The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to organizations using Fortinet FortiGate firewalls after a large-scale cyber campaign known as FortiBleed was found to have compromised 86,644 internet-facing FortiGate devices worldwide. According to recent reports, the operation is linked to Russian-speaking threat actors who have been systematically harvesting and abusing credentials from vulnerable Fortinet systems.
The campaign appears to focus primarily on stolen, cracked, and brute-forced credentials rather than a newly discovered Fortinet software vulnerability. Researchers found large databases containing usernames, email addresses, and passwords associated with tens of thousands of FortiGate firewalls and VPN gateways. Earlier disclosures referenced roughly 74,000 exposed devices, but the number of affected systems has since grown to more than 86,000.
Security researcher Volodymyr “Bob” Diachenko uncovered an exposed archive containing credentials tied to approximately 73,932 Fortinet firewall URLs across 194 countries. Investigations suggest attackers conducted more than a billion credential-guessing attempts against FortiGate VPN systems and harvested authentication data that could later be used to gain access to corporate networks.
According to SOCRadar data cited in reporting, generic administrator accounts and built-in Fortinet system accounts make up a significant share of the compromised credentials. The campaign has affected organizations across government, telecommunications, manufacturing, defense, and private-sector environments worldwide.
What CISA Is Advising
CISA is urging Fortinet customers to immediately:
- Terminate all active SSL VPN and administrative sessions.
- Reset all administrative and VPN passwords.
- Enable phishing-resistant multi-factor authentication (MFA).
- Review logs for signs of unauthorized access or lateral movement.
- Restrict management interfaces from being accessible over the public internet.
- Remove unauthorized accounts and verify administrator privileges.
- Use modern password protection methods such as PBKDF2 for credential storage.
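As an added illustration of the log-review step above (example code, not from CISA, Fortinet or the original report), the Python below parses constructed FortiGate-style SSL VPN event lines and flags sources with repeated login failures, accounts targeted from many sources (password spraying), and a successful login that immediately follows a burst of failures from the same source. The field names subtype, action, user and remip and the action values ssl-login-fail and tunnel-up are assumptions about the FortiGate key=value log format.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style SSL VPN event log lines (sample data, not from a
# real device). Field names and action values are assumptions about the format.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:00:01 subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.5 msg="SSL user failed to logged in"
date=2025-01-10 time=08:00:02 subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.5 msg="SSL user failed to logged in"
date=2025-01-10 time=08:00:03 subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.5 msg="SSL user failed to logged in"
date=2025-01-10 time=08:00:04 subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.5 msg="SSL user failed to logged in"
date=2025-01-10 time=08:00:05 subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.5 msg="SSL user failed to logged in"
date=2025-01-10 time=08:00:09 subtype="vpn" action="tunnel-up" user="admin" remip=203.0.113.5 msg="SSL tunnel established"
date=2025-01-10 time=08:01:00 subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=198.51.100.7 msg="SSL user failed to logged in"
date=2025-01-10 time=08:01:30 subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=198.51.100.8 msg="SSL user failed to logged in"
date=2025-01-10 time=08:02:00 subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=198.51.100.9 msg="SSL user failed to logged in"
date=2025-01-10 time=08:03:00 subtype="vpn" action="ssl-login-fail" user="jdoe" remip=192.0.2.20 msg="SSL user failed to logged in"
date=2025-01-10 time=08:03:20 subtype="vpn" action="tunnel-up" user="jdoe" remip=192.0.2.20 msg="SSL tunnel established"
"""

# FortiGate logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return one log line as a dict of field -> value."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}

def analyze(log_text, fail_threshold=5, spray_threshold=3):
    """Flag credential-guessing patterns in SSL VPN events (in log order)."""
    fails_by_ip = defaultdict(int)      # failed logins per source address
    ips_by_user = defaultdict(set)      # distinct sources failing per account
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn":
            continue
        ip, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            fails_by_ip[ip] += 1
            ips_by_user[user].add(ip)
        elif action == "tunnel-up" and fails_by_ip.get(ip, 0) >= fail_threshold:
            # Success right after repeated failures from the same source:
            # treat as a likely compromised credential, not a user typo.
            findings.append(("success_after_failures", user, ip, fails_by_ip[ip]))
    for ip, n in fails_by_ip.items():
        if n >= fail_threshold:
            findings.append(("brute_force_source", ip, n))
    for user, ips in ips_by_user.items():
        if len(ips) >= spray_threshold:
            findings.append(("spray_target", user, len(ips)))
    return findings
```

On the sample data this reports the admin account as logged in after five failures from one source, that source as a brute-force origin, and vpnuser as a spraying target, while jdoe's single mistyped password is left alone.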
Fortinet’s Response
Fortinet stated that the leaked credential data does not appear to result from a new breach of the company itself. The vendor says the dataset is likely a collection of credentials gathered from previous incidents combined with successful brute-force attacks against exposed devices. Fortinet emphasized that organizations following security best practices—such as regularly rotating passwords and enabling MFA—face reduced risk.
Potential Impact
Cybersecurity experts warn that successful compromise of FortiGate appliances can give attackers a foothold at the network edge, allowing them to:
- Maintain persistent access.
- Monitor network traffic.
- Steal additional credentials.
- Move laterally into internal systems such as Active Directory environments.
- Access sensitive corporate or government data.
The FortiBleed campaign is now considered one of the largest credential-exposure incidents involving Fortinet infrastructure, prompting heightened concern among defenders and government agencies worldwide.