FortiBleed Exposes Fortinet Firewall Credentials in Global Credential Attack
A large credential-harvesting campaign known as FortiBleed has exposed login data for tens of thousands of Fortinet FortiGate firewalls and VPN gateways worldwide.
The incident does not currently appear to involve a new Fortinet zero-day. Researchers say attackers relied on exposed devices, old or reused passwords, brute-force activity, and credentials gathered from previous incidents. Fortinet told Reuters that the activity is not related to any recent incident or advisory.
The scale remains serious. A Hudson Rock analysis says the dataset includes 73,932 unique firewall URLs across 194 countries and 21,632 unique domains. A separate SOCRadar report puts the number of compromised devices at 86,644.
FortiBleed Targets Exposed Fortinet Firewalls and VPN Gateways
FortiBleed appears to center on credential access rather than a single software flaw. Attackers scan the internet for exposed Fortinet devices, test large sets of known or leaked passwords, and record successful logins for later use.
Security researcher Bob Diachenko first drew attention to the exposed data after finding an open server that contained what appeared to be Fortinet VPN credentials. The files reportedly included usernames, email addresses, plaintext passwords, organization details, and attacker tooling.
Independent researcher Kevin Beaumont reviewed portions of the data with Hudson Rock and said in a DoublePulsar analysis that the dataset looked legitimate, recent, and tied to Fortinet devices that remain online.
| Reported figure | Source | What it describes |
|---|---|---|
| 73,932 | Hudson Rock | Unique Fortinet firewall URLs listed in the dataset |
| 21,632 | Hudson Rock | Unique domains tied to exposed Fortinet credentials |
| 86,644 | SOCRadar | Compromised Fortinet firewall and VPN devices reported in its analysis |
| 194 | Multiple researchers | Countries represented in the exposed data |
How the FortiBleed Attack Works
The attackers appear to use automation at scale. According to the SOCRadar findings, the operators scan exposed Fortinet services, try curated password lists, and add verified logins to their database.
Once attackers gain access to a firewall or VPN gateway, they can monitor traffic, collect more credentials, and use the device as a path into the internal network. This creates a feedback loop where one compromised device can help attackers find more passwords and compromise more systems.

The campaign also shows why password complexity alone does not solve the problem. A long password offers little protection if attackers already have it from an old breach, a leaked configuration, an infostealer infection, or a previously compromised system.
Fortinet Says This Is Not a New Advisory
Fortinet has described the activity as a third-party credential-harvesting campaign targeting its firewalls and VPN gateways. In a statement reported by Reuters, the company said attackers used data from previous incidents and brute-forced credentials.
That distinction matters for defenders. Patching remains essential, but it may not remove the immediate risk if attackers already have valid credentials or if administrative access remains exposed to the public internet.
The Hudson Rock data also lists organizations across technology, telecommunications, government, manufacturing, finance, healthcare, education, and critical infrastructure. Some named companies have not publicly confirmed exposure, so organizations should check their own environments rather than relying only on public lists.
Why Exposed Management Interfaces Increase the Risk
Internet-facing firewall administration panels give attackers a larger attack surface. If a FortiGate management interface accepts logins from anywhere, a stolen or guessed password can become enough to access the device.
Fortinet’s own system administrator best practices recommend disabling administrative access on the external internet-facing interface when possible. The same guidance says administrators should use HTTPS and SSH only, restrict logins to trusted hosts, and enable two-factor authentication.
Beaumont also noted in his review of the dataset that many impacted devices expose the FortiGate management interface directly to the internet. That makes credential rotation urgent, especially for organizations that have not changed firewall admin passwords after earlier Fortinet incidents.
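The hardening Fortinet's guidance describes (no admin access on the WAN interface, HTTPS and SSH only, trusted hosts, two-factor) can be checked mechanically against a configuration backup. The script below is an added example, not code from the article or from Fortinet: it parses a constructed FortiOS-style config excerpt (placeholder interface names, addresses and FortiToken serial) and flags admin protocols on WAN-role interfaces, plaintext admin protocols anywhere, administrators with no trusthost restriction, and administrators without two-factor. The syntax of the excerpts follows the FortiOS CLI; the checks themselves are this example's own choices.

```python
import shlex
from collections import defaultdict

# Constructed config excerpts in FortiOS CLI syntax (config/edit/set/next/end).
# Illustrative only, not dumps from a real device; names, addresses and the
# FortiToken serial are placeholders.
WEAK_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh http
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

HARDENED_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKXXXXXXXXXXXXX"
    next
end
"""

ADMIN_PROTOCOLS = {"https", "ssh", "http", "telnet"}  # anything that reaches the admin login
PLAINTEXT_PROTOCOLS = {"http", "telnet"}


def parse_fortios(text):
    """Parse FortiOS CLI text into {section: {entry: {key: [values]}}}.

    Section is the 'config' path (e.g. 'system interface'), entry the 'edit' name.
    """
    tree = defaultdict(lambda: defaultdict(dict))
    stack = []  # ("config", name) or ("edit", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, *args = shlex.split(line)
        if verb == "config":
            stack.append(("config", " ".join(args)))
        elif verb == "edit":
            stack.append(("edit", args[0]))
        elif verb in ("next", "end"):
            stack.pop()
        elif verb in ("set", "unset"):
            section = "/".join(n for k, n in stack if k == "config")
            entry = "/".join(n for k, n in stack if k == "edit")
            tree[section][entry][args[0]] = args[1:] if verb == "set" else []
    return tree


def audit_management_exposure(config_text):
    """Return findings that contradict the admin-access guidance quoted above."""
    tree = parse_fortios(config_text)
    findings = []
    for name, attrs in tree["system interface"].items():
        access = set(attrs.get("allowaccess", []))
        role = attrs.get("role", ["undefined"])[0]  # an unset role is not treated as WAN here
        exposed = access & ADMIN_PROTOCOLS
        if role == "wan" and exposed:
            findings.append(f"interface {name}: admin access {sorted(exposed)} enabled on a WAN-role interface")
        plaintext = access & PLAINTEXT_PROTOCOLS
        if plaintext:
            findings.append(f"interface {name}: plaintext admin protocols {sorted(plaintext)} enabled")
    for name, attrs in tree["system admin"].items():
        # Absent trusthost lines (or 0.0.0.0 0.0.0.0) are the default and mean 'any source'.
        trusted = [v for k, v in attrs.items()
                   if k.startswith("trusthost") and v[:2] != ["0.0.0.0", "0.0.0.0"]]
        if not trusted:
            findings.append(f"admin {name}: no trusthost restriction, login accepted from any source")
        if attrs.get("two-factor", ["disable"])[0] == "disable":
            findings.append(f"admin {name}: two-factor authentication disabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_management_exposure(cfg))} finding(s)")
        for finding in audit_management_exposure(cfg):
            print("  -", finding)
```

Run it against the output of `show system interface` and `show system admin` (or a full config backup) rather than the embedded samples; the parser tolerates the nested config blocks a real backup contains, and `show` omits default values, which is why a missing trusthost line is treated as unrestricted.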
What Organizations Should Do Now
Any organization using Fortinet FortiGate firewalls, SSL VPN, or exposed management interfaces should treat FortiBleed as an active credential risk. Waiting for a patch will not help if the main problem is a valid username and password already in attacker hands.
- Rotate all Fortinet administrator and VPN passwords immediately.
- Enable multi-factor authentication for every admin and remote-access account.
- Review FortiGate login logs for successful access from unusual IP addresses or countries.
- Check for new administrator accounts, altered firewall rules, changed VPN settings, and suspicious configuration changes.
- Remove public access to management interfaces wherever possible.
- Restrict administrative access to trusted IP addresses or internal management networks.
- Upgrade FortiOS to a supported version, and have administrators log in after the upgrade, since password storage changes in some releases only take effect for an account at its next login.
- Search for compromised employee credentials tied to the same domains and usernames.
Organizations that appear in the dataset should also consider incident response steps. Attackers with firewall access may have changed routes, added backdoor users, modified security policies, or used the device to access internal systems.
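The log review in the list above can be scripted. What follows is an added example, not code from the article, Fortinet, SOCRadar or Hudson Rock: it runs over constructed lines in FortiOS key=value event-log syntax and flags two things the campaign description calls for, a success preceded by a burst of failures from the same source (the brute-force path) and any admin login from outside the trusted management ranges (which also catches the clean first-try login that a leaked password produces). The field names and the logid values are assumed from memory and should be checked against the log reference for your FortiOS release; the trusted range 10.0.0.0/8 is a placeholder for your own management network.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in FortiOS key=value event-log syntax (not real device
# logs). Field names follow FortiOS system event logs; the logid values
# (0100032001 admin login successful, 0100032002 admin login failed) are assumed
# and should be verified against the log reference for the release in use.
SAMPLE_LOGS = """\
date=2025-01-14 time=02:11:03 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid"
date=2025-01-14 time=02:11:05 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid"
date=2025-01-14 time=02:11:09 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" method="https" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid"
date=2025-01-14 time=02:11:14 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=198.51.100.23 action="login" status="success" reason="none"
date=2025-01-14 time=08:30:41 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="netops" method="ssh" srcip=10.0.0.25 action="login" status="success" reason="none"
date=2025-01-14 time=22:47:02 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" method="https" srcip=192.0.2.77 action="login" status="success" reason="none"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one FortiOS key=value log line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def review_admin_logins(log_text, trusted=("10.0.0.0/8",), fail_threshold=3, window_s=300):
    """Return findings for successful admin logins that look like harvested-credential use.

    Signal 1: a success preceded by at least fail_threshold failures from the same
    source within window_s seconds (brute force or password spraying).
    Signal 2: any success from outside the trusted management ranges, which also
    catches a stolen password used correctly on the first attempt.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]  # assumed management ranges
    failures = defaultdict(list)  # srcip -> timestamps of failed logins
    findings = []
    for line in log_text.splitlines():
        e = parse_event(line)
        if e.get("action") != "login":
            continue
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        src = e["srcip"]
        if e["status"] != "success":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if 0 <= (ts - t).total_seconds() <= window_s]
        if len(recent) >= fail_threshold:
            findings.append({"srcip": src, "user": e["user"], "time": e["time"],
                             "reason": f"success after {len(recent)} failures within {window_s}s"})
        if not any(ipaddress.ip_address(src) in n for n in nets):
            findings.append({"srcip": src, "user": e["user"], "time": e["time"],
                             "reason": "admin login from outside trusted management ranges"})
    return findings


if __name__ == "__main__":
    for f in review_admin_logins(SAMPLE_LOGS):
        print(f"{f['time']} {f['user']}@{f['srcip']}: {f['reason']}")
```

On the sample, the 198.51.100.23 login trips both checks and the 192.0.2.77 login trips only the trusted-range check; the second case is the one a threshold on failed logins alone would miss, which is why the source-address check matters once credentials are assumed to be in attacker hands.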

FortiBleed Is a Credential Problem With Network-Wide Impact
FortiBleed shows how credential reuse and exposed management interfaces can turn a firewall into an entry point. The device may run a recent firmware version, but an attacker can still get in if the admin password works and the login page faces the internet.
The safest response is to assume exposed Fortinet credentials may already be known to attackers. Security teams should rotate credentials, enforce MFA, review logs, restrict access, and follow Fortinet hardening guidance before attackers turn stolen credentials into deeper network access.
FAQ
What is FortiBleed?
FortiBleed is the name being used for a large credential-harvesting campaign involving Fortinet FortiGate firewalls and VPN gateways. Researchers say attackers collected or verified working credentials for tens of thousands of exposed devices across many countries.
Is FortiBleed a new Fortinet zero-day?
Current reports do not point to a confirmed new Fortinet zero-day. Fortinet says the activity involves credential harvesting, data from previous incidents, and brute forcing, and is not related to a recent incident or advisory.
How many devices are affected?
The exact number varies by source. Hudson Rock reported 73,932 unique Fortinet firewall URLs, while SOCRadar reported 86,644 compromised devices. Both reports describe a global campaign affecting organizations across 194 countries.
What should Fortinet customers do?
Fortinet customers should rotate all VPN and administrator passwords, enable multi-factor authentication, review login logs, restrict management interfaces to trusted IP addresses, check for unauthorized configuration changes, and upgrade FortiOS to supported versions.
Do strong passwords protect against FortiBleed?
Strong passwords help only if attackers do not already have them. In this campaign, researchers say attackers used leaked or previously exposed credentials, brute forcing, and verified login databases. MFA and restricted administrative access reduce the risk even when a password is exposed.