Security Advisory: FortiBleed Campaign - Large-scale compromise of Fortinet devices

Researchers have recently disclosed a large-scale campaign, referred to as “FortiBleed,” involving the compromise and exposure of credentials associated with Fortinet FortiGate firewalls and SSL VPN devices across global environments.

Unlike traditional vulnerabilities, FortiBleed is not a single CVE or confirmed zero-day flaw. Instead, it represents an active credential exposure and exploitation campaign leveraging reused and potentially exposed credentials at scale.

The precise origin of the credentials used in this campaign has not been confirmed. However, the activity is consistent with large-scale credential reuse and harvesting techniques.

The campaign has been observed impacting tens of thousands of internet-facing Fortinet devices across more than 190 countries, affecting organisations across critical infrastructure, government, and enterprise sectors.

This activity highlights the risk of credential reuse, exposed management interfaces, and insufficient authentication controls, particularly on edge infrastructure such as VPN gateways.

 What the campaign Involves  

FortiBleed is characterised by a highly automated attack model, combining several techniques rather than relying on a single exploit.

Reported or observed activity associated with the campaign includes:

• Credential reuse and credential stuffing using large datasets of known or exposed credentials
• Mass internet scanning to identify exposed Fortinet devices
• Large-scale authentication attempts, including brute-force activity against VPN and administrative interfaces
• Possible interception or collection of authentication data from compromised systems
• Reuse of newly obtained credentials to potentially expand access

In many cases, the campaign appears to rely on valid credentials rather than exploiting a specific software flaw, making it more difficult to detect through traditional vulnerability management processes.

Scope and Impact

Public reporting indicates the following:

• Up to ~73,000 Fortinet firewall and VPN endpoints may be associated with exposed credentials
• Over 30,000 devices have verified working credentials in attacker datasets
• Activity spans 194 countries, affecting both public and private sector organisations

Affected systems include:

• FortiGate firewalls (primary target)
• SSL VPN interfaces exposed to the internet
• Administrative management portals for Fortinet devices

Successful compromise may allow attackers to:

• Gain persistent access to network edge devices
• Monitor and capture network traffic
• Harvest additional credentials
• Pivot into internal systems such as Active Directory environments

Important Clarification

It is important to note:

• In many cases, the campaign appears to rely on valid credentials rather than a single identified software flaw.
• Current analysis suggests the campaign involves extensive credential reuse, although the precise initial access methods may vary and are not fully confirmed.
• Some known Fortinet vulnerabilities may be used opportunistically, but they are not confirmed as the root cause of the campaign

Threat Activity

The campaign is reported to involve:

• Highly automated activity, potentially capable of processing large volumes of authentication attempts
• Continuous or repeated scanning and credential validation against exposed systems
• Reuse of compromised credentials, which may enable attackers to expand access over time

Some reporting suggests attribution to organised, financially motivated threat actors, though attribution remains under investigation.

What This Means for Organisations

FortiBleed demonstrates a shift toward:

• Credential-driven intrusion campaigns at scale
• Targeting of network perimeter devices rather than internal systems first
• Exploitation of identity-based weaknesses rather than primarily software flaws

Organisations may be at risk if they:

• Expose Fortinet management interfaces or VPN portals to the internet
• Reuse passwords across systems or fail to rotate credentials
• Do not enforce multi-factor authentication (MFA)
• Lack visibility into authentication activity on network edge devices

 Because valid credentials may be used, compromises may appear as legitimate activity, delaying detection.  

Recommended Mitigation Steps

1. Check if your organisation is impacted

Search your organisation’s domains, IP addresses, and known credentials using Hudson Rock’s Fortinet exposure checker (https://www.hudsonrock.com/fortinet) or other trusted external tools to determine whether they appear in publicly identified datasets associated with this campaign. Follow up on any matches with credential resets and log review.

2. Rotate Credentials Immediately

• Reset passwords for all Fortinet devices and administrative accounts
• Enforce strong password policies
• Avoid reuse of previously exposed credentials

3. Enforce Multi-Factor Authentication (MFA)

• Apply MFA to all VPN and administrative access
• Prioritize MFA on internet-facing services

4. Restrict Exposure of Management Interfaces

• Limit access to Fortinet administrative portals and SSL VPN endpoints
• Use IP allowlisting or VPN access restrictions
• Avoid direct exposure to the public internet where possible

5 Monitor Authentication Activity

• Review logs for:
  • Unusual login attempts
  • Repeated authentication failures
  • Logins from unexpected geographic locations
• Investigate any anomalous session behavior

6. Review for Indicators of Compromise

• Check for unauthorized accounts or configuration changes
• Monitor for unusual outbound traffic from Fortinet devices
• Validate integrity of system configurations

7. Apply Security Updates

While FortiBleed is not tied to a single vulnerability, ensure:

• All Fortinet systems are fully patched
• Known exploited vulnerabilities are remediated

Risk Summary

FortiBleed represents a high-impact, global credential-driven attack campaign rather than a traditional vulnerability-based incident.

Because it can rely on valid credentials and trusted access pathways, it can bypass many conventional security controls and remain undetected for extended periods.

Organisations should treat this activity as a priority risk to network perimeter security and take immediate action to validate whether exposed credentials or vulnerable access paths exist within their environment.

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.