
Pakistan’s National Computer Emergency Response Team (National CERT) has issued a critical cybersecurity advisory, warning government departments, financial institutions, telecommunications operators, energy companies and other critical infrastructure organizations to immediately strengthen the security of their Fortinet firewall and virtual private network (VPN) systems following a massive global cyber intrusion campaign.
The National CERT cybersecurity advisory comes after cybersecurity researchers uncovered a widespread compromise involving nearly 74,000 internet-facing Fortinet FortiGate firewall devices across 194 countries, raising concerns that attackers may have gained unauthorized access to sensitive enterprise and government networks.
According to the advisory, approximately 73,932 Fortinet FortiGate firewall instances were found to have been compromised during the campaign, exposing administrative credentials and significantly increasing the risk of unauthorized access to organizations around the world.
National CERT Warns of Widespread Fortinet Cyber Threat
National CERT warned that the campaign presents an elevated cyber threat to both Pakistan’s public and private sectors, particularly organizations that operate internet-exposed Fortinet FortiGate firewalls or SSL VPN gateways.
The advisory said the attacks appear to have been carried out by organized cybercriminal groups conducting coordinated operations designed to harvest credentials, crack VPN passwords, launch brute-force attacks and move laterally across internal enterprise networks after gaining initial access.
According to National CERT, the attackers exploited publicly accessible FortiGate management interfaces and legacy credential storage mechanisms to obtain administrator-level access before establishing persistent access inside victim organizations.
The advisory emphasized that the scale and sophistication of the campaign require immediate action from organizations using Fortinet infrastructure.
“The scale, sophistication and active exploitation observed require organizations utilizing Fortinet FortiGate infrastructure to immediately assess their exposure, implement remediation measures and conduct threat-hunting activities,” National CERT said.
Officials warned that organizations failing to investigate and secure potentially compromised systems could face serious cybersecurity consequences.
Potential Risks for Government and Businesses
Potential risks include unauthorized administrative access, compromise of VPN gateways, theft of sensitive usernames and passwords, breaches of Active Directory environments, installation of persistent backdoors, theft of confidential data and manipulation of firewall security configurations.
National CERT also cautioned that successful attacks could expose highly sensitive government and corporate information, interrupt critical public services and create supply-chain security risks through unauthorized access to connected third-party systems.
The advisory identified a broad range of sectors facing heightened risk from the ongoing cyber campaign.
These include government ministries and agencies, telecommunications companies, banks and other financial institutions, information technology firms, healthcare organizations, educational institutions, manufacturing companies, industrial automation operators, logistics providers and operators of other critical national infrastructure.
Warning Signs Organizations Should Investigate
To help organizations determine whether they may already have been compromised, National CERT outlined several warning signs that security teams should investigate immediately.
These include administrator logins originating from unusual countries or geographic locations, system access outside normal business hours, newly created administrator accounts, suspicious VPN authentication attempts, unexpected changes to firewall rules, unexplained privilege escalation, abnormal outbound network traffic and evidence of lateral movement within Active Directory environments.
The advisory urged organizations to treat any such indicators as potential evidence of compromise requiring immediate investigation rather than isolated security incidents.
National CERT Issues Immediate Security Recommendations
As part of its emergency guidance, National CERT directed organizations to remove FortiGate management interfaces from public internet exposure wherever possible.
It also instructed organizations to upgrade immediately to the latest supported FortiOS software versions to address known vulnerabilities and improve overall system security.
In addition, all administrator passwords should be reset, while multi-factor authentication (MFA) should be enabled for both administrative accounts and VPN users to strengthen identity protection.
National CERT further recommended restricting management access to trusted internal networks, conducting comprehensive reviews of firewall policies and administrator accounts, enabling enhanced security logging and continuously monitoring systems for suspicious or unauthorized activity.
Where indicators of compromise are detected, organizations have been advised to assume that attackers may already have established access to their networks.
In such cases, National CERT recommended rotating all administrative and service account credentials, thoroughly reviewing firewall and VPN logs, auditing Active Directory environments for evidence of lateral movement and rebuilding affected firewall devices if compromise cannot be confidently ruled out.
Critical Actions for Organizations
To assist organizations in prioritizing their response, the advisory classified exposure reduction, credential rotation, MFA implementation and threat-hunting activities as critical actions requiring immediate attention.
Meanwhile, configuration audits, Active Directory reviews, incident reporting and continuous security monitoring were categorized as high-priority measures that should be completed as part of an organization’s broader incident response process.
National CERT also urged organizations to report any suspected firewall compromise, unauthorized administrator access, VPN abuse or other malicious cyber activity through its official incident reporting channels without delay.
The advisory stressed that the current campaign should not be viewed as a routine software vulnerability requiring only standard patch management. Instead, organizations should assume the possibility of active compromise and conduct comprehensive investigations to determine whether attackers have already established a presence within their networks.
National CERT Calls for Immediate Action
The latest National CERT cybersecurity advisory highlights the growing cyber risks facing critical infrastructure worldwide and underscores the importance of proactive cybersecurity measures. With thousands of Fortinet devices compromised globally, Pakistani organizations are being urged to act immediately to secure their networks, protect sensitive data and minimize the risk of disruption to essential public and private sector services.