Pakistan’s National Computer Emergency Response Team or PKCERT has sounded the alarm over a sweeping global cyberattack, and the warning is unusually urgent. In a critical advisory, PKCERT told government institutions, banks, telecom operators, and energy companies to secure their Fortinet firewall and VPN systems at once. The trigger is a massive intrusion campaign that compromised nearly 74,000 internet-facing devices worldwide.
Security researchers found evidence of widespread compromise affecting roughly 73,932 Fortinet FortiGate firewall instances across 194 countries. That compromise exposed administrative credentials and opened the door to enterprise and critical infrastructure networks. So the threat reaches far beyond any single country or sector.
PKCERT was blunt about how serious this is. As the advisory put it:
The scale, sophistication and active exploitation observed require organizations utilizing Fortinet FortiGate infrastructure to immediately assess their exposure, implement remediation measures and conduct threat-hunting activities.
Crucially, the attack needs no user interaction and no authentication on exposed interfaces, which makes it especially dangerous.
Attackers exploited publicly accessible FortiGate management interfaces and legacy credential storage to seize administrative access. From there, they moved laterally, cracked VPN credentials, and planted persistent backdoors. So a single exposed device can become a doorway into an entire network.
To help organizations respond, the advisory laid out clear priorities. It classified the most urgent steps as follows:
| Action Type | Specific Steps | Priority |
|---|---|---|
| Exposure Reduction | Remove public management interface access | CRITICAL |
| Credential Rotation | Reset all administrator credentials | CRITICAL |
| MFA Enforcement | Enable MFA across administrative systems | CRITICAL |
| Threat Hunting | Review logs for unauthorized access | CRITICAL |
| Configuration Audit | Validate firewall and VPN settings | HIGH |
| Active Directory Review | Investigate lateral movement indicators | HIGH |
| Incident Reporting | Escalate confirmed compromises | HIGH |
| Continuous Monitoring | Enable enhanced detection controls | HIGH |
The PKCERT said organizations should treat this as a potential compromise rather than a routine patch, since credential theft and post-compromise activity have already been observed. Any suspected breach should be reported to PKCERT through its portal at pkcert.gov.pk or by email. For Pakistan’s banks, telecoms, and government bodies, the message is simple, since delay now could mean a breach later.
