A massive credential-compromise campaign dubbed “FortiBleed” has been discovered, exposing tens of thousands of Fortinet FortiGate firewalls worldwide. Security researchers warn that attackers have persistent access to affected enterprise environments, potentially enabling them to pivot into internal networks, alter security settings, and create backdoor accounts.
The campaign was first flagged by security researcher Volodymyr Diachenko, who posted on LinkedIn about finding an attacker-controlled list of potentially working FortiGate passwords collected through various means. Further details emerged from SOCRadar, which independently discovered an operational server belonging to an unnamed threat actor. This server contained a list of stolen FortiGate passwords, tools, automation infrastructure, a victim list, and some telling information about who could be behind the attack.
“Attribution is ongoing, but the operational fingerprints are clear,” SOCRadar researchers said, adding that the tooling and targeting choices are consistent with Russian-speaking threat actors. According to independent analyses by SOCRadar, Hudson Rock, and security researcher Kevin Beaumont, the threat actors systematically collected configuration files from internet-facing Fortinet FortiGate firewalls and used them to recover working administrator credentials. The initial access vector is presently unknown, but it is suspected to involve exploitation of known vulnerabilities in Fortinet appliances over time.
CEO of watchTowr, Benjamin Harris, noted that the campaign aligns with recent trends. “The uncomfortable reality is that modern exploitation isn’t always about immediate impact. It’s about harvesting data that retains value long after the underlying vulnerability has been patched.” These credentials were likely accumulated over time by exploiting many vulnerabilities affecting sensitive, externally facing Fortinet applications, he added.
Fortinet did not immediately respond to requests for comment.
Cracked passwords, global reach
While SOCRadar initially reported that the dataset contained working login credentials for over 30,791 devices, further analysis by Beaumont and Hudson Rock placed the affected devices at 75,000—about 50% of the total internet-facing Fortinet firewalls found on Shodan. Researchers found affected devices across 194 countries, spanning more than 21,000 domains.
The dataset reportedly contains a mix of administrative and SSL VPN credentials recovered from compromised configuration files. Researchers said the operation is highly automated, allowing threat actors to collect, process, and crack credential material at a very large scale. SOCRadar found the top affected countries to be India, the United States, and Mexico, with a little under 12,000 compromised credentials between them. A credential-type breakdown revealed organization-specific credentials were most probed, indicating enterprise targeting.
Explaining the potential impact, Beaumont said the threat actors “can log in remotely and gain remote access to the firewall—and so the network.” They can also change settings, including security controls, and make backdoor users, he added. This level of access could lead to data exfiltration, ransomware deployment, or lateral movement within organizations.
Old hashes, new problems
Additional investigation into the campaign highlighted why some Fortinet deployments proved easier to crack than others. Researchers noted that many affected systems stored administrator credentials using older hashing approaches that were significantly less resistant to offline password-cracking attacks than more recent implementations.
“Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism,” Arctic Wolf researchers explained. “However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade.” This could be leading to many organizations continuing to store admin credentials using older SHA-256 with salt hashing mechanisms, making them vulnerable to offline cracking attacks.
The use of PBKDF2 significantly increases the computational effort required to crack passwords, but if organizations upgrade FortiOS without requiring administrators to log in, the old hashes persist. Threat actors can then extract these hashes from configuration files and use GPU-based clusters or cloud computing to crack them. Given that many organizations reuse passwords across systems, a single cracked FortiGate credential could expose other sensitive assets.
Defenders told to assume credential exposure
Researchers urged organizations to assume that credentials contained in exposed FortiGate configuration files have been compromised and to immediately rotate affected administrative and VPN passwords. Additional recommendations include enforcing multi-factor authentication (MFA), restricting internet access to management interfaces, and reviewing devices for signs of unauthorized access.
Upgrading to supported FortiOS versions and replacing weaker or reused passwords was also advised. “After upgrading FortiOS, require all administrators to log in to the firewall at least once: this will automatically set the encryption to PBKDF2,” the researchers said. Admin passwords can also be manually updated by using a super_admin account, they noted.
Organizations should also monitor for unusual login patterns, such as attempts from unfamiliar IP addresses or at odd hours, and check for the presence of unauthorized admin accounts. Network segmentation should be reviewed to limit the blast radius if a firewall is compromised. Incident response teams should be prepared to contain and eradicate any foothold attackers may have established.
The FortiBleed campaign serves as a stark reminder that credential harvesting remains a favored tactic among threat actors, especially when combined with large-scale automation. As organizations continue to rely on Fortinet devices for network security, the importance of proper credential hygiene, timely patching, and adoption of modern hashing algorithms cannot be overstated. The attack also underscores the value of monitoring external-facing assets and assuming that configuration files, if exposed, will be exploited.
Given the scale of this campaign—affecting half of all internet-exposed Fortinet firewalls—the global impact is significant. Enterprises in critical sectors such as finance, healthcare, and government are particularly at risk. Security teams should treat this as a zero-trust trigger and validate that no unauthorized access has occurred. Regular audits of firewall configurations and password policies are essential, as is the immediate application of security updates from Fortinet.
Source: Network World News