The Fortinet FortiBleed incident highlights a recurring pattern in security compromises: they often stem from the slow accumulation of known issues, poor hygiene, and missed updates, rather than novel zero-days. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently urged Fortinet users to secure their devices.
This incident, however, transcends a typical credential dump. It represents a global compromise, impacting nearly 74,000 Fortinet firewall and VPN devices, with credentials actively circulating and being exploited by threat actors.
FortiBleed: How Persistent Security Gaps Led to the Compromise of 74,000 Fortinet Devices
Security researcher Volodymyr "Bob" Diachenko discovered an open server containing a massive trove of Fortinet VPN credentials. This included usernames, email addresses, and plaintext passwords for 73,932 unique firewall URLs. Kevin Beaumont and the Hudson Rock team quickly validated the data's legitimacy and scale. This represents approximately 50% of all internet-facing Fortinet firewall devices globally.
The leaked data extended beyond login details, also containing business intelligence such as company industry, revenue, and employee count. This compilation allows attackers to prioritize high-value targets and tailor subsequent exploitation attempts, leading to more focused and dangerous follow-up attacks.
The list of affected organizations includes Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T, and Toyota. Numerous government agencies and critical infrastructure operators in telecommunications, healthcare, financial services, and manufacturing are also impacted. The reach spans 21,632 unique domains across 194 countries.
The Leak: 74,000 Critical Access Credentials
While the compromise was primarily credential-driven rather than stemming from a new zero-day, this framing understates the underlying issues that made the credential compromise so effective. The incident represents a significant confidentiality breach, enabled by a series of systemic failures.
The attack chain appears to involve:
- Initial Access via Older Vulnerabilities or Exposed Interfaces: The "no new zero-day" claim is nuanced. Evidence suggests the exploitation of older vulnerabilities may have played a role. Many affected devices also had their FortiGate Management Interfaces directly exposed to the internet. This is a fundamental security misstep; an open management interface negates the strongest authentication.
- Credential Harvesting: Once initial access was gained, or configuration files were accessed, attackers harvested credentials. Threat actors linked to this operation conducted approximately 1.16 billion credential attempts against over 320,000 FortiGate targets, specifically intercepting SSL VPN authentication hashes.
- Weak Hashing and Cracking: This is a critical vulnerability. Many affected devices still stored passwords using SHA-256 with salt. While an improvement over plaintext, this is susceptible to brute-force cracking, especially from a stolen configuration file. The threat group reportedly used a 45-GPU cluster, managed through Hashtopolis, to crack these hashes.
- The PBKDF2 Catch: Fortinet transitioned to the stronger PBKDF2 hashing algorithm for credential storage in earlier firmware updates. However, this upgrade only applies if administrators logged in after applying the update. If a patch was applied without forcing re-authentication, older, weaker hashes might persist, remaining vulnerable. Many organizations overlook these post-patch steps, which can leave them vulnerable to future compromises.
This incident is not attributable to a single flaw. It results from a confluence of legacy vulnerabilities, exposed attack surfaces, and incomplete implementation of stronger security controls.
How the Attackers Got In
The practical impact of Fortinet FortiBleed is severe, with reports indicating full network compromises in various regions. There are also allegations of sensitive data exfiltration from affected entities.
Attackers with these credentials gain a direct path into critical networks. They can bypass VPNs, access administrative interfaces, and move laterally. The inclusion of organizational data in the leak suggests these attacks will be highly targeted, exploiting specific company structures and vulnerabilities.
The Real-World Impact
CISA's recommendations are clear and represent foundational security practices. Organizations must assume compromise and act decisively.
Immediate action is paramount. Organizations must terminate all SSL VPN and administrative sessions, then reset all associated passwords across affected infrastructure. The implementation of phishing-resistant multifactor authentication (MFA) across all administrative and VPN access points is critical; it provides a vital layer of defense against credential theft, even when passwords are compromised.
Administrators should also meticulously review logs for any signs of unauthorized access or lateral movement, particularly around the time the leak was discovered. Ensuring all administrative credentials are stored using the modern PBKDF2 hashing algorithm is crucial, and administrators must log in after firmware updates to trigger this hashing upgrade. Finally, restricting firewall management interfaces from public internet access—by placing them behind a dedicated management VPN or on an isolated network segment—is a fundamental security control. Any unauthorized accounts must be removed to reduce the attack surface.
Hudson Rock has released a free FortiBleed lookup tool, available at hudsonrock.com/fortinet. Fortinet FortiBleed customers should use this tool to assess their exposure.
Assigning sole blame, whether to Fortinet for vulnerabilities or to customers for security posture, oversimplifies the issue. Responsibility is shared, with vendors accountable for secure defaults and clear upgrade paths, and customers for implementing those controls and maintaining good hygiene. Given Fortinet's history of critical vulnerabilities—CISA tracks numerous Fortinet flaws exploited in the wild, many of which have been used in ransomware attacks—the need for customers to remain vigilant is particularly acute.
This incident underscores the critical importance of foundational security practices: patching, strong authentication, network segmentation, and credential hygiene. Neglecting these, particularly for internet-facing devices, inevitably leads to an unacceptable risk profile.
