Hello All. A massive credential exposure campaign dubbed FortiBleed is impacting internet-facing Fortinet FortiGate firewalls and VPN gateways worldwide.
Current reporting suggests 73,000–86,000+ Fortinet devices may be affected across 194 countries, with attackers harvesting verified credentials for administrative and SSL VPN access.
Important clarification:
FortiBleed is not a new CVE or zero-day.
This appears to be a large-scale credential compromise campaign involving:
- Credential stuffing
- Password spraying
- Brute-force attacks
- Reused / previously leaked passwords
- Exploitation of older known Fortinet exposures
In other words, this is less about a brand-new vulnerability and more about a dangerous combination of:
- Weak password hygiene
- Internet-exposed management interfaces
- Missing MFA
- Poor credential rotation
For defenders, this reinforces a hard truth: the firewall is part of your attack surface. It is not just a defensive tool, it is also a high-value target.
Immediate actions I recommend:
- Rotate all FortiGate admin and VPN credentials
- Enforce MFA on all remote access
- Disable internet-facing management where possible
- Review admin logins for anomalous IPs/geographies
- Check for unauthorized config changes
- Patch to latest FortiOS / review Fortinet PSIRT advisories
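To make the "review admin logins" step concrete, here is an added example (my own illustration, not code from the original post and not a Fortinet tool) that parses FortiOS-style key=value admin-login events and flags three things defenders care about in a campaign like this: successful admin logins from outside an assumed trusted management range, a success that follows failures from the same source, and one source failing against many usernames (the password-spray pattern). The log lines, the trusted range and the field names are constructed for the example; a real deployment would feed it exported FortiGate event logs and could swap the range check for a GeoIP lookup.

```python
"""Review FortiGate-style admin-login events for anomalous sources and spray/brute-force patterns.

Added example, not from the original post or from Fortinet. Assumes FortiOS-style
key=value event logs with srcip / user / action / status fields; the sample lines
below are constructed for illustration, not real captures.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample events in the FortiOS key=value style (values are illustrative).
SAMPLE_LOGS = """\
date=2024-01-10 time=08:01:12 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.10.5.20 action="login" status="success"
date=2024-01-10 time=08:05:40 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=08:05:41 type="event" subtype="system" logdesc="Admin login failed" user="fortinet" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=08:05:42 type="event" subtype="system" logdesc="Admin login failed" user="root" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=08:05:43 type="event" subtype="system" logdesc="Admin login failed" user="vpnadmin" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"
date=2024-01-10 time=08:06:02 type="event" subtype="system" logdesc="Admin login successful" user="vpnadmin" srcip=203.0.113.45 action="login" status="success"
date=2024-01-10 time=09:15:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
"""

# Assumed trusted management range (stand-in for a GeoIP / allow-list check).
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/16")]

# key=value pairs: quoted values may contain spaces, unquoted ones end at whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return {key: (quoted if quoted else plain) for key, quoted, plain in KV_RE.findall(line)}


def is_trusted(ip):
    """True if the source address falls inside the assumed management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed srcip: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_MGMT)


def review_admin_logins(text, spray_user_threshold=3, brute_threshold=5):
    """Return a list of (finding_kind, srcip, detail) tuples for the login events in text."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    logins = [e for e in events if e.get("action") == "login"]
    findings = []
    failed_users_by_src = defaultdict(set)   # srcip -> usernames that failed from it
    failures_by_src_user = defaultdict(int)  # (srcip, user) -> failed attempts

    for e in logins:
        src, user, status = e.get("srcip", ""), e.get("user", ""), e.get("status")
        if status == "failed":
            failed_users_by_src[src].add(user)
            failures_by_src_user[(src, user)] += 1
        elif status == "success":
            if not is_trusted(src):
                findings.append(("untrusted_source_success", src, user))
            if failed_users_by_src.get(src):
                findings.append(("success_after_failures", src, user))

    # One source failing against many distinct usernames looks like password spraying.
    for src, users in failed_users_by_src.items():
        if len(users) >= spray_user_threshold:
            findings.append(("password_spray", src, sorted(users)))
    # Many failures against a single account from one source looks like brute force.
    for (src, user), count in failures_by_src_user.items():
        if count >= brute_threshold:
            findings.append(("brute_force", src, f"{user}:{count}"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in review_admin_logins(SAMPLE_LOGS):
        print(f"{kind:26} src={src:15} {detail}")
```

On the constructed sample this reports a successful `vpnadmin` login from 203.0.113.45 that is both outside the trusted range and preceded by failures, plus a spray finding for that same source across four usernames; the lone failure from 198.51.100.7 stays below every threshold. Tune the thresholds to your own baseline and correlate the flagged sources with the credential-rotation and config-review steps above.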
From an OT perspective, this matters even more.
Many industrial environments still rely on vendor VPN access, jump hosts, and perimeter firewalls to protect critical operations. A compromised edge device could become the initial access point into:
- Power utilities
- Manufacturing
- Water treatment
- Transportation
- Critical infrastructure
This is exactly why identity + access security is now just as important as patching.