CISA is urging organizations to review and harden Fortinet firewall and VPN environments after researchers reported that tens of thousands of Fortinet credentials were exposed in a large-scale compromise campaign.
The incident, referred to by some researchers as “FortiBleed,” appears to have affected organizations across government and private industry. Researchers say the exposed data includes more than 86,600 confirmed credentials from organizations in 194 countries.
According to SOCRadar researchers, the credential database was allegedly built through automated scanning, stolen configuration files, and offline password cracking using GPU resources. That combination makes the leak especially concerning because perimeter devices such as firewalls and VPN gateways often provide direct access into internal networks.
If attackers obtain valid credentials for these systems, they may be able to bypass normal security controls, access sensitive environments, create new accounts, alter configurations, or maintain persistence inside a network.
Security researcher Volodymyr “Bob” Diachenko first reported an exposed server containing the leaked credentials. Other researchers later reviewed the data and helped confirm the scale of the exposure.
Researchers have also warned of a possible geopolitical angle. A Russian-speaking threat actor has been linked to the activity, and some of the affected organizations reportedly have connections to NATO, including a Turkish defense contractor.
Fortinet has said it is working with government authorities to investigate the leak and has started notifying affected customers.
Recommended Actions
Organizations using Fortinet products should treat this as an urgent security review. CISA and Fortinet recommend:
- Terminate all active administrative and VPN sessions.
- Reset passwords for administrator and VPN accounts.
- Upgrade FortiGate appliances to the latest supported versions.
- Enable multifactor authentication for all administrator and VPN users.
- Review logs for unusual administrator activity.
- Check for unknown accounts, unexpected configuration changes, or suspicious VPN access.
- Confirm that exposed management interfaces are not publicly accessible unless absolutely required.
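The two log-review items above (unusual administrator activity; unknown accounts, unexpected configuration changes, suspicious VPN access) are the ones most easily turned into a repeatable check. The script below is an added example and is not code from CISA, Fortinet or the researchers cited; it parses FortiOS-style key=value event log lines and flags admin logins from outside an assumed management subnet, logins by accounts that did not exist before the incident, creation of new admin objects, configuration changes by unknown admins, and a VPN user connecting from two different addresses within a short window. The log lines, the management subnet (10.20.0.0/24), the pre-incident admin list and the one-hour window are all constructed assumptions; only the field names follow FortiOS conventions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines that approximate the FortiOS key=value event-log
# format. Field names (type, subtype, action, status, user, srcip, cfgpath,
# cfgobj, remip) follow FortiOS conventions; every value is made up.
SAMPLE_LOGS = """\
date=2024-03-01 time=09:12:04 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.20.0.15 action="login" status="success" profile="super_admin"
date=2024-03-01 time=09:12:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=10.20.0.15 action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2024-03-01 time=23:48:11 type="event" subtype="system" logdesc="Admin login successful" user="svc_backup" srcip=198.51.100.77 action="login" status="success" profile="super_admin"
date=2024-03-01 time=23:49:02 type="event" subtype="system" logdesc="Object attribute configured" user="svc_backup" srcip=198.51.100.77 action="Edit" cfgpath="system.interface" cfgobj="wan1" msg="Edit system.interface wan1"
date=2024-03-02 time=03:05:19 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jdoe" remip=203.0.113.9 tunneltype="ssl-tunnel" action="tunnel-up" reason="login successfully"
date=2024-03-02 time=03:06:31 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="jdoe" remip=192.0.2.44 tunneltype="ssl-tunnel" action="tunnel-up" reason="login successfully"
"""

# Assumed baseline: the subnet admins are expected to log in from, and the
# admin accounts that existed before the incident.
ADMIN_NETS = [ip_network("10.20.0.0/24")]
KNOWN_ADMINS = {"admin"}
VPN_IP_SWITCH_WINDOW_SECONDS = 3600  # assumed threshold for the IP-switch check

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one FortiOS-style key=value line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def analyze(lines, admin_nets=ADMIN_NETS, known_admins=KNOWN_ADMINS):
    """Return (kind, subject, detail, timestamp) tuples for events worth a human look."""
    findings = []
    last_vpn = {}  # user -> (timestamp, remote ip) of that user's previous tunnel-up
    for raw in lines:
        ev = parse_line(raw)
        if "date" not in ev or "time" not in ev:
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        subtype, action, user = ev.get("subtype"), ev.get("action"), ev.get("user", "?")

        if subtype == "system" and action == "login" and ev.get("status") == "success":
            src_txt = ev.get("srcip", "0.0.0.0")
            if not any(ip_address(src_txt) in net for net in admin_nets):
                findings.append(("admin_login_outside_mgmt_net", user, src_txt, ts))
            if user not in known_admins:
                findings.append(("unknown_admin_login", user, src_txt, ts))
        elif subtype == "system" and ev.get("cfgpath") == "system.admin" and action == "Add":
            # a new administrator object was created; who did it matters as much as the name
            findings.append(("admin_account_created", ev.get("cfgobj", "?"), f"by {user}", ts))
        elif subtype == "system" and ev.get("cfgpath") and user not in known_admins:
            findings.append(("config_change_by_unknown_admin", user, ev["cfgpath"], ts))
        elif subtype == "vpn" and action == "tunnel-up":
            ip = ev.get("remip", "?")
            prev = last_vpn.get(user)
            if prev and prev[1] != ip and (ts - prev[0]).total_seconds() < VPN_IP_SWITCH_WINDOW_SECONDS:
                findings.append(("vpn_user_from_two_ips_within_window", user, f"{prev[1]} -> {ip}", ts))
            last_vpn[user] = (ts, ip)
    return findings


def run_sample():
    """Analyze the constructed sample log and return its findings."""
    return analyze(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for kind, subject, detail, ts in run_sample():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:36} {subject:12} {detail}")
```

On the constructed sample the script reports the creation of `svc_backup`, that account's later login from an address outside the management subnet, its configuration change, and the VPN user `jdoe` arriving from two addresses a minute apart. In practice the lines would come from the appliance's syslog or FortiAnalyzer export rather than an embedded string, and the subnet, admin list and time window would be taken from the organization's own baseline; the value of the check is in comparing current activity against a baseline captured before the credentials were exposed.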
This incident is a reminder that firewalls and VPN appliances are high-value targets. These systems sit at the edge of the network, and when their credentials are compromised, attackers may not need to exploit a new vulnerability to get in. Strong passwords, MFA, timely patching, restricted management access, and continuous log monitoring remain essential controls.