LIVE THREATS
CRITICAL: CVE-2026-1337 — Windows CLFS Driver Zero-Day Actively Exploited in the Wild · HIGH: CVE-2026-0842 — Apache HTTP Server Path Traversal Vulnerability — Patch Available · CRITICAL: CVE-2026-2201 — Ivanti Connect Secure RCE — Emergency Patch Released · HIGH: CVE-2026-3019 — Chrome V8 Engine Type Confusion — Update to 126.0.6478.127 · CRITICAL: CVE-2026-1188 — Fortinet FortiOS SSL-VPN Buffer Overflow — PoC Circulating · HIGH: CVE-2026-4455 — VMware ESXi Heap Overflow — CVSS 9.8 — Patch Immediately
Ransomware Groups Are Scanning for Unpatched Fortinet Devices Within Hours of Disclosure
Threat Intel

Journal
Jun 5, 2026

Our OSINT scanning infrastructure detected mass exploitation attempts against CVE-2026-1188 (Fortinet FortiOS SSL-VPN buffer overflow) within 4 hours of the public PoC being posted to GitHub. This represents a significant acceleration in threat actor response times.

Timeline Analysis

CVE-2026-1188 was disclosed on June 3rd at 14:00 UTC. A PoC was posted to GitHub at 16:22 UTC. Our honeypot network detected the first exploitation attempt at 20:47 UTC — just 4 hours and 25 minutes after PoC publication.

TREND: The average time-to-exploitation for critical network device CVEs has dropped from 72 hours in 2024 to under 6 hours in 2026. Patch windows are effectively gone for internet-facing infrastructure.

Recommendations

If you cannot patch immediately, disable SSL-VPN access and use IPsec VPN as an alternative. Enable FortiGuard IPS signatures for CVE-2026-1188. Review SSL-VPN access logs for anomalous authentication patterns from the past 30 days.
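One way to carry out the 30-day log review, as an added example that is not part of the original article. It assumes the SSL-VPN event log has been exported as key=value lines; the field names (`subtype`, `action`, `user`, `remip`), the action values, and the two heuristics used for "anomalous" are assumptions to adapt to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IPs). Field names and action values
# are assumptions about a key=value log export; match them to your own logs.
SAMPLE_LOG = """\
date=2026-04-01 time=03:10:00 subtype="vpn" action="ssl-login-fail" user="a" remip=203.0.113.99
date=2026-04-01 time=03:10:05 subtype="vpn" action="ssl-login-fail" user="b" remip=203.0.113.99
date=2026-04-01 time=03:10:09 subtype="vpn" action="ssl-login-fail" user="c" remip=203.0.113.99
date=2026-06-03 time=09:01:12 subtype="vpn" action="tunnel-up" user="mlee" remip=192.0.2.10
date=2026-06-03 time=21:30:02 subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.7
date=2026-06-03 time=21:30:03 subtype="vpn" action="ssl-login-fail" user="root" remip=203.0.113.7
date=2026-06-03 time=21:30:05 subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=203.0.113.7
date=2026-06-04 time=02:15:40 subtype="vpn" action="ssl-login-fail" user="jsmith" remip=198.51.100.23
date=2026-06-04 time=02:15:44 subtype="vpn" action="ssl-login-fail" user="jsmith" remip=198.51.100.23
date=2026-06-04 time=02:15:49 subtype="vpn" action="ssl-login-fail" user="jsmith" remip=198.51.100.23
date=2026-06-04 time=02:16:30 subtype="vpn" action="tunnel-up" user="jsmith" remip=198.51.100.23
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def review(log_text, now, window_days=30, threshold=3):
    """Return {source IP: sorted reasons} for VPN events inside the window."""
    cutoff = now - timedelta(days=window_days)
    events = []
    for line in log_text.splitlines():
        rec = {k: v.strip('"') for k, v in KV.findall(line)}
        try:
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            ip = rec["remip"]
        except (KeyError, ValueError):
            continue  # skip lines without a parseable timestamp or source IP
        if rec.get("subtype") == "vpn" and cutoff <= ts <= now:
            events.append((ts, ip, rec.get("action", ""), rec.get("user", "")))
    failed = defaultdict(list)   # ip -> usernames that failed, in time order
    flagged = defaultdict(set)   # ip -> reasons it deserves a closer look
    for ts, ip, action, user in sorted(events):
        if action == "ssl-login-fail":
            failed[ip].append(user)
        elif action == "tunnel-up" and len(failed[ip]) >= threshold:
            flagged[ip].add("login succeeded after repeated failures")
    for ip, users in failed.items():
        if len(set(users)) >= threshold:
            flagged[ip].add("failures spread across many usernames")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}

if __name__ == "__main__":
    print(review(SAMPLE_LOG, datetime(2026, 6, 5)))
```

Source IPs it returns are leads for manual review, not confirmed compromise; tune `threshold` to the normal failure rate of your user base.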

Vulnerability Details

CVE ID: CVE-2026-1188

CVSS Score: 9.2 / 10.0 — CRITICAL

Affected Products:

  • FortiOS 7.4.x
  • FortiOS 7.2.x
  • FortiProxy 7.4.x
