'FortiBleed': Credentials for 75,000 Fortinet firewalls compromised.

      Security researchers have discovered a large collection of stolen credentials for Fortinet firewalls, revealing login information for tens of thousands of organizations worldwide. The dataset, named "FortiBleed," includes plaintext usernames, emails, and passwords for 73,932 distinct Fortinet FortiGate firewall and VPN devices across 194 countries, impacting over 21,000 domains. Researchers estimate this amounts to approximately half of all Fortinet firewalls currently accessible on the internet.

      The names in the dataset resemble a roster of prominent global companies, such as Oracle, Chevron, Lenovo, FedEx, Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture, as well as a NATO defense contractor. According to Ars Technica, Fortinet itself is also listed among the compromised entities.

      The situation did not involve any groundbreaking zero-day vulnerabilities; instead, researchers noted that the attackers scanned the internet for Fortinet devices, employed a curated list of known and previously leaked passwords, and logged any successful logins.

      While lacking innovation, the scale of the attack was significant. The attackers targeted hundreds of thousands of login endpoints, captured VPN authentication hashes, and cracked them using a specialized 45-GPU cluster that executed over a billion credential attempts. Researcher Bob Diachenko remarked to Ars Technica, “The scale is the sophistication.”

      Once they gained access to a device, the attackers utilized it as a monitoring point, tracking the traffic and collecting any new credentials that passed through. Essentially, a firewall that was intended to prevent intrusions was used as a vantage point for observation.

      Diachenko, who located the data on the attackers' server, attributes the campaign to a Russian-speaking group. Security firms SOCRadar and Hudson Rock have analyzed the data, and researcher Kevin Beaumont has independently verified that the logins are legitimate and up to date. The method by which the credentials were initially acquired, likely from exported FortiGate configuration files, remains uncertain.

      It is crucial to note that exposed credentials do not equate to a fully compromised network; the leak reveals potential access points but does not confirm that every organization associated with them was breached.

      However, the potential damage is not merely theoretical. Diachenko reports that at least four organizations experienced complete breaches, including a Turkish NATO defense contractor from which classified documents were taken.

      Fortinet disputes the interpretation of the data, asserting that it is "a resharing of information from previous incidents, as well as the bruteforcing of credentials," and claims it is "not connected to any recent incident or advisory." Researchers counter that the affected devices differ from those involved in a known 2025 Fortinet leak and that many are running recent software, indicating a current compromise.

      The incident fits into a broader trend. VPN and firewall appliances have increasingly become targets for groups like Qilin, which have repeatedly exploited corporate VPN equipment for initial access.

      The solution is also straightforward. Researchers recommend that Fortinet users change FortiGate admin and VPN passwords, enforce multi-factor authentication for all external access, restrict management interfaces to trusted IP ranges, review access logs for suspicious activities, and eliminate inactive accounts. If a single reused password can unlock the door, no firewall will provide adequate protection.
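
The log-review, trusted-range and inactive-account recommendations above can be checked mechanically. The following is an added example, not code from the article, the researchers or Fortinet; it assumes a generic key=value log layout with hypothetical field names (`date`, `user`, `srcip`, `action`, `status`), a constructed sample log and illustrative thresholds.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import date

# Constructed sample events in a generic key=value layout (an assumption, not
# a vendor log schema). All addresses come from documentation ranges.
SAMPLE_LOG = """\
date=2025-01-10 user="admin" srcip=192.0.2.10 action=login status=success
date=2025-06-01 user="svc-backup" srcip=203.0.113.77 action=login status=failed
date=2025-06-01 user="jdoe" srcip=203.0.113.77 action=login status=failed
date=2025-06-01 user="netops" srcip=203.0.113.77 action=login status=failed
date=2025-06-01 user="netops" srcip=203.0.113.77 action=login status=success
date=2025-06-02 user="jdoe" srcip=192.0.2.25 action=login status=success
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict, honouring quoted values."""
    return {k: q if q else v for k, q, v in FIELD.findall(line)}

def review(log_text, trusted_nets, accounts, today, max_idle_days=90, spray_users=3):
    """Flag logins from untrusted ranges, spray-then-success sources, idle accounts."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    last_ok, failed = {}, defaultdict(set)
    untrusted, spray = [], set()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse_line(line)
        if ev.get("action") != "login":
            continue
        ip = ipaddress.ip_address(ev["srcip"])
        day = date.fromisoformat(ev["date"])
        if ev["status"] != "success":
            failed[ip].add(ev["user"])          # distinct usernames tried per source
            continue
        last_ok[ev["user"]] = max(day, last_ok.get(ev["user"], day))
        if not any(ip in n for n in nets):      # management login outside trusted ranges
            untrusted.append((ev["user"], str(ip)))
        if len(failed[ip]) >= spray_users:      # many users failed, then one worked
            spray.add(str(ip))
    # Accounts with no successful login inside the idle window (or none at all).
    inactive = sorted(u for u in accounts
                      if (today - last_ok.get(u, date.min)).days > max_idle_days)
    return {"untrusted_logins": untrusted, "spray_then_success": sorted(spray),
            "inactive_accounts": inactive}
```

A success that follows failures against several distinct usernames from one source is the pattern left by the credential-list logins the researchers describe, and any account it touches should be rotated first.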
