FortiBleed Leak: Fortinet VPN Credentials Exposed for 30,791 Devices


SOCRadar researchers recently uncovered an active operation systematically compromising Fortinet firewalls and VPN gateways, which they've named "FortiBleed." This critical FortiBleed leak has exposed credentials for thousands of Fortinet VPN devices. As of their recent publication, this campaign remains ongoing, making the FortiBleed leak a pressing concern for cybersecurity professionals globally. For a detailed analysis, refer to the original SOCRadar report.

What Actually Happened with the FortiBleed Leak

The operation SOCRadar tracks as "FortiBleed" systematically compromised Fortinet firewalls and VPN gateways, and it was still ongoing when the report was published.

A total of 30,791 Fortinet devices—firewalls and VPN gateways—were compromised. This spans 21,108 unique IPs and 8,316 unique domains across 194 countries. The attackers obtained verified, working usernames and passwords, confirming their validity using automated tools. SOCRadar rated this a critical incident, highlighting the severity of the FortiBleed leak.

This is a confirmed, active breach of confidentiality: verified, working credentials for critical network infrastructure are now in the hands of threat actors.

How They Got In: It's Not a Zero-Day

When a large-scale breach occurs, the immediate assumption is often a zero-day vulnerability. This incident is different: the flaw lies less in Fortinet's code than in how some organizations manage their Fortinet deployments, which makes the FortiBleed leak a case study in foundational security failures.

The attack chain involved several key steps:

  1. Scanning for Exposure: Threat actors initiated automated scans across the internet for exposed Fortinet devices. This included FortiGate VPN and web management interfaces, often found on standard ports like 443, but also on non-standard ones such as 4443, 8443, and 10443.
  2. Credential Stuffing: Upon identifying exposed devices, attackers did not seek new exploits. Instead, they employed credential stuffing (MITRE ATT&CK T1110.004). They used curated lists of usernames and passwords from *earlier* Fortinet-related leaks, attempting them against newly discovered devices, a practice that underscores the persistent risk of reused credentials.
  3. Passive Monitoring: For compromised devices, attackers then passively monitored network traffic (MITRE ATT&CK T1040). This allowed them to collect additional credentials.
  4. Feedback Loop: Newly collected credentials were fed directly back into the scanning tools. This self-sustaining cycle scaled the operation significantly, enabling the compromise of still more devices.

The core vulnerability is not a Fortinet product flaw. It is the exploitation of credential-based attacks—brute-force and credential-stuffing—against internet-facing VPN and firewall services. Understanding this distinction is key to effective mitigation against future incidents like the FortiBleed leak.

Who's Getting Hit, and Why It Matters

The impact is extensive, affecting entities including banks, telecom operators, hospitals, universities, government agencies, energy companies, and multinational corporations. Telecom is the most heavily impacted sector by volume, with 5,616 credential entries. Government agencies recorded 591 entries across 111 domains. Notably, over 20% of all entries belong to enterprise organizations with revenues exceeding $1 billion.

Geographically, India and the United States account for nearly a third of all entries. India alone comprises over 60% of all government entries. Ukraine, Poland, and Taiwan also appear on the list, which analysts suggest aligns with the attribution to Russian-speaking threat actors and their observed targeting of NATO member countries.

Analysis of the most compromised usernames reveals a pattern: org-specific accounts top the list, followed by generic administrative and system accounts, indicating a reliance on default or easily guessable administrative accounts and inadequate management of system-level credentials.

An attacker with these verified credentials gains immediate access to your VPN or management interface. From there, they can move laterally, exfiltrate sensitive data, or establish persistence within the network.

[Figure: Representation of data exfiltration after the FortiBleed leak]

What We Do Now: Back to Basics

While Fortinet has not publicly commented on the FortiBleed leak, this situation does not call for waiting on a zero-day patch; it demands addressing foundational security practices that should have been implemented years ago.

Organizations must immediately assume their credentials for Fortinet VPN or web management interfaces are compromised. Every password for every account that accesses these services must be rotated. The new credentials must be unique, complex, longer than 16 characters, and ideally managed through an enterprise password manager. Furthermore, audit all generic and default system accounts: disable any that are no longer needed, and hold the rest to the same stringent password and MFA requirements so they cannot be reused for further compromise.

It is critical to enforce Multi-Factor Authentication (MFA) across all internet-facing VPNs and management interfaces. Without MFA, these services are an open door, and credential stuffing against them is highly effective. MFA directly counters MITRE ATT&CK T1110.004 and, in incidents like this one, is often what stands between a leaked password and total compromise.

Furthermore, restrict direct internet exposure for your Fortinet firewall's web management interface. This interface must be protected from direct public internet access. Implement controls such as IP whitelisting, placing it behind a dedicated jump box, or isolating it within a hardened management network. Reducing this attack surface directly limits targets for automated scanners.

Finally, conduct thorough audits of your Fortinet device logs. Look for unusual login attempts, particularly from unfamiliar IP addresses, or successful logins by accounts that should be inactive. Pay close attention to activity that deviates from normal operational patterns, including privilege escalation attempts. Integrating these logs into a Security Information and Event Management (SIEM) system can automate detection of such anomalies, providing a more proactive defense.
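The log review described above, as an added example that is not part of the original article or of any SOCRadar or Fortinet tooling: it parses constructed FortiGate-style key=value event lines and flags the three indicators the paragraph names (successful logins from outside trusted networks, successful logins by accounts that should be inactive, and a single source failing against many different usernames). Field names and values are constructed for illustration; check them against your own device's log format.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed FortiGate-style key=value event lines (illustrative, not real device output).
SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=198.51.100.7
date=2024-05-01 time=09:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7
date=2024-05-01 time=09:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="svc_backup" remip=198.51.100.7
date=2024-05-01 time=09:00:04 type="event" subtype="vpn" action="tunnel-up" user="svc_backup" remip=198.51.100.7 reason="login successfully"
date=2024-05-01 time=09:05:00 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.20.0.5 ui="https(10.20.0.5)"
date=2024-05-01 time=09:06:00 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.44 ui="https(203.0.113.44)"
date=2024-05-01 time=09:07:00 type="event" subtype="system" action="login" status="failed" user="admin" srcip=10.20.0.5 ui="https(10.20.0.5)"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def is_success(ev):
    return ev.get("status") == "success" or ev.get("action") == "tunnel-up"

def is_failure(ev):
    return ev.get("status") == "failed" or ev.get("action") == "ssl-login-fail"

def analyze(log_text, trusted_nets, retired_accounts, spray_threshold=3):
    """Return the three indicator categories worth escalating to the SIEM."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = {"untrusted_success": [], "retired_account_success": [], "spray_sources": []}
    users_per_src = defaultdict(set)          # distinct usernames failing per source IP
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src, user = ev.get("srcip") or ev.get("remip"), ev.get("user")
        if is_failure(ev):
            users_per_src[src].add(user)
        if is_success(ev):
            if not any(ipaddress.ip_address(src) in n for n in nets):
                findings["untrusted_success"].append((user, src))
            if user in retired_accounts:
                findings["retired_account_success"].append((user, src))
    # One source cycling through many accounts is the credential-stuffing signature.
    findings["spray_sources"] = [s for s, u in users_per_src.items() if len(u) >= spray_threshold]
    return findings
```

Feed it real exported logs, a list of your management networks, and your inventory of decommissioned accounts; each finding is a candidate for an alert rule in the SIEM.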

Sophisticated, industrial-scale cyber espionage campaigns frequently exploit basic, well-understood weaknesses. The real challenge lies in consistently implementing these fundamental controls across diverse organizational environments; failing to do so will continue to produce predictable, costly outcomes.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.