CISA Urges Fortinet Customers to Harden Devices After FortiBleed Credential Exposure


CISA has urged organizations using Fortinet devices to harden their systems after reports of a large credential exposure campaign known as FortiBleed. The agency said the activity involves leaked credentials associated with approximately 74,000 Fortinet devices, according to its Fortinet security alert.

The warning focuses on FortiGate firewalls and SSL VPN gateways exposed to the public internet. If attackers have valid credentials, they can bypass many traditional perimeter controls without exploiting a new software bug.

The campaign highlights a major weakness in edge security: stolen passwords remain dangerous long after a device receives patches. CISA is telling organizations to reset credentials, terminate active sessions, review logs, and restrict access to Fortinet management interfaces.

FortiBleed exposed credentials at global scale

Security researchers have described FortiBleed as a large-scale credential compromise campaign affecting internet-facing Fortinet infrastructure. SOCRadar said its updated dataset includes 86,644 confirmed working credentials across 194 countries, although the count has changed as researchers continue to track the campaign.

Arctic Wolf reported that attackers extracted configuration files from internet-facing FortiGate devices and cracked stored credential hashes, resulting in verified administrator credentials for tens of thousands of devices.

The activity does not appear to rely on one newly disclosed Fortinet CVE. Instead, researchers describe a credential-focused campaign that combines exposed devices, older leaked credentials, configuration access, and weak or outdated password storage.

Item                       Details
Campaign name              FortiBleed
Affected products          Fortinet FortiGate firewalls and SSL VPN gateways
CISA-reported exposure     Approximately 74,000 Fortinet devices
SOCRadar updated count     86,644 confirmed working credentials across 194 countries
Main risk                  Unauthorized access using valid credentials
Primary defensive action   Reset credentials, enforce MFA, restrict management access, and review logs

Why leaked Fortinet credentials are dangerous

FortiGate appliances often sit at the edge of enterprise networks. They handle VPN access, firewall rules, administrative access, and routing between trusted and untrusted environments.

If attackers gain valid administrator or VPN credentials, they may not need malware at first. They can log in like a normal user, inspect configuration data, create persistence, move laterally, or prepare follow-on attacks.

That makes FortiBleed especially serious for organizations that keep management interfaces exposed to the internet or rely on passwords without phishing-resistant multi-factor authentication.

Password hashing is part of the FortiBleed concern

Fortinet introduced PBKDF2-based administrator password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1. A Fortinet technical note says older versions used SHA256 for administrator password storage. The distinction matters because SHA256 is a fast hash: an attacker who obtains a configuration backup can test candidate passwords against the older hashes offline at very high speed, whereas PBKDF2 repeats the hash many times so that every guess costs the attacker far more work.

The upgrade process matters. Fortinet says administrator passwords from older firmware remain stored as SHA256 hashes until each matching administrator logs in successfully after the upgrade.

That means an organization may run a newer FortiOS version but still have some older SHA256 password hashes stored in the configuration. Administrators need to verify that every admin account has moved to PBKDF2.

  • FortiOS 7.2.11, 7.4.8, and 7.6.1 introduced PBKDF2 for administrator passwords.
  • Older administrator password hashes may remain until the administrator logs in after upgrade.
  • Admins can update remaining accounts manually to enforce PBKDF2 storage.
  • Exposed configuration data can become more dangerous when weak or older hashes remain present.
  • Credential rotation remains necessary even after firmware updates.

CISA says organizations should act now

The CISA advisory recommends immediate defensive steps for organizations that use affected Fortinet devices. The agency specifically calls for terminating active VPN sessions, resetting credentials, enabling MFA, and reviewing logs for suspicious activity.

Administrators should also remove unauthorized or unnecessary accounts. If attackers created a backdoor admin account, a password reset alone will not remove their access.

Log review should include FortiGate administrator activity, SSL VPN access records, firewall events, domain controller logs, and authentication events from identity providers. Suspicious logins from unusual countries, new accounts, unexpected configuration changes, and repeated failed logins deserve priority review.
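As an added example (not CISA's or Fortinet's tooling, and not code from the original article), the script below runs the log review described above over a handful of constructed FortiGate-style event log lines. FortiGate writes logs as space-separated key=value pairs with double-quoted string values; the sample lines, the trusted management network (10.10.0.0/24), the expected VPN country set, and the field names relied on (srcip, status, cfgpath, cfgobj, remip, srccountry) are all assumptions for this example and should be checked against what your own devices emit.

```python
"""Triage FortiGate event logs for the indicators named above: repeated failed
logins, admin logins from outside the management network, newly created
administrator accounts, and SSL VPN sessions from unexpected countries.

Added example, not CISA or Fortinet tooling. The sample lines and the field
names used below are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# key=value where the value is either "quoted" (group 3) or a bare token (group 4)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumptions for the sample site: one management subnet, one expected VPN country.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
EXPECTED_VPN_COUNTRIES = {"Germany"}

# Constructed sample: a password-spray from 198.51.100.7 that succeeds against
# "netops", followed by a new admin object, plus two SSL VPN tunnels.
SAMPLE_LOGS = """\
date=2026-03-02 time=08:14:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.10.0.25 method="https" action="login" status="success"
date=2026-03-02 time=08:20:41 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 method="https" action="login" status="failed"
date=2026-03-02 time=08:20:43 type="event" subtype="system" logdesc="Admin login failed" user="netops" srcip=198.51.100.7 method="https" action="login" status="failed"
date=2026-03-02 time=08:20:45 type="event" subtype="system" logdesc="Admin login failed" user="support" srcip=198.51.100.7 method="https" action="login" status="failed"
date=2026-03-02 time=08:20:47 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 method="https" action="login" status="failed"
date=2026-03-02 time=08:20:49 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 method="https" action="login" status="failed"
date=2026-03-02 time=08:21:10 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=198.51.100.7 method="https" action="login" status="success"
date=2026-03-02 time=08:22:03 type="event" subtype="system" logdesc="Object attribute configured" user="netops" srcip=198.51.100.7 action="Add" cfgpath="system.admin" cfgobj="svc_backup"
date=2026-03-02 time=08:25:30 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jdoe" remip=203.0.113.44 srccountry="Reserved"
date=2026-03-02 time=09:01:12 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="asmith" remip=10.10.5.9 srccountry="Germany"
"""


def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_admin_login(ev):
    return ev.get("subtype") == "system" and ev.get("action") == "login"


def failed_login_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed admin logins (credential testing)."""
    counts = Counter(ev["srcip"] for ev in events
                     if is_admin_login(ev) and ev.get("status") == "failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def admin_logins_outside_trusted(events, trusted=None):
    """Successful admin logins whose source is not inside a trusted management net."""
    trusted = TRUSTED_ADMIN_NETS if trusted is None else trusted
    hits = []
    for ev in events:
        if is_admin_login(ev) and ev.get("status") == "success":
            src = ipaddress.ip_address(ev["srcip"])
            if not any(src in net for net in trusted):
                hits.append((ev["user"], ev["srcip"]))
    return hits


def new_admin_accounts(events):
    """Administrator objects added under the system.admin config path (possible backdoors)."""
    return [(ev["cfgobj"], ev["user"], ev["srcip"]) for ev in events
            if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add"]


def vpn_sessions_from_unexpected_countries(events, expected=None):
    """SSL VPN tunnels brought up from a country outside the expected set."""
    expected = EXPECTED_VPN_COUNTRIES if expected is None else expected
    return [(ev["user"], ev["remip"], ev["srccountry"]) for ev in events
            if ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up"
            and ev.get("srccountry") not in expected]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print("credential testing:", failed_login_sources(evs))
    print("admin logins from untrusted sources:", admin_logins_outside_trusted(evs))
    print("new admin accounts:", new_admin_accounts(evs))
    print("VPN from unexpected countries:", vpn_sessions_from_unexpected_countries(evs))
```

On the constructed sample the four checks line up into one story: a spray from 198.51.100.7 that eventually succeeds for "netops", then that same session adds an administrator object. Against real data, feed the parser a syslog export or FortiAnalyzer dump instead of SAMPLE_LOGS, and set the trusted networks and expected countries to your own environment rather than the values assumed here.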

Management interfaces should not face the internet

Fortinet's system administrator best practices recommend secure administrator access, trusted hosts, limited access methods, and strong account controls. Those controls reduce the chance that stolen credentials will turn into full device compromise.

Organizations should restrict Fortinet administration to trusted internal networks, VPN-protected management networks, or dedicated jump hosts. Publicly exposed admin panels give attackers a direct place to test stolen passwords.

Security teams should also check whether external scans can reach management ports. Reducing exposure often prevents credential attacks before they reach the login screen.

Action                                          Why it matters
Reset Fortinet admin and VPN passwords          Stops attackers from reusing leaked or cracked credentials
Terminate active SSL VPN and admin sessions     Removes sessions that may already be authenticated
Enable phishing-resistant MFA                   Reduces the value of exposed passwords
Restrict admin interfaces                       Prevents internet-wide credential testing against management portals
Review logs and configuration changes           Finds signs of unauthorized access, persistence, or lateral movement
Verify PBKDF2 password storage                  Ensures administrator hashes use Fortinet's newer password protection

SOCRadar and Arctic Wolf describe an active campaign

SOCRadar's FortiBleed report says attackers built a verified database of working credentials from internet-facing Fortinet devices. It also says the attackers used automation to scan, validate credentials, and organize victim data by country and other attributes.

Arctic Wolf's analysis warned that many organizations may still have older administrator password hashes in FortiGate configuration files, even after upgrading firmware, unless each administrator logged in or had their password changed after the upgrade.

That point is important for incident response. A device may look patched but still require credential cleanup, account review, and configuration validation.

How administrators can verify stronger password storage

The Fortinet PBKDF2 guidance says PBKDF2-hashed administrator passwords show a PB2 prefix, while older SHA256 hashes show an SH2 prefix. Administrators should review local admin accounts and update any account that still uses the older format.

Fortinetโ€™s administrator hardening guidance also supports a broader cleanup: limit trusted hosts, use secure protocols, reduce unnecessary access methods, and follow least-privilege principles for administrative accounts.

For large environments, these checks should happen across every Fortinet appliance, not only the most visible VPN gateways. Attackers often target neglected edge devices because they lag behind central patching and monitoring processes.

  1. Identify every Fortinet device exposed to the internet.
  2. Terminate active SSL VPN and administrator sessions.
  3. Reset all local administrator, VPN, LDAP, and related service credentials.
  4. Enable MFA on all remote access and administrative logins.
  5. Check administrator password hashes and enforce PBKDF2 where supported.
  6. Remove unused, unknown, or unauthorized accounts.
  7. Restrict administrative access to trusted hosts or internal management networks.
  8. Review logs for unusual logins, new users, and configuration changes.
  9. Patch FortiOS and related Fortinet products to supported fixed versions.
  10. Monitor for lateral movement from VPN-connected systems.
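The script below is an added example, not Fortinet's own tooling and not code from the original article. It automates steps 5 and 7 of the checklist, together with the PB2/SH2 prefix check from the previous section, against a configuration backup: it lists administrator accounts whose stored hash still carries the SH2 (SHA256) prefix, accounts with no trusted hosts, and WAN-role interfaces whose allowaccess list includes a management protocol. The config/edit/set/next/end block syntax, the ENC token before the hash, and the trusthost and allowaccess keywords mirror FortiOS CLI exports, but the sample configuration itself is constructed for this example and the hash values in it are placeholders.

```python
"""Audit a FortiGate configuration backup for three hardening points:
administrator hashes still in the legacy SH2 (SHA256) format, admin accounts
with no trusted hosts, and WAN-facing interfaces that allow management access.

Added example, not Fortinet tooling. It relies on the prefixes the text
describes (PB2 for PBKDF2, SH2 for SHA256); the sample config is constructed.
"""
import shlex

# Protocols on an interface's allowaccess list that expose management
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

# Constructed sample: three admins (one migrated to PBKDF2, one with no trusted
# hosts) and two interfaces, one of which allows https/ssh on its WAN side.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC PB2PLACEHOLDERHASHVALUE
    next
    edit "netops"
        set accprofile "super_admin"
        set password ENC SH2PLACEHOLDERHASHVALUE
    next
    edit "support"
        set accprofile "prof_admin"
        set trusthost1 192.168.50.10 255.255.255.255
        set password ENC SH2PLACEHOLDERHASHVALUE
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
        set role wan
    next
    edit "mgmt"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS-style config blocks into {(section, object): {key: [values]}}.

    Nested config/edit levels are joined into the section and object names so
    that sub-table keys never collide with their parent's.
    """
    objects = {}
    section_stack, edit_stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, *args = shlex.split(line)
        key = (" ".join(section_stack), "/".join(edit_stack))
        if verb == "config":
            section_stack.append(" ".join(args))
        elif verb == "edit":
            edit_stack.append(args[0])
            objects.setdefault((" ".join(section_stack), "/".join(edit_stack)), {})
        elif verb == "set":
            objects.setdefault(key, {})[args[0]] = args[1:]
        elif verb == "next":
            edit_stack.pop()
        elif verb == "end":
            section_stack.pop()
    return objects


def hash_scheme(password_values):
    """Classify a stored admin hash by the prefix after the ENC token."""
    token = password_values[-1] if password_values else ""
    if token.startswith("PB2"):
        return "PBKDF2"
    if token.startswith("SH2"):
        return "SHA256"
    return "unknown"


def legacy_hash_admins(cfg):
    """Admins whose password has not been re-hashed with PBKDF2 yet."""
    return sorted(name for (section, name), attrs in cfg.items()
                  if section == "system admin"
                  and hash_scheme(attrs.get("password", [])) == "SHA256")


def admins_without_trusthost(cfg):
    """Admins that can log in from any source address."""
    return sorted(name for (section, name), attrs in cfg.items()
                  if section == "system admin"
                  and not any(k.startswith("trusthost") for k in attrs))


def wan_interfaces_with_management(cfg):
    """WAN-role interfaces whose allowaccess list includes a management protocol."""
    hits = []
    for (section, name), attrs in cfg.items():
        if section != "system interface" or attrs.get("role", [""])[0] != "wan":
            continue
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if exposed:
            hits.append((name, sorted(exposed)))
    return hits


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    print("admins still on SHA256:", legacy_hash_admins(cfg))
    print("admins without trusted hosts:", admins_without_trusthost(cfg))
    print("WAN interfaces exposing management:", wan_interfaces_with_management(cfg))
```

Each account the first check reports needs a login or a manual password change after the upgrade before its hash moves to PBKDF2, and until then a leaked backup of that device still yields a fast-to-crack hash. The second and third checks are the "trusted hosts" and "limited access methods" controls from Fortinet's best-practice guidance, read straight from the backup so they can be run across a whole fleet of exported configurations rather than one device at a time.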

FortiBleed is a reminder that credentials are perimeter risk

FortiBleed shows that network edge devices remain a high-value target for attackers. A firewall or VPN gateway can become an entry point when credentials leak, password hashes remain weak, or management interfaces stay exposed.

Organizations should not treat Fortinet hardening as a one-time password reset. They should combine credential rotation, MFA, configuration review, patching, log analysis, and external attack surface reduction.

The most urgent step is to assume exposed credentials may still work until proven otherwise. For Fortinet customers, that means rotating passwords, closing unnecessary public access, and validating every administrator account before attackers use the same credentials again.

FAQ

What is FortiBleed?

FortiBleed is the name used for a large credential exposure campaign involving Fortinet FortiGate firewalls and SSL VPN gateways. Researchers say attackers collected or validated credentials for tens of thousands of internet-facing Fortinet devices.

Did FortiBleed exploit a new Fortinet vulnerability?

CISA did not tie the FortiBleed activity to one specific new CVE. The main risk involves leaked or cracked credentials, exposed Fortinet devices, and weak or outdated credential storage.

How many Fortinet devices were affected by FortiBleed?

CISA cited approximately 74,000 Fortinet devices associated with leaked credentials. SOCRadar later listed 86,644 confirmed working credentials across 194 countries as it continued tracking the campaign.

What should Fortinet administrators do first?

Administrators should terminate active VPN and admin sessions, reset Fortinet credentials, enable MFA, restrict management access, review logs, remove unauthorized accounts, and verify that administrator passwords use PBKDF2 where supported.

Why is PBKDF2 important for Fortinet devices?

PBKDF2 provides stronger password hash protection than the older SHA256-based storage used in earlier FortiOS versions. Fortinet says administrators may need to log in or have their passwords manually changed after upgrades to convert older hashes to PBKDF2.
