As of February 3, 2026, there are confirmed reports of a critical zero-day vulnerability in the SSL VPN component of Fortinet FortiGate devices. The flaw, tracked as CVE-2026-21840, lets an unauthenticated remote attacker take full control of the appliance, and from there the business network behind it, without a username or password.
The Evidence
The vulnerability carries a CVSS base score of 9.8, which places it in the Critical band. According to Fortinet Security Advisory FG-IR-26-040, the bug is a heap-based buffer overflow in the SSL VPN login handling. Researchers at Mandiant reported that advanced threat groups were already exploiting it in the wild against government systems, and CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on February 4, 2026. An attacker triggers the flaw with a single crafted HTTP request to the SSL VPN login page; no account on the device and no action by any user inside the company is required, which is exactly what a 9.8 score implies (reachable over the network, low complexity, no privileges, no user interaction). Independent testing by CrowdStrike confirms that the exploit works against default configurations.
Who Should Be Concerned
Any organization running FortiOS 7.2.0 through 7.2.7 or 7.4.0 through 7.4.2 is exposed and must act immediately. Healthcare providers and financial firms face the highest risk, because the personal and financial data they hold is what these attackers are after, but the exposure itself is not sector-specific: every FortiGate with an internet-facing SSL VPN portal on an affected version is a target. Chief Information Security Officers and IT managers should lead the response, since the VPN is the front door to the network. Businesses of every size should check the FortiOS version on each FortiGate today and confirm whether its SSL VPN portal is reachable from the internet.
Historical Context
This is the third major flaw found in VPN edge devices in the last twelve months, and it follows a familiar pattern: attackers target the network perimeter because a compromised edge device sits in front of, and is trusted by, the controls that protect the hosts behind it. Security researchers note that attacks targeting firewalls have increased by 200% since 2024. Many threat groups now concentrate on these “edge” devices because they offer a direct path to a company’s internal file shares and email.
Detailed Impact Analysis
Shodan data cited in current reporting puts the number of FortiGate devices exposed to the internet at over 60,000. Keep in mind that an exposure count shows only that a device is reachable, not its patch level, so treat that figure as the population at risk rather than a confirmed count of unpatched systems. An attacker who exploits the flaw gains the appliance’s own privileges, equivalent to a network administrator, and can read every file on the system, including the configuration and any credentials stored in it. Incident reports show attackers using that access to harvest login credentials and deploy ransomware, so a single successful intrusion can mean the total loss of customer records and weeks of business downtime. Based on current evidence, the groups exploiting this bug are moving fast to take data before organizations have a chance to close the hole.
Immediate Actions Required
Update your FortiGate firmware to version 7.2.8 or version 7.4.3 to close this gap; IT teams should complete the update within 24 hours. If you cannot patch right away, disable the SSL VPN feature or restrict it to trusted source IP addresses only: the flaw is triggered through the login page, so removing or restricting access to that page removes the attack surface for untrusted sources. Then review the device logs for the last week, looking for SSL VPN and administrator logins from unexpected countries or networks, administrator accounts you did not create, and configuration changes you did not make, because patching does not evict an attacker who is already inside. Once the patch is installed, reset all administrator passwords and any other credentials stored on the device (local VPN users, LDAP or RADIUS bind accounts), since an attacker with full control of the appliance may have read them. Finally, confirm the running version with ‘get system status’ and verify that your FortiGuard security services are running correctly with ‘diagnose sys fortiguard-service status’.
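As an added example (not from the Fortinet advisory or from this page's author), the following Python triages a FortiGate inventory the way the steps above describe: it parses the version string that ‘get system status’ prints, classifies it against the affected and fixed versions listed in this post, and scans FortiGate key=value event logs for successful SSL VPN tunnels from addresses outside an allowlist of expected networks. The allowlist stands in for the “strange countries” check, since no GeoIP database is assumed. The device names, version lines and log lines are constructed for illustration and are not real telemetry; the log field names (subtype, action, remip, user) follow FortiGate's standard event-log format.

```python
"""Triage helpers for the FortiGate SSL VPN advisory above (added example).

Check 1: classify a FortiOS version string (as printed by `get system status`)
against the affected and fixed versions the advisory lists.
Check 2: flag SSL VPN tunnel-up events in FortiGate key=value logs whose
remote source lies outside an allowlist of expected networks.
"""
import ipaddress
import re
import shlex

# Affected ranges and fixed releases exactly as stated in the advisory:
# branch -> (first affected, last affected, first fixed)
AFFECTED = {
    (7, 2): ((7, 2, 0), (7, 2, 7), (7, 2, 8)),
    (7, 4): ((7, 4, 0), (7, 4, 2), (7, 4, 3)),
}

VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_line):
    """Return (major, minor, patch) from the 'Version:' line of `get system status`,
    e.g. 'Version: FortiGate-100F v7.2.5,build1517,230717 (GA.F)' -> (7, 2, 5)."""
    m = VERSION_RE.search(status_line)
    if not m:
        raise ValueError(f"no FortiOS version found in {status_line!r}")
    return tuple(int(g) for g in m.groups())


def assess(version):
    """Classify a parsed version: ('affected', fixed_version), ('fixed', None),
    or ('not-listed', None) for branches the advisory does not mention."""
    branch = version[:2]
    if branch not in AFFECTED:
        return ("not-listed", None)
    first, last, fixed = AFFECTED[branch]
    if first <= version <= last:
        return ("affected", fixed)
    return ("fixed", None)


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line (values may be double-quoted)."""
    fields = {}
    for token in shlex.split(line):  # shlex removes the quoting for us
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def suspicious_vpn_logins(lines, allowed_networks):
    """Return (user, remote_ip, date, time) for every successful SSL VPN tunnel
    whose remote address falls outside allowed_networks (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") != "vpn" or f.get("action") != "tunnel-up":
            continue
        src = ipaddress.ip_address(f["remip"])
        if not any(src in net for net in nets):
            hits.append((f.get("user"), f["remip"], f.get("date"), f.get("time")))
    return hits


def triage_inventory(status_by_device):
    """Map device name -> (verdict, fixed_version) for a whole inventory."""
    return {name: assess(parse_version(line)) for name, line in status_by_device.items()}


# Constructed sample data (not real devices or logs); TEST-NET addresses only.
SAMPLE_STATUS = {
    "fgt-branch": "Version: FortiGate-60F v7.2.5,build1517,230717 (GA.F)",
    "fgt-hq": "Version: FortiGate-200F v7.4.3,build2573,240201 (GA.F)",
    "fgt-lab": "Version: FortiGate-40F v7.0.12,build0523,230817 (GA.F)",
}
SAMPLE_LOGS = [
    'date=2026-02-03 time=02:14:07 devname="fgt-branch" logid="0101039947" '
    'type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" '
    'remip=203.0.113.45 user="jsmith" group="vpn-users" msg="SSL tunnel established"',
    'date=2026-02-03 time=08:02:11 devname="fgt-branch" logid="0101039947" '
    'type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" '
    'remip=198.51.100.20 user="amartin" group="vpn-users" msg="SSL tunnel established"',
    'date=2026-02-03 time=08:05:40 devname="fgt-branch" logid="0101039426" '
    'type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" '
    'action="ssl-login-fail" remip=203.0.113.45 user="admin" reason="sslvpn_login_unknown_user"',
]

if __name__ == "__main__":
    for device, (verdict, fixed) in triage_inventory(SAMPLE_STATUS).items():
        target = f" -> upgrade to {'.'.join(map(str, fixed))}" if fixed else ""
        print(f"{device}: {verdict}{target}")
    # 198.51.100.0/24 plays the role of the office egress range; anything else gets reviewed.
    for hit in suspicious_vpn_logins(SAMPLE_LOGS, ["198.51.100.0/24"]):
        print("review SSL VPN login:", hit)
```

The version check deliberately reports branches the advisory does not mention as ‘not-listed’ rather than ‘fixed’, so a 7.0.x device is surfaced for a manual look instead of being silently cleared. The log scan only flags successful tunnels; failed logins from the same source (the third sample line) are still worth correlating by hand, because a burst of failures followed by a success is the pattern you would expect from credential reuse after a compromise.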
Additional Resources
For complete technical details and the full list of fixed versions, review Fortinet Security Advisory FG-IR-26-040. CISA’s website has further guidance on protecting edge devices.
Get Expert Help
If your organization needs expert help with fixing this bug or checking for signs of a hack, DefendMyBusiness provides the tools you need. Our team specializes in rapid risk assessment and helping businesses build a strong defense against new threats. Schedule a free security consultation now to get expert guidance within 24 hours.