'FortiBleed': Credentials of 75,000 Fortinet firewalls compromised

      Security researchers have discovered a large collection of stolen credentials for Fortinet firewalls, revealing login information for tens of thousands of organizations globally. This dataset, referred to as “FortiBleed,” includes plaintext usernames, emails, and passwords for 73,932 unique Fortinet FortiGate firewall and VPN devices spanning 194 countries, affecting over 21,000 domains. Estimates suggest that this accounts for approximately half of all Fortinet firewalls currently exposed on the internet.

      The names listed in the data resemble a lineup of major global companies: Oracle, Chevron, Lenovo, FedEx, Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture, as well as a NATO defense contractor. According to Ars Technica, Fortinet itself appears within the dataset.

      Methodologically, FortiBleed is notable precisely because it does not reveal a new security flaw in Fortinet’s software. Researchers indicate that attackers simply scanned the internet for Fortinet devices, tested a selected list of previously known passwords against each device, and recorded successful logins. Although lacking in innovation, the attack was extensive. The group targeted hundreds of thousands of login points, intercepted VPN authentication hashes, and cracked them using a specialized 45-GPU cluster that conducted over a billion credential attempts. “The scale is the sophistication,” remarked researcher Bob Diachenko to Ars Technica.

      Once they gained access to a device, the attackers used it as a surveillance point, monitoring the traffic that passed through and collecting any new credentials that were transmitted. The firewall, designed to block intrusions, became a vantage point for observation.

      Diachenko, who discovered the data on the attackers’ own server, links the campaign to a Russian-speaking group. Security companies SOCRadar and Hudson Rock analyzed the dataset, and researcher Kevin Beaumont independently confirmed that the logins are genuine and up-to-date. The initial method through which the credentials were acquired, likely from exported FortiGate configuration files, remains unclear.

      It is crucial to note that exposed credentials do not equate to a fully compromised network. The leak shows where weaknesses exist, but it does not confirm that every affected organization was breached. Nonetheless, the implications are not purely theoretical. Diachenko reports that at least four organizations were completely compromised, including a Turkish NATO defense contractor from which classified documents were taken.

      Fortinet contests this interpretation, stating that the data is “a resharing of information from prior incidents, along with credential bruteforcing,” and emphasizes that it is “not associated with any recent event or advisory.” Researchers counter that the affected devices are distinct from those involved in a known 2025 Fortinet leak and that many are operating on recent software, suggesting a contemporary breach.

      This incident is part of a broader trend. VPN and firewall appliances have become frequent targets, with groups like Qilin often exploiting corporate VPN systems for initial access.

      The remedy is also straightforward. Researchers advise Fortinet users to change FortiGate admin and VPN passwords, implement multi-factor authentication for all external access, restrict management interfaces to trusted IP ranges, scrutinize logs for unusual logins, and deactivate inactive accounts. If a single reused password can unlock the front door, no firewall will protect you.
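The log-review step above can be sketched as follows. This is an added example, not code from the researchers or from Fortinet: it flags a successful login that follows repeated failures from the same source address, and any successful login from outside the trusted ranges. The log layout is a simplified, assumed FortiOS-style key=value format, and the trusted range, sample events and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: admin/VPN logins are only expected from these ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample events in a simplified FortiOS-style key=value layout.
SAMPLE_LOG = """\
date=2025-01-10 time=03:12:01 user="admin" srcip=203.0.113.50 action="login" status="failed"
date=2025-01-10 time=03:12:02 user="admin" srcip=203.0.113.50 action="login" status="failed"
date=2025-01-10 time=03:12:03 user="backup" srcip=203.0.113.50 action="login" status="failed"
date=2025-01-10 time=03:12:04 user="backup" srcip=203.0.113.50 action="login" status="success"
date=2025-01-10 time=08:30:00 user="admin" srcip=10.20.5.9 action="login" status="failed"
date=2025-01-10 time=08:30:09 user="admin" srcip=10.20.5.9 action="login" status="success"
date=2025-01-10 time=11:45:17 user="vpnuser" srcip=198.51.100.7 action="login" status="success"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def review_logins(log_text, fail_threshold=3):
    """Return (finding, srcip, user) tuples for logins that need a closer look."""
    failures = defaultdict(int)  # consecutive failed logins per source IP
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("action") != "login" or "srcip" not in ev:
            continue
        src, user = ev["srcip"], ev.get("user", "?")
        if ev.get("status") == "failed":
            failures[src] += 1
        elif ev.get("status") == "success":
            if failures[src] >= fail_threshold:
                findings.append(("success_after_failures", src, user))
            elif not is_trusted(src):
                findings.append(("success_from_untrusted_ip", src, user))
            failures[src] = 0  # a success ends the failure streak
    return findings
```

A single mistyped password from a trusted address stays below the threshold and is not reported; lowering `fail_threshold` trades fewer missed events for more noise.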
