A large-scale credential abuse campaign dubbed FortiBleed has reportedly affected tens of thousands of Fortinet firewall and VPN devices worldwide. Public reporting indicates that threat actors collected and validated Fortinet-related credentials, including administrator and VPN account details associated with FortiGate and Fortinet SSL VPN services.
Threat Overview
At this stage, FortiBleed is not confirmed to be a new Fortinet zero-day or CVE-driven exploitation campaign. Available evidence suggests the activity is primarily linked to credential harvesting, brute forcing, reused passwords, legacy exposure, and potentially credentials recovered from previously compromised Fortinet configuration data.
Reported exposed data includes device URLs, usernames, passwords, email addresses, organization names, sectors, and country-level victim metadata. Depending on account privileges, attackers may be able to authenticate to management interfaces, access VPN services, modify firewall policies, export configurations, create persistence, or use the appliance as an entry point for internal reconnaissance and lateral movement.
The risk is highest for organizations that expose Fortinet management interfaces to the internet, rely on local administrator accounts, do not enforce MFA, or reuse credentials across environments.
Technical Context
FortiBleed should be treated as a credential compromise and perimeter access risk, not a traditional vulnerability event. Firmware updates remain important, but they do not invalidate stolen, cracked, reused, or previously exposed credentials.
A relevant factor is FortiOS administrator password storage. Fortinet has moved from SHA256-based password storage to PBKDF2 in newer FortiOS versions. However, upgraded devices may retain legacy SHA256-stored administrator password hashes until the relevant administrator logs in or resets their password. Organizations should ensure that all Fortinet administrator credentials are rotated after upgrading.
Affected Assets
Potentially affected assets include:
- FortiGate firewalls
- Fortinet SSL VPN services
- Internet-facing Fortinet management interfaces
- Local administrator accounts
- VPN user accounts
- Reused credentials associated with Fortinet infrastructure
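To inventory the exposed assets listed above on a specific device, here is an added example (not code from OP Innovate or Fortinet) that parses a FortiOS-style configuration excerpt and flags WAN-role interfaces that allow management protocols, administrators with no trusted-host restriction, and administrators without two-factor authentication. The configuration text is constructed for illustration; the keyword names (`allowaccess`, `role`, `trusthostN`, `two-factor`) follow FortiOS CLI syntax, and the assumption is that a real configuration backup has the same `config`/`edit`/`set`/`next`/`end` shape. Because a `show` listing omits default values, the audit treats a missing `two-factor` or `trusthost` line as "not set".

```python
import shlex

# Protocols that, when allowed on a WAN-role interface, expose management to the internet.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}

# Constructed FortiOS-style configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set trusthost1 10.0.10.0 255.255.255.0
        set two-factor fortitoken
        set accprofile "super_admin"
    next
    edit "helpdesk"
        set trusthost1 0.0.0.0 0.0.0.0
        set accprofile "prof_admin"
    next
end
"""


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}.

    A stack tracks nested 'config' tables; entries of a table are keyed by their
    'edit' name and each 'set' line becomes key -> list of tokens.
    """
    tree = {}
    stack = []  # each element: [section_name, current_entry_or_None]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens or tokens[0].startswith("#"):
            continue
        kw = tokens[0]
        if kw == "config":
            name = " ".join(tokens[1:])
            stack.append([name, None])
            tree.setdefault(name, {})
        elif kw == "edit" and stack:
            stack[-1][1] = tokens[1]
            tree[stack[-1][0]].setdefault(tokens[1], {})
        elif kw == "set" and stack and stack[-1][1] is not None:
            tree[stack[-1][0]][stack[-1][1]][tokens[1]] = tokens[2:]
        elif kw == "next" and stack:
            stack[-1][1] = None
        elif kw == "end" and stack:
            stack.pop()
    return tree


def trusthost_restricts(admin_cfg):
    """True only if at least one trusthost entry is narrower than 'any host'."""
    hosts = [v for k, v in admin_cfg.items() if k.startswith(("trusthost", "ip6-trusthost"))]
    return any(v and v[0] not in ("0.0.0.0", "::/0") for v in hosts)


def audit_config(tree):
    """Return (kind, name, finding) tuples for the exposures this advisory cares about."""
    findings = []
    for name, cfg in tree.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(cfg.get("allowaccess", []))
        if cfg.get("role") == ["wan"] and exposed:
            findings.append(("interface", name,
                             "management protocols reachable on WAN-role interface: "
                             + ", ".join(sorted(exposed))))
    for name, cfg in tree.get("system admin", {}).items():
        if not trusthost_restricts(cfg):
            findings.append(("admin", name, "no trusted-host restriction"))
        # Absent 'two-factor' means the FortiOS default, which is disable.
        if cfg.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("admin", name, "two-factor authentication not enabled"))
    return findings


if __name__ == "__main__":
    for kind, name, finding in audit_config(parse_fortios_config(SAMPLE_CONFIG)):
        print(f"[{kind}] {name}: {finding}")
```

Run against a real backup, the output is a worklist: every `admin` finding is an account whose password should be rotated and locked to trusted hosts, and every `interface` finding is a place where HTTPS/SSH should be removed from `allowaccess` on the WAN side.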
Recommended Actions
Organizations using Fortinet appliances should take the following actions immediately:
- Rotate all Fortinet credentials
Reset all local administrator, VPN, service, and break-glass account passwords.
- Enforce MFA
Require MFA for administrative access and VPN authentication.
- Restrict management exposure
Remove Fortinet management interfaces from the public internet. Limit access to trusted IPs, internal networks, or dedicated management VPNs.
- Review VPN activity
Hunt for successful logins from unusual geographies, hosting providers, VPN services, unknown ASNs, or abnormal login times.
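The hunt described in the last step, as an added example that is not part of the original advisory: the script below parses successful SSL VPN logins from key=value event records and raises an alert when a login comes from a country outside the organization's expected set, from hosting or commercial VPN address space, outside business hours, or when the same user appears from two countries within a short window. The log lines are constructed and only loosely modelled on FortiGate event logs (the field names `user`, `remip`, `action`, `subtype` are assumptions), and the small prefix table stands in for the GeoIP/ASN feed a real deployment would query.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed log lines in key=value style; field names are assumptions, not a
# verified FortiGate schema.
SAMPLE_LOGS = """\
date=2024-05-06 time=09:12:03 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=198.51.100.7 reason="login successfully"
date=2024-05-06 time=09:40:11 type="event" subtype="vpn" action="tunnel-up" user="akumar" remip=203.0.113.45
date=2024-05-06 time=03:05:50 type="event" subtype="vpn" action="tunnel-up" user="svc-backup" remip=192.0.2.200
date=2024-05-06 time=10:02:17 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=192.0.2.33
date=2024-05-06 time=10:30:00 type="event" subtype="vpn" action="tunnel-down" user="jsmith" remip=192.0.2.33
"""

# Constructed enrichment table standing in for a GeoIP/ASN lookup:
# (network, country, address-space kind).
IP_CONTEXT = [
    (ipaddress.ip_network("198.51.100.0/24"), "US", "isp"),
    (ipaddress.ip_network("203.0.113.0/24"), "US", "hosting"),
    (ipaddress.ip_network("192.0.2.0/25"), "NL", "isp"),
    (ipaddress.ip_network("192.0.2.128/25"), "US", "vpn"),
]
EXPECTED_COUNTRIES = {"US"}      # where this (hypothetical) workforce normally logs in from
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 device-local time
TRAVEL_WINDOW = timedelta(hours=2)

# key=value pairs, with values either double-quoted or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value record into a dict, stripping quotes from values."""
    rec = {}
    for m in KV.finditer(line):
        rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return rec


def enrich(ip):
    """Longest-match-free lookup against the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, country, kind in IP_CONTEXT:
        if addr in net:
            return country, kind
    return "??", "unknown"


def hunt(log_text):
    """Return (user, ip, reason) alerts for suspicious successful VPN logins."""
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of the previous login
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "tunnel-up":
            continue  # only successful tunnel establishment counts as a login here
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        user, ip = rec["user"], rec["remip"]
        country, kind = enrich(ip)
        if country not in EXPECTED_COUNTRIES:
            alerts.append((user, ip, f"login from unexpected country {country}"))
        if kind in ("hosting", "vpn"):
            alerts.append((user, ip, f"login from {kind} address space"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((user, ip, f"login outside business hours ({ts:%H:%M})"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] < TRAVEL_WINDOW:
            alerts.append((user, ip, f"country changed {prev[1]}->{country} within {TRAVEL_WINDOW}"))
        last_seen[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for user, ip, reason in hunt(SAMPLE_LOGS):
        print(f"{user:<12} {ip:<16} {reason}")
```

Each rule maps to one of the indicators in the step above (geography, hosting/VPN provider, abnormal time); the country-change rule is the usual "impossible travel" heuristic, which is why a user's previous login is remembered rather than each record being judged on its own. Tune `EXPECTED_COUNTRIES` and `BUSINESS_HOURS` to the organization before relying on the output.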
Stay Safe. Stay Secure
OP Innovate Research Team