A large-scale credential-theft campaign nicknamed "FortiBleed" has put working logins for internet-facing Fortinet firewalls and VPNs into criminal hands. If your business runs Fortinet at the perimeter, this one needs attention.

What happened

As reported by SecurityWeek, attackers have compiled a database of more than 86,000 valid credentials for internet-accessible Fortinet firewalls and VPNs — said to cover roughly half of the Fortinet devices reachable from the internet. Valid credentials for an edge device are about as serious as it gets: they can hand an attacker a direct route into the network, often bypassing other defences. This sits alongside the separate FortiSandbox vulnerabilities we flagged recently — a reminder that edge security devices are squarely in attackers' sights.

Why it matters to you

Firewalls and VPNs are the front door to your network. When their credentials leak, the usual signs of intrusion may never appear — the attacker simply logs in. Smaller organisations are just as exposed, because the same devices are widely used.

What to do now

  • Rotate credentials on all Fortinet (and other edge) devices, and assume old passwords may be known.
  • Enforce multi-factor authentication on VPN and firewall administration.
  • Get management interfaces off the public internet — restrict admin access to trusted networks only.
  • Patch firmware promptly and keep devices on supported versions.
  • Review logs for unfamiliar logins or configuration changes.
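
One way to run the log review from the last item, as an added example that is not code from SecurityWeek or Fortinet: because stolen credentials produce successful logins, it flags successful logins and configuration changes that come from outside the networks you expect. The trusted ranges, the sample events and the key=value field names (`srcip`, `ui`, `cfgpath`, `action`, `status`) are assumptions; match them to what your own log export contains.

```python
import ipaddress
import re

# Assumption: admin and VPN logins are only expected from these networks.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/28")]

# Constructed sample events (key=value style); not real log data.
SAMPLE_LOG = """\
date=2025-01-10 time=08:01:12 logdesc="Admin login successful" user="admin" srcip=10.1.2.3 action="login" status="success"
date=2025-01-10 time=03:14:07 logdesc="Admin login successful" user="admin" srcip=203.0.113.45 action="login" status="success"
date=2025-01-10 time=03:15:30 logdesc="Admin login failed" user="root" srcip=198.51.100.7 action="login" status="failed"
date=2025-01-10 time=03:16:40 logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.45)" cfgpath="system.admin"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def source_ip(event):
    """Return the session's source address, from srcip or from ui="GUI(addr)"."""
    match = re.search(r"\(([^)]+)\)", event.get("ui", ""))
    raw = event.get("srcip") or (match.group(1) if match else "")
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None  # no address recorded (for example a console session)

def review(log_text):
    """List successful logins and config changes made from untrusted addresses."""
    findings = []
    for line in log_text.splitlines():
        event = parse(line)
        ip = source_ip(event)
        if ip is None or any(ip in net for net in TRUSTED_NETS):
            continue  # no usable address, or an expected source
        is_login = event.get("action") == "login" and event.get("status") == "success"
        if not (is_login or "cfgpath" in event):
            continue  # failed logins are not the signal: stolen credentials succeed
        kind = "login" if is_login else "config-change"
        findings.append((kind, event.get("user", "?"), str(ip),
                         f'{event.get("date")} {event.get("time")}'))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Each finding is a lead to confirm with the account owner, not proof of compromise; a remote worker on a new connection will show up the same way.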

If you'd like us to check whether your edge devices are exposed, we can run that review for you.

Worried about how any of this applies to your organisation? Get in touch and we'll talk it through — no jargon, no pressure.

Source: FortiBleed: 86,000 Fortinet Device Credentials Compromised — SecurityWeek