News Daily Nation Digital News & Media Platform

collapse
Home / Daily News Analysis / FortiBleed campaign exposes 75,000 Fortinet firewalls worldwide

FortiBleed campaign exposes 75,000 Fortinet firewalls worldwide

Jul 18, 2026  Twila Rosenbaum  4 views
FortiBleed campaign exposes 75,000 Fortinet firewalls worldwide

A massive credential-compromise campaign dubbed 'FortiBleed' has exposed tens of thousands of Fortinet devices worldwide, with researchers warning of persistent attacker access to affected enterprise environments. The campaign was first flagged by security researcher Volodymyr Diachenko, who posted on LinkedIn about finding an attacker-controlled list of potentially working FortiGate passwords collected through various means.

Further details came from SOCRadar after its team independently discovered an operational server belonging to an unnamed threat actor. This server contained a list of stolen FortiGate passwords, tools, automation infrastructure, a victim list, and telling information about who could be behind the attack. 'Attribution is ongoing, but the operational fingerprints are clear,' SOCRadar researchers said in a blog post, adding that the tooling and targeting choices are consistent with Russian-speaking threat actors.

According to independent analyses by SOCRadar, Hudson Rock, and security researcher Kevin Beaumont, the threat actors systematically collected configuration files from internet-facing Fortinet FortiGate firewalls and used them to recover working administrator credentials. The initial access vector is presently unknown. CEO of watchTowr Benjamin Harris said the campaign is consistent with what he has been seeing lately. 'The uncomfortable reality is that modern exploitation isn't always about immediate impact,' he said. 'It's about harvesting data that retains value long after the underlying vulnerability has been patched.'

Cracked passwords, global reach

While SOCRadar initially reported that the dataset contained working login credentials for over 30,791 devices, further analysis by Beaumont along with Hudson Rock placed the affected devices at 75,000, about 50% of the total internet-facing Fortinet firewalls found on Shodan. Researchers found affected devices across 194 countries, spanning more than 21,000 domains.

The dataset reportedly contains a mix of administrative and SSL VPN credentials recovered from compromised configuration files. Researchers said the operation is highly automated, allowing threat actors to collect, process, and crack credential material at a very large scale. SOCRadar found the top affected countries to be India, the US, and Mexico, with a little under 12,000 compromised credentials between them. A credential-type breakdown revealed organization-specific credentials to be most probed, indicating enterprise targeting.

Explaining the potential impact, Beaumont said the threat actors 'can log in remotely and gain remote access to the firewall — and so the network.' They can also change settings, including security controls, and make backdoor users, he added.

Old hashes, new problems

Additional investigation into the campaign highlighted why some Fortinet deployments proved easier to crack than others. Researchers noted that many affected systems stored administrator credentials using older hashing approaches that were significantly less resistant to offline password-cracking attacks than more recent implementations.

'Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism,' Arctic Wolf researchers explained in a blog post. 'However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade.' This could lead to many organizations continuing to store admin credentials using older SHA-256 with Salt hashing mechanisms, they noted.

Fortinet devices are widely used in enterprise networks for next-generation firewall, VPN, and security functions. The FortiGate product line is known for its robust feature set, but like any complex platform, it has faced numerous vulnerabilities over the years. The FortiBleed campaign capitalizes on the fact that many organizations fail to update their FortiOS promptly or to enforce strong password policies. The use of legacy hashing algorithms makes offline cracking trivial for attackers with GPU-accelerated tools.

Moreover, the campaign highlights a broader trend in cybercrime: the shift from immediate exploitation to long-term credential harvesting. By collecting configuration files over time from multiple vulnerabilities, threat actors accumulate a valuable database of credentials that can be used for espionage, ransomware, or resale on dark web markets.

Defenders told to assume credential exposure

Researchers urged organizations to assume that credentials contained in exposed FortiGate configuration files have been compromised and to immediately rotate affected administrative and VPN passwords. Additional recommendations include enforcing multi-factor authentication (MFA), restricting internet access to management interfaces, and reviewing devices for signs of unauthorized access.

Upgrading to supported FortiOS versions and replacing weaker or reused passwords was also advised. 'After upgrading FortiOS, require all administrators to log in to the firewall at least once: this will automatically set the encryption to PBKDF2,' the researchers said. Admin passwords can also be manually updated by using a super_admin account, they noted.

The scale of the FortiBleed campaign is alarming. With 75,000 devices potentially accessible, attackers have a vast network of entry points into critical infrastructure, financial services, government agencies, and large corporations. The geographic distribution shows that no region is immune, but developing nations with less mature cybersecurity postures are disproportionately affected. India's high number of compromised devices may reflect its rapidly expanding digital economy without commensurate security investment.

Beyond immediate remediation, organizations must consider the root causes that make such campaigns possible. The reliance on legacy hashing algorithms even after upgrades is a systemic issue. Administrators must be trained to log in after each firmware update to trigger the transition to PBKDF2. Additionally, configuration files should never be stored or transmitted in plain text. If backup configurations are exposed, even partially, they can be used to recover hashed passwords.

Fortinet has not publicly commented on the campaign at the time of writing, but the company historically releases patches for critical vulnerabilities. The onus is on customers to apply these patches and follow best practices. The FortiBleed campaign serves as a stark reminder that security is a continuous process—not a one-time setup. Attackers will always exploit the weakest link, whether it's unpatched software, weak passwords, or misconfigured access controls.

As the cybersecurity community continues to investigate the campaign, more details may emerge about the specific vulnerabilities exploited and the identity of the threat actor. However, the immediate takeaway is clear: assume compromise, rotate credentials, enforce MFA, and ensure hashing algorithms are up to date. The FortiBleed campaign will likely inspire copycat attacks, making proactive defense more important than ever.


Source: Network World News


Share:

Your experience on this site will be improved by allowing cookies Cookie Policy