Security researchers have identified a massive credential leak targeting Fortinet FortiGate firewalls. Known as FortiBleed, this active campaign exposes the administrator and Virtual Private Network (VPN) passwords of roughly 75,000 devices worldwide.
Threat actors are actively using these stolen credentials to bypass corporate security perimeters. Organizations must act immediately to detect internal intrusions and secure their network access.
Quick Facts: The FortiBleed Campaign
|
What Is The FortiBleed Campaign?
Security researchers have uncovered a massive and active threat campaign. This operation has exposed the valid admin passwords and Virtual Private Network (VPN) credentials for approximately 75,000 Fortinet FortiGate firewalls worldwide. This leak affects roughly 50% of all internet-facing Fortinet firewall devices. This scale makes it a critical threat for corporate networks.
How Did Attackers Steal the Fortinet Passwords?
According to Fortinet, no new vulnerability exists in their products. The attackers harvested verified credentials at an unprecedented volume using four primary techniques instead of exploiting a software flaw.
- Brute-force attacks: Attackers use automated scripts to rapidly guess thousands of common passwords until one works.
- Credential recycling: Threat actors take lists of passwords stolen from older breaches and test them against Fortinet systems.
- Infostealer malware: Malicious software silently copies saved passwords directly from employee devices.
- Offline hash-cracking: Attackers steal encrypted password files and use powerful computer networks to break the encryption without triggering corporate security alarms.
How Are Attackers Exploiting Fortinet FortiGate Firewalls?
Threat actors are actively using these stolen credentials to log in remotely. Once inside, attackers are changing security settings and creating backdoor admin accounts. They are also pivoting directly into internal Active Directory environments (the central databases controlling network permissions). This access allows them to move laterally across networks. Password complexity alone has provided no defense against this campaign.
Why Is The FortiBleed Compromise Unique?
We must be absolutely clear about the nature of this threat. This incident presents several critical realities.
The attacker may already be inside. These are not theoretical passwords. They are verified and working admin credentials. The breach may have already happened. Your immediate priority is detection and eviction instead of just prevention.
There is no patch. This cannot be solved by simply issuing an update ticket. It is a credential and process problem. The solution relies on people and operations rather than just software patching.
Password complexity did not protect you. Long and complex passwords of 25 or more characters appeared in the dataset in plaintext (readable format). They were stolen directly by infostealer malware rather than being cracked. This breaks a core assumption that many security programs rely on. A highly complex password stolen by an infostealer offers the exact same protection as a weak one.
What Steps Should Organizations Take To Secure Fortinet Devices?
Because your infrastructure may be exposed, we strongly recommend taking the following actions within the next 24 hours.
- Rotate credentials immediately: Change all VPN and administrative passwords on every FortiGate device in your environment.
- Enforce MFA: Ensure Multi-Factor Authentication (requiring a secondary proof of identity) is enabled on all Fortinet VPN and management interfaces.
- Disable public access: Disable all internet-facing management interfaces for your firewalls.
- Upgrade hashing: Upgrade to the latest FortiOS firmware and have all administrators log back in. This action triggers an upgrade in the credential storage from vulnerable SHA-256 hashes to the stronger PBKDF2 algorithm (a much more secure method for scrambling passwords).
- Automate log analysis: Deploy Lumu Defender to automatically ingest your gateway logs and network metadata. The platform continuously analyzes this data to detect unfamiliar IP addresses, unexpected successful logins, or anomalous authentication events in real-time.
- Monitor the network and attack surface: Implement continuous monitoring on your internal network. Look for any anomalous behavior. Deploy an external attack surface management tool like Lumu Discover to automatically map your internet-facing assets. Lumu Discover provides real-time insight into your external exposure, allowing you to identify compromised credentials, locate unpatched systems, and detect exposed management interfaces before threat actors can exploit them.
- Audit active directory and lateral movement: Review your internal Active Directory for any unauthorized users, new service accounts, or privilege escalation events. Lumu Defender monitors internal network traffic and detects the lateral movement that occurs when attackers use these compromised accounts.
Please treat this incident with the highest priority. Organizations must ensure that any persistent threats or hidden active implants are completely removed before simply resetting credentials. Lock down your access points, but prioritize full network visibility to ensure the attacker is truly gone.