective. AI tools accelerate the exfiltration-target identification process by scanning file systems for keywords associated with sensitive data — financial records, customer databases, intellectual property, legal documents — and prioritizing the highest-value targets for rapid extraction. The result is more focused, efficient exfiltration that extracts maximum use material in minimum time.

The double-extortion model — combining encryption-based disruption with data-leak threats — is now nearly universal among sophisticated ransomware groups. AI-generated ransom notes are also more persuasive, professionally written, and tailored to the victim's perceived financial capacity. Some groups have been observed using AI to draft customized negotiation strategies based on the victim organization's size, industry, and insurance coverage.

Defensive countermeasures and detection strategies

Defending against AI-enhanced ransomware requires a shift from signature-based detection to behavioral analytics and anomaly detection. EDR solutions must be configured to detect suspicious patterns of legitimate tool usage — sequences of reconnaissance commands, bulk credential access attempts, rapid file enumeration — rather than relying on the presence of known malicious binaries.

Email security must evolve beyond content analysis to incorporate authentication-based detection. DMARC, DKIM, and SPF authentication provide foundational protections against domain spoofing. Advanced email-security platforms that analyze sender behavior patterns, communication-graph anomalies, and request context can identify AI-generated phishing that passes traditional content filters. Organizations should also implement out-of-band verification procedures for high-risk requests — wire transfers, credential resets, access changes — that cannot be circumvented by email compromise alone.

Network-level detection should focus on lateral-movement indicators: unusual SMB session patterns, anomalous LDAP queries, Kerberos ticket requests for services not typically accessed by the requesting account, and data-movement volumes inconsistent with normal operations. Network detection and response (NDR) platforms that baseline normal network behavior and alert on deviations provide visibility that endpoint-focused tools may miss.

Identity-based security measures offer the highest-use defenses. Phishing-resistant multi-factor authentication — hardware security keys, FIDO2 tokens, certificate-based authentication — eliminates the credential-harvesting vector that AI-enhanced phishing is designed to exploit. Privileged-access management (PAM) systems that enforce just-in-time access and session recording limit the damage an attacker can inflict with compromised credentials. Identity threat detection and response (ITDR) platforms that monitor authentication patterns across the identity infrastructure provide early warning of credential misuse.

Organizational resilience and preparedness

Technical controls alone are insufficient without organizational preparedness. Tabletop exercises simulating AI-enhanced ransomware scenarios help leadership and response teams develop decision-making speed for compressed-timeline incidents. Exercises should test the organization's ability to detect, contain, and communicate about an intrusion within a 24-hour window — the realistic response window for modern ransomware attacks.

Backup and recovery systems must be validated against modern ransomware tactics. Immutable backups stored in isolated environments that cannot be reached from the production network are essential. Recovery time objectives should be tested regularly through full-scale restoration drills. Organizations that discover their backup systems are inadequate during an actual incident face catastrophic consequences.

Cyber-insurance coverage should be reviewed in light of evolving ransomware tactics. Insurers are tightening underwriting requirements and now requiring evidence of specific controls — MFA, EDR, PAM, offline backups — as conditions of coverage. Organizations that cannot demonstrate adequate controls may face coverage denials or premium increases that materially affect their risk-transfer strategy.

Recommended immediate actions

Deploy phishing-resistant MFA across all accounts with access to sensitive systems and data. Hardware security keys or FIDO2 passkeys should replace SMS and TOTP-based MFA for high-risk accounts including administrators, executives, and finance personnel.

Configure EDR solutions to alert on suspicious sequences of legitimate tool usage rather than relying exclusively on malware-signature detection. Work with your EDR vendor to tune detection rules for LOTL reconnaissance patterns specific to your environment.

Conduct a tabletop exercise simulating a ransomware attack with a 24-hour timeline from initial compromise to encryption. Test the organization's detection, containment, communication, and recovery capabilities under realistic time pressure.

Validate backup and recovery systems through a full-scale restoration drill. Verify that backups are immutable, stored in isolated environments, and recoverable within documented time objectives.

Assessment and outlook

AI-enhanced ransomware represents an acceleration of existing trends rather than a fundamentally new threat category. The kill chain remains the same, but each stage is faster, more effective, and more difficult to detect. The defensive implications are straightforward: organizations must move faster, detect more subtly, and build resilience that assumes prevention will sometimes fail.

The asymmetry between offensive and defensive AI use cases is likely to persist. Attackers benefit from AI's ability to generate plausible content and automate routine tasks, while defenders face the harder challenge of distinguishing subtle anomalies from normal behavior across vast volumes of data. Closing this gap requires sustained investment in detection capability, response speed, and organizational preparedness — investments that many organizations have deferred and can no longer afford to delay.

A coordinated exploitation campaign targeting Ivanti Connect Secure VPN appliances has triggered the first CISA Emergency Directive of 2026. Two previously unknown vulnerabilities — a stack-based buffer overflow in the web management interface and an authentication bypass in the SAML module — are being chained together by a sophisticated threat group to gain persistent root-level access to enterprise networks. The campaign has been active since at least mid-December 2025, meaning many organizations were compromised weeks before public disclosure. The scale and severity of this campaign demand immediate action from every organization running affected appliances.

Technical analysis

CVE-2026-0867 is a stack-based buffer overflow in the Connect Secure web management interface. Specially crafted HTTPS requests to the management endpoint trigger the overflow in the authentication-processing component, enabling unauthenticated remote code execution with root privileges. No valid credentials or prior access is required — any attacker who can reach the management interface over the network can exploit the flaw.

CVE-2026-0868 is an authentication bypass in the SAML single-sign-on module. It allows an attacker to forge valid authentication tokens and establish VPN sessions without possessing valid user credentials. On its own this vulnerability provides unauthorized network access; combined with CVE-2026-0867 it enables a complete attack chain from initial access through the management plane to persistent internal network presence via the VPN data plane.

The exploitation sequence observed in the wild proceeds in stages. First, the attacker exploits CVE-2026-0867 to execute arbitrary commands on the appliance. A lightweight web shell is deployed within seconds, providing interactive command execution through the existing HTTPS service. The attacker then modifies the appliance's firmware partition — not just the software partition — to install a persistent backdoor that survives both reboots and standard software updates. This firmware-level persistence is the campaign's most dangerous characteristic because it means patching the application software alone does not eradicate the threat.

Internet-facing scans identify over 30,000 Ivanti Connect Secure appliances exposed to the public internet globally. A subset of these expose the management interface, creating the initial attack surface. Even organizations that restrict management access to internal networks are not immune if their internal networks have already been compromised through other means, but internet-exposed management interfaces represent the primary and most urgent risk.

Threat actor attribution and targeting

Mandiant, Microsoft Threat Intelligence, and the UK's National Cyber Security Centre attribute the campaign to a Chinese state-sponsored group tracked as UNC5337 by Mandiant and Volt Typhoon–adjacent by other vendors. The group has a documented history of targeting network-edge appliances — routers, VPN concentrators, and firewalls — for initial access to high-value networks. Previous campaigns targeted Citrix NetScaler, Fortinet FortiOS, and earlier Ivanti vulnerabilities in 2023 and 2024.

Confirmed targets span at least fifteen countries and include U.S. federal civilian agencies, defense-ministry networks in three NATO member states, major telecommunications operators in Southeast Asia, and critical-infrastructure operators in the energy and water sectors. The breadth of targeting indicates strategic intelligence-collection objectives rather than financially motivated cybercrime.

Post-exploitation tradecraft is disciplined and stealthy. The attackers use living-off-the-land techniques — using legitimate system tools rather than dropping conspicuous malware — to conduct Active Directory reconnaissance, harvest credentials, and move laterally to domain controllers. Data exfiltration is routed through encrypted tunnels to legitimate cloud-storage services, blending with normal business traffic. Forensic timestamps on compromised appliances have been deliberately altered to impede investigation timelines.

The pre-disclosure exploitation window — estimated at five to six weeks — means that many organizations were compromised before any public indicator of compromise was available. This window highlights the asymmetric advantage that zero-day capabilities confer on well-resourced threat actors and highlights the limitations of reactive, patch-based security strategies for network-edge infrastructure.

Emergency directives and mitigation guidance

CISA's Emergency Directive 26-02 mandates that all U.S. federal civilian agencies apply Ivanti's emergency patches within 48 hours and complete forensic analysis of affected appliances within 72 hours. Agencies must also run Ivanti's enhanced Integrity Checker Tool (ICT) in its most thorough mode and report results to CISA. The directive explicitly states that patching alone is insufficient — forensic verification is required because the firmware-level persistence mechanism survives software updates.

For organizations that cannot patch immediately, Ivanti has released XML configuration mitigations that disable the vulnerable SAML module and restrict management-interface access to a specified allowlist of IP addresses. These mitigations reduce the attack surface but do not address the underlying vulnerabilities and should be treated as stopgap measures. Organizations implementing mitigations rather than patches must accelerate their patching timeline and accept elevated residual risk.

Five Eyes partner agencies — the NCSC (UK), ACSC (Australia), CCCS (Canada), and NCSC-NZ (New Zealand) — have issued coordinated advisories containing detection signatures, YARA rules for web-shell identification, and network indicators of compromise. The advisories recommend monitoring for unusual process creation on VPN appliances, outbound connections to known command-and-control infrastructure, and modifications to system files in the firmware partition.

Network-level detection should focus on anomalous VPN session patterns: sessions originating from IP addresses inconsistent with the organization's normal user population, sessions with unusual duration or data-transfer volumes, and authentication events for accounts not typically associated with VPN access. SIEM correlation rules that flag these patterns against the published indicators provide the strongest detection capability short of full forensic examination.

Forensic investigation procedures

Every organization running Ivanti Connect Secure should conduct forensic analysis regardless of whether indicators of compromise have been observed. The campaign's stealth techniques mean that compromised appliances may show no anomalies through routine monitoring. Forensic analysis should examine the appliance filesystem for unauthorized modifications, compare running firmware against known-good baselines, review authentication logs for anomalous patterns, and analyze network-traffic records for exfiltration indicators.

Ivanti's enhanced ICT performs cryptographic validation of filesystem contents against vendor-signed baselines. It detects the specific persistence mechanisms used by UNC5337 and flags modifications to the firmware partition that would not appear in standard software-integrity checks. Organizations should run the ICT before and after patching to capture both pre-existing compromise and any modifications introduced during the patch-application process.

Memory forensics can reveal malware that operates entirely in volatile memory without touching the filesystem. The custom implant deployed by UNC5337 includes memory-resident components that intercept authentication traffic and exfiltrate credentials in real time. Specialized memory-acquisition tools for the Ivanti platform are available through Mandiant and CrowdStrike incident-response engagements.

If compromise is confirmed, the response must extend well beyond the VPN appliance itself. Credential rotation is necessary for every account that has authenticated through the compromised infrastructure. Active Directory should be audited for unauthorized persistence mechanisms such as golden-ticket attacks, rogue service-principal names, and modified group-policy objects. Network segmentation should be tightened to contain any secondary access the attacker may have established through lateral movement.

Architectural lessons and zero-trust implications

This campaign reinforces a structural lesson that the security community has been articulating for years: concentrating network trust in edge appliances creates catastrophic single points of failure. A compromised VPN concentrator provides the attacker with the same broad network access that the appliance grants to legitimate users. When the appliance is the perimeter, compromising it is equivalent to bypassing the perimeter entirely.

Zero-trust network architecture addresses this weakness by eliminating the assumption that any single component — including the VPN — can be unconditionally trusted. Per-application access policies, continuous authentication, device-health verification, and micro-segmentation collectively limit the blast radius of any single compromise. The transition from perimeter VPN to zero-trust is a multi-year effort, but events like this campaign accelerate organizational commitment and budget allocation.

In the near term, organizations can reduce risk by segmenting the network zones reachable through VPN connections. Placing critical assets — domain controllers, financial systems, intellectual-property repositories — behind additional authentication gates ensures that compromised VPN credentials alone are insufficient to reach the most sensitive resources. Privileged-access workstations and jump servers for administrative tasks provide further containment.

Procurement teams should incorporate vendor security track records into appliance selection decisions. The recurring pattern of critical zero-day vulnerabilities in VPN products from multiple vendors suggests systemic quality challenges in this product category. Vendor commitments to secure-by-design principles, rapid patch delivery, and transparent vulnerability disclosure should carry significant weight in procurement evaluations alongside feature comparisons and pricing.

Recommended immediate actions

Apply Ivanti emergency patches to all Connect Secure appliances within the next 48 hours. If patching is not immediately feasible, implement the XML configuration mitigations and restrict management-interface access to a strict IP allowlist. Prioritize appliances with internet-exposed management interfaces.

Run the Ivanti ICT on every appliance and engage incident-response support immediately if any anomaly is detected. Do not assume that absence of known IOCs means absence of compromise — the attackers have demonstrated the ability to operate below the detection threshold of standard monitoring tools.

Implement enhanced monitoring on all network segments reachable through Ivanti VPN infrastructure. Focus on credential-use anomalies, lateral-movement indicators, and data-exfiltration patterns. Update SIEM rules with the published IOCs from the Five Eyes advisories.

Begin planning for longer-term architectural improvements that reduce organizational dependence on VPN-appliance integrity. Evaluate zero-trust access solutions, network segmentation enhancements, and privileged-access management tools as priority investments for the current budget cycle.

What to expect

The Ivanti Connect Secure campaign is the most significant VPN-appliance exploitation event since the Fortinet FortiOS campaigns of 2024. It demonstrates that state-sponsored actors continue to invest heavily in zero-day capabilities targeting network-edge infrastructure and that the operational window between exploitation and disclosure can extend for weeks, leaving defenders in a reactive posture.

For CISOs, the immediate priority is tactical: patch, verify, and hunt. But the strategic takeaway is equally important. Every organization that relies on a VPN concentrator as its primary remote-access mechanism should be accelerating its zero-trust roadmap. The question is not whether another VPN zero-day will emerge — it is when, and whether the organization's architecture limits the damage when it does.

The EU Network and Information Security Directive 2 (NIS2) has entered active enforcement in January 2026, transitioning from compliance preparation to regulatory action. Supervisory authorities across EU member states are conducting audits, reviewing compliance documentation, and initiating enforcement proceedings against non-compliant organizations. The directive significantly expands the scope of covered entities beyond the original NIS Directive, bringing essential and important entities across 18 sectors under harmonized cybersecurity obligations. Organizations face substantial penalties—up to €10 million or 2% of global annual turnover—alongside potential personal liability for senior management. The enforcement phase demands demonstrable compliance rather than compliance planning.

Expanded scope and coverage

NIS2 dramatically expands the scope of covered entities compared to its predecessor. The directive applies to organizations across 18 sectors designated as essential or important based on their criticality to European society and economy. Essential entities include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space sectors.

Important entities span additional sectors including postal and courier services, waste management, chemical manufacturing, food production and distribution, medical device manufacturing, and digital providers including online marketplaces, search engines, and social networking platforms. The thorough coverage brings many organizations under EU cybersecurity regulation for the first time.

Size thresholds determine applicability for most sectors. Medium and large enterprises meeting either 50+ employees or €10+ million annual turnover fall within scope. Certain critical sectors have no size threshold—all organizations operating in those areas must comply regardless of size. Member state variations in sector classification require country-specific analysis for organizations operating across multiple jurisdictions.

Supply chain exposure extends NIS2's reach beyond directly regulated entities. Essential and important entities must ensure their suppliers meet appropriate cybersecurity standards. Organizations not directly subject to NIS2 may face contractual requirements from regulated customers, effectively extending compliance obligations throughout value chains.

Executive accountability requirements

NIS2 establishes unprecedented executive accountability for cybersecurity within the EU regulatory framework. Management bodies of essential and important entities must approve and oversee cybersecurity risk management measures. This requirement makes cybersecurity a board-level responsibility rather than solely an IT function concern.

Senior management must undergo cybersecurity training to fulfill oversight responsibilities effectively. The directive requires that management bodies possess sufficient knowledge to understand and evaluate cybersecurity risks. Training obligations ensure that executive oversight is informed rather than nominal.

Personal liability provisions create individual accountability for management body members. Failure to adequately oversee cybersecurity risk management can result in personal sanctions. Member states have discretion regarding specific liability measures, but the directive mandates that effective enforcement mechanisms exist.

The accountability framework requires documented evidence of management involvement. Board minutes, risk committee records, and executive briefing materials should demonstrate active engagement with cybersecurity governance. Regulators examining compliance will assess whether management oversight is substantive or superficial.

Risk management obligations

NIS2 mandates thorough cybersecurity risk management measures proportionate to organizational risk exposure. The directive specifies minimum measure categories rather than prescriptive technical controls, allowing organizations to implement appropriate solutions for their contexts. Required measure categories include policies on risk analysis and information security, incident handling, business continuity, supply chain security, network security, and vulnerability handling.

Human resources security measures must address cybersecurity throughout the employment lifecycle. Background verification, security awareness training, and access management tied to role changes protect against insider threats and human error. Organizations must demonstrate systematic approaches to personnel security rather than ad hoc practices.

Multi-factor authentication and encryption requirements apply where appropriate to protect critical systems and sensitive data. The directive stops short of mandating specific technologies but expects organizations to implement strong authentication and data protection measures aligned with current best practices.

Risk assessments must be current and thorough. Point-in-time assessments are insufficient; organizations must maintain ongoing awareness of their risk posture. Changes to systems, threats, or organizational context should trigger risk assessment updates. Documented risk management processes enable regulators to evaluate compliance during audits.

Incident reporting requirements

NIS2 establishes strict incident reporting timelines that differ significantly from previous requirements. Organizations must provide early warning within 24 hours of becoming aware of a significant incident. This initial notification need not contain complete information but must alert supervisory authorities to the situation.

Incident notification within 72 hours must include an initial assessment of the incident, including its severity and impact. This timeline aligns with GDPR breach notification requirements, though NIS2 covers a broader range of incidents beyond personal data breaches.

Final reports must be submitted within one month of incident notification. Reports must include detailed descriptions of the incident, root cause analysis, and mitigation measures applied. The reporting sequence enables authorities to coordinate responses while ensuring thorough documentation for future prevention efforts.

Significant incidents trigger reporting obligations based on impact criteria. Incidents causing operational disruption, affecting service availability to significant numbers of users, or creating material financial or reputational damage qualify as significant. Organizations must establish classification procedures enabling rapid determination of reporting obligations.

Supply chain security requirements

NIS2 requires covered entities to address supply chain security comprehensively. Organizations must assess cybersecurity risks associated with direct suppliers and service providers. The assessment should consider supplier security practices, product quality, and the criticality of supplied products or services.

Contractual requirements must be incorporated into agreements with suppliers. Security requirements, audit rights, incident notification obligations, and security-related service level agreements should be documented. Existing contracts may require amendment to meet NIS2 standards.

Ongoing supplier monitoring ensures continued compliance. Initial due diligence is insufficient; organizations must maintain awareness of supplier security posture over time. Significant supplier incidents or security posture changes should trigger reassessment of the relationship.

The supply chain provisions extend NIS2's influence beyond directly regulated entities. Suppliers to essential and important entities face contractual cybersecurity requirements even if not directly subject to the directive. This cascading effect significantly expands the population of organizations affected by NIS2.

Enforcement and penalties

NIS2 establishes substantial penalty frameworks for non-compliance. Essential entities face maximum administrative fines of €10 million or 2% of total annual worldwide turnover, whichever is higher. Important entities face maximum fines of €7 million or 1.4% of turnover. These penalty levels reflect the directive's seriousness of intent.

Supervisory authorities have thorough enforcement powers. Beyond financial penalties, authorities can issue binding instructions requiring specific remediation actions. Authorities can conduct audits, request evidence, and require independent security assessments. In serious cases, authorities can suspend certifications or authorizations necessary for business operations.

Personal sanctions for management body members add individual accountability to organizational penalties. While specific measures vary by member state, the directive requires that personal consequences exist for management failures. This provision ensures that executives cannot insulate themselves from cybersecurity compliance failures.

Enforcement activity is increasing across member states in early 2026. Supervisory authorities are conducting audits, issuing compliance notices, and in some cases initiating penalty proceedings. Organizations that deferred compliance pending enforcement are now facing regulatory attention.

60-day priority list

• Confirm organizational classification as essential or important entity across operating jurisdictions.
• Verify management body training completion and documentation.
• Assess risk management measures against NIS2 minimum requirements.
• Review incident detection and reporting capabilities against timeline requirements.
• Evaluate supply chain security practices and contract provisions.
• Brief senior management on personal liability provisions and compliance status.
• Document compliance evidence for potential supervisory authority review.
• Engage legal counsel on member state-specific requirements and enforcement risks.

Bottom line

NIS2 enforcement in January 2026 marks a significant escalation in EU cybersecurity regulation. The expanded scope brings many organizations under harmonized cybersecurity requirements for the first time. Executive accountability provisions make cybersecurity a board-level concern with personal liability implications. Organizations must demonstrate compliance rather than merely plan for it.

The penalty framework provides substantial enforcement incentive. Fines reaching 2% of global turnover create material financial exposure for non-compliance. Personal sanctions for management add individual accountability that financial penalties alone cannot provide.

Supply chain provisions extend NIS2's influence beyond directly regulated entities. Organizations throughout value chains face contractual security requirements driven by their customers' NIS2 obligations. The directive's practical reach exceeds its formal scope through these cascading requirements.

This analysis recommends that organizations verify their NIS2 classification, assess compliance status against directive requirements, and document evidence of management engagement and risk management practices. The enforcement phase demands substantive compliance demonstrated through auditable evidence rather than compliance planning documentation.