FortiBleed Credential Campaign Puts Fortinet FortiGate Devices on Alert


Fortinet customers are being urged to reset credentials, enable multi-factor authentication, and review exposed FortiGate devices after reports of a large credential-harvesting campaign known as FortiBleed.

The campaign targets Fortinet firewalls and VPN gateways, but Fortinet says it is not tied to a new vulnerability. In its analysis, Fortinet said attackers appear to be reusing credentials from previous incidents and combining them with brute-force attempts against devices with weak password practices and no MFA.

The warning has also drawn attention from government security agencies. CISA's hardening alert urges organizations to secure internet-accessible Fortinet devices, while the UK NCSC's warning tells organizations using Fortinet firewalls and VPN gateways to investigate for possible compromise and follow the mitigation steps.

FortiBleed Is a Credential Attack, Not a New Zero-Day

FortiBleed is dangerous because perimeter security devices hold privileged access to corporate networks. If attackers obtain working administrator or VPN credentials, they can simply log in; no software flaw needs to be exploited, so a fully patched device is not protected on its own.

Reuters reported that researchers found signs of password theft involving organizations in more than 15 countries. Fortinet said the activity relies on data from previous incidents and repeated password-guessing attempts, rather than on a flaw covered by a recent advisory.

Security firms have reported different numbers for the campaign’s scale. Arctic Wolf said researchers identified verified working administrator credentials for between 30,000 and 75,000 devices across 194 countries. SecurityWeek reported a higher figure of 86,644 confirmed working credentials. Note that one figure counts devices and the other counts credentials, so the two are not directly comparable.

What Attackers Can Do With FortiGate Credentials

A valid FortiGate login can give attackers access to sensitive firewall and VPN controls. That can include configuration data, VPN settings, firewall rules, local users, and security policies.

Fortinet says organizations should look for unauthorized changes, including unrecognized accounts. Examples listed in the Fortinet guidance include usernames such as “forticloud,” “fortiuser,” “fortinet-support,” and “fortinet-tech-support.” The list is illustrative, not exhaustive: any local administrator that nobody on the team can account for should be treated the same way.

The risk can increase in environments where FortiGate devices connect to Active Directory or LDAP. If attackers use the firewall or VPN gateway as a foothold, they may try to reach internal identity systems, create persistence, or move further into the network.

| Area | Risk | What admins should check |
| --- | --- | --- |
| Admin accounts | Unauthorized users may gain control of the device | Review all local admins and remove unknown accounts |
| VPN users | Attackers may access internal services remotely | Reset VPN passwords and enforce MFA |
| Firewall policies | Rules may be changed to allow persistence or lateral movement | Compare current settings with a known-good backup |
| Directory integration | AD or LDAP accounts may face additional abuse | Review domain controller logs for unusual authentication |
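To make the table's checks concrete, here is an added example (my own code, not Fortinet's or any vendor's tool) that parses two FortiOS configuration exports, a known-good backup and the current running config, and reports what the table asks about: administrators and firewall policies that were not in the backup, administrators whose names match Fortinet's examples or that have no trusted-host restriction or no MFA, and WAN interfaces that still allow management access. The parser handles the config/edit/set/next/end text that `show full-configuration` and config backups produce. The two sample configs are constructed for the example, the 10.0.0.0/24 trusted-host range is an assumption, and the suspect account names are the ones quoted from Fortinet's guidance above.

```python
"""Audit a FortiGate config export against a known-good backup.

Added example, not Fortinet's own tooling. Parses the text format that
`show full-configuration` and config backups use and applies the checks
from the table above. Both sample configs below are constructed.
"""
import shlex

# Account names Fortinet's guidance lists as seen in this campaign (quoted on the page).
SUSPECT_ADMIN_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}
# allowaccess services that expose a management interface.
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp", "fgfm"}
ANY_HOST = ["0.0.0.0", "0.0.0.0"]  # FortiOS default trusthost, i.e. no restriction


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts; re-opening a table merges into it."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        current = stack[-1]
        if keyword == "config":                       # config system admin -> "system admin"
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "edit":                       # edit "admin" -> entry "admin"
            stack.append(current.setdefault(args[0], {}))
        elif keyword == "set":                        # set key v1 v2 -> {"key": ["v1", "v2"]}
            current[args[0]] = args[1:]
        elif keyword == "unset":
            current.pop(args[0], None)
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit(baseline_text, current_text):
    """Return sorted (check, subject) findings for the current config."""
    base, cur = parse_fortios(baseline_text), parse_fortios(current_text)
    findings = []
    # Anything present now but not in the backup: admins, local (VPN) users, policies.
    for table, label in (("system admin", "new-admin"), ("user local", "new-local-user"),
                         ("firewall policy", "new-policy")):
        for name in sorted(set(cur.get(table, {})) - set(base.get(table, {}))):
            findings.append((label, name))
    for name, settings in cur.get("system admin", {}).items():
        if name.lower() in SUSPECT_ADMIN_NAMES:
            findings.append(("suspect-name", name))
        if not any(k.startswith("trusthost") and v[:2] != ANY_HOST for k, v in settings.items()):
            findings.append(("no-trusthost", name))
        if settings.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("no-mfa", name))
    for iface, settings in cur.get("system interface", {}).items():
        exposed = set(settings.get("allowaccess", [])) & MGMT_SERVICES
        if settings.get("role", [""])[0] == "wan" and exposed:
            findings.append(("wan-mgmt-exposed", iface + ":" + ",".join(sorted(exposed))))
    return sorted(findings)


# Constructed sample: the known-good backup taken before the incident.
BASELINE = """
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping
    next
    edit "port2"
        set role lan
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
    next
end
"""

# Constructed sample: today's running config, written as the backup plus the
# attacker's changes (re-opening a table merges into it, as on the CLI).
CURRENT = BASELINE + """
config system admin
    edit "fortinet-support"
        set trusthost1 0.0.0.0 0.0.0.0
        set two-factor disable
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 99
        set name "wan-to-lan-any"
    next
end
"""
```

Run `audit()` against the real backup and a fresh `show full-configuration` export. An empty result means nothing differs on the checked tables, not that the device is clean: policies that were edited rather than added, and tables the checks do not cover, still need a manual diff.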

CISA and NCSC Urge Immediate Hardening

The CISA alert recommends terminating active sessions, resetting passwords, using phishing-resistant MFA, checking logs, and reducing public exposure of management interfaces.

The NCSC advice also says organizations should investigate suspicious activity, use the FortiBleed asset-check tools it references where appropriate, isolate compromised devices, and consider a factory reset if attackers may have gained persistence.

These steps matter because changing a password alone may not be enough if a device has already been modified: an attacker with administrator access may have added accounts, changed policies, or altered settings that survive a credential reset. Admins should preserve useful logs and configuration evidence before wiping or rebuilding any device suspected of compromise, since a factory reset destroys it.

Organizations with FortiGate firewalls or VPN gateways exposed to the internet should act quickly, even if they have not received a direct compromise notice. The safest approach is to assume exposed credentials may have been tested and to rotate them before attackers can reuse them.

  • Terminate all active administrator and VPN sessions.
  • Reset Fortinet VPN, administrator, API, local admin, and service-account credentials.
  • Enable MFA for every administrator and VPN user account.
  • Upgrade FortiOS to the latest supported versions in the 7.4, 7.6, or 8.0 branches.
  • Use PBKDF2-based administrator credential storage where supported.
  • Remove legacy password settings with set login-lockout-upon-weaker-encryption where applicable.
  • Review logs for unknown administrative access, unusual IP addresses, and unexpected password resets.
  • Audit firewall policies, VPN users, local users, and configuration changes against a known-good baseline.
  • Restrict management access to trusted hosts or internal networks.
  • Remove public internet access to management interfaces wherever possible.
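As an added example of the log review in the checklist (again my own code, not Fortinet's), the script below reads FortiGate event logs in their key=value syslog form and flags the indicators the page names: password-guessing bursts from one source, administrator logins from outside the expected management range, a success that follows a burst of failures, newly created administrator accounts (including the names Fortinet's guidance lists), and administrator password changes. The sample lines are constructed, the 10.0.0.0/24 management range is an assumption, and the logdesc strings and cfgpath/cfgobj/cfgattr field names are what I expect from FortiOS system event logs; confirm them against an export from your own device before relying on the matches.

```python
"""Triage FortiGate event logs for the indicators listed in the checklist above.

Added example, not Fortinet's tooling. Input is FortiGate's key=value syslog
format. The sample lines are constructed; the logdesc values and cfg* field
names are assumptions about FortiOS event logs, so verify them on real data.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

ADMIN_NETS = [ip_network("10.0.0.0/24")]   # assumption: where admin logins are expected from
FAIL_THRESHOLD = 5                          # failures from one source before we call it brute force
# Account names Fortinet's guidance lists as seen in this campaign (quoted on the page).
SUSPECT_ADMIN_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=bare or key="quoted value"


def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def triage(lines, admin_nets=ADMIN_NETS, fail_threshold=FAIL_THRESHOLD):
    """Return (alert, subject) pairs in log order."""
    alerts, failures = [], Counter()
    for line in lines:
        e = parse_line(line)
        desc, src, user = e.get("logdesc", ""), e.get("srcip", ""), e.get("user", "?")
        if desc == "Admin login failed":
            failures[src] += 1
            if failures[src] == fail_threshold:            # alert once per source
                alerts.append(("brute-force", src))
        elif desc == "Admin login successful":
            trusted = bool(src) and any(ip_address(src) in net for net in admin_nets)
            if not trusted:
                alerts.append(("admin-login-untrusted-ip", f"{user}@{src}"))
            if failures[src] >= fail_threshold:            # the guessing finally worked
                alerts.append(("success-after-failures", f"{user}@{src}"))
        elif desc == "Object attribute configured" and e.get("cfgpath") == "system.admin":
            obj = e.get("cfgobj", "")
            if e.get("action") == "Add":                   # new administrator account
                alerts.append(("admin-added", obj))
                if obj.lower() in SUSPECT_ADMIN_NAMES:
                    alerts.append(("suspect-admin-name", obj))
            if "password" in e.get("cfgattr", ""):         # admin password reset
                alerts.append(("admin-password-changed", obj))
    return alerts


# Constructed sample log, modelled on FortiGate event/system messages.
FAILED = ('date=2025-01-10 time=03:12:{s:02d} type="event" subtype="system" '
          'logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" '
          'srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"')
SAMPLE_LOG = [FAILED.format(s=i) for i in range(5)] + [
    'date=2025-01-10 time=03:13:01 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" '
    'srcip=198.51.100.7 action="login" status="success" reason="none"',
    'date=2025-01-10 time=03:14:20 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(198.51.100.7)" '
    'srcip=198.51.100.7 action="Add" cfgpath="system.admin" cfgobj="fortinet-support" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin fortinet-support"',
    'date=2025-01-10 time=03:15:02 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="GUI(198.51.100.7)" '
    'srcip=198.51.100.7 action="Edit" cfgpath="system.admin" cfgobj="admin" '
    'cfgattr="password[*]" msg="Edit system.admin admin"',
    'date=2025-01-10 time=08:00:00 type="event" subtype="system" '
    'logdesc="Admin login successful" user="alice" ui="https(10.0.0.5)" '
    'srcip=10.0.0.5 action="login" status="success" reason="none"',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
```

The threshold and the management range are the two knobs to tune: a low threshold on a busy VPN gateway will page constantly, while a range that is too wide hides exactly the logins from unexpected addresses that the checklist is after. Feed it the device's forwarded syslog or a FortiAnalyzer export rather than the on-box log, which an attacker with admin rights can clear.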

Reported Scale of the FortiBleed Campaign

The exact scale remains difficult to pin down because different researchers have reported different datasets and validation methods. However, the public reporting points to a large campaign involving exposed Fortinet firewall and VPN credentials across many countries.

| Source | Reported detail | Why it matters |
| --- | --- | --- |
| Reuters | Researchers cited around 75,000 Fortinet firewall and VPN devices | Shows the campaign may affect major organizations and public-sector networks |
| Arctic Wolf Labs | Between 30,000 and 75,000 devices across 194 countries | Highlights the global reach of the reported credential compromise |
| SecurityWeek | 86,644 confirmed working credentials reported by SOCRadar | Shows why admins should not wait for a direct victim notice before acting |

Why MFA and Password Rotation Are Critical

FortiBleed shows how old credentials can remain dangerous long after an initial incident. If organizations patched earlier vulnerabilities but did not reset passwords, exposed credentials may still work.

Strong password policies help, but MFA is now essential for administrator and VPN accounts. MFA can reduce the value of stolen or guessed passwords, especially on systems that sit directly on the internet.

Security teams should also review whether administrators reuse passwords across edge devices, internal systems, and directory services. Shared credentials can turn a firewall compromise into a wider network incident.

What Organizations Should Do Next

Any organization using FortiGate firewalls or Fortinet VPN gateways should review its exposure immediately. Internet-facing management access should be removed or tightly restricted, and every administrator and VPN account should go through credential rotation.

If logs show unknown administrator access, unauthorized accounts, unexpected VPN users, or unexplained configuration changes, teams should treat the device as compromised. In those cases, a full incident response process may be required, including device isolation, forensic review, credential resets, and monitoring for lateral movement.

FortiBleed is a reminder that perimeter appliances require the same identity controls as cloud services and internal systems. Patching matters, but it does not replace MFA, password rotation, least-privilege access, and regular configuration auditing.

FAQ

What is FortiBleed?

FortiBleed is the name used by researchers for a large credential-harvesting campaign targeting Fortinet FortiGate firewalls and VPN gateways. Fortinet says the activity appears to involve reused credentials from previous incidents and brute-force attempts, not a new Fortinet zero-day.

Is FortiBleed a new Fortinet vulnerability?

No. Fortinet says FortiBleed is not a new Fortinet vulnerability and is not related to a recent security advisory. The main risk comes from compromised or reused credentials, weak password hygiene, exposed devices, and missing MFA.

Which Fortinet devices are affected by FortiBleed?

The campaign focuses on internet-accessible Fortinet FortiGate firewalls and VPN gateways. Organizations with exposed administrator or VPN interfaces face the highest risk, especially if accounts use weak or reused passwords without MFA.

What should Fortinet admins do first?

Admins should terminate active administrator and VPN sessions, reset all Fortinet administrator and VPN credentials, enable MFA, review logs, check for unauthorized accounts, and restrict management access from the public internet.

Should organizations treat a FortiGate device as compromised?

Organizations should treat a device as compromised if they find unknown administrator accounts, unexpected VPN users, suspicious login activity, unauthorized configuration changes, or unexplained password resets. In that case, they should isolate the device and begin incident response.

Readers help support VPNCentral. We may get a commission if you buy through our links.