A massive credential-compromise campaign dubbed 'FortiBleed' has been found to expose tens of thousands of Fortinet devices worldwide, with researchers warning of persistent attacker access to affected enterprise environments. The campaign was first flagged by security researchers after discovering an attacker-controlled list of potentially working FortiGate passwords collected through various means.
Further analysis from multiple security firms revealed that an operational server belonging to an unnamed threat actor contained a comprehensive database of stolen FortiGate passwords, automation tools, infrastructure details, and victim lists. Attribution remains ongoing, but the operational fingerprints point toward Russian-speaking threat actors based on their tooling and targeting choices.
The threat actors systematically collected configuration files from internet-facing Fortinet FortiGate firewalls and used them to recover working administrator credentials. These credentials were likely accumulated over time by exploiting many vulnerabilities affecting sensitive, externally facing Fortinet applications. The initial access vector for the campaign is presently unknown, but researchers believe the attackers leveraged weaponized exploits against known vulnerabilities, including historical flaws in FortiGate SSL VPN and management interfaces.
Global Reach and Scope
While initial reports suggested the dataset contained working login credentials for over 30,791 devices, further independent analyses placed the affected devices at approximately 75,000—representing nearly 50% of all internet-facing Fortinet firewalls identified on Shodan, a search engine for internet-connected devices. The scale of this campaign underscores the magnitude of the threat facing organizations worldwide.
Researchers found affected devices spread across 194 countries, spanning more than 21,000 unique domains. The dataset reportedly contains a mix of administrative and SSL VPN credentials recovered from compromised configuration files. The operation is highly automated, allowing threat actors to collect, process, and crack credential material at an industrial scale. The top affected countries are India, the United States, and Mexico, with just under 12,000 compromised credentials between them. A credential-type breakdown revealed organization-specific credentials to be the most probed, indicating deliberate enterprise targeting.
Explaining the potential impact, security experts said that threat actors who obtain these credentials can log in remotely and gain full access to the firewall and, by extension, the entire network. They can modify security settings, create backdoor users, and pivot into internal systems. This level of access essentially hands over the keys to the kingdom, potentially exposing sensitive corporate data, intellectual property, and customer information.
Technical Roots: Old Hashes, New Problems
Additional investigation into the campaign highlighted why some Fortinet deployments proved easier to crack than others. Researchers noted that many affected systems stored administrator credentials using older hashing approaches that were significantly less resistant to offline password-cracking attacks than more recent implementations.
Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS versions 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism. However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade. This transition gap means many organizations continue to store admin credentials using the older, more vulnerable SHA-256 with salt hashing mechanism, making them susceptible to brute-force or dictionary attacks once an attacker obtains the configuration file.
The use of PBKDF2 introduces a key derivation function that significantly increases the computational effort required to crack each password, deterring attackers who rely on high-speed password guessing. Despite Fortinet's recommendation to enable the stronger hashing, many administrators have not logged in after upgrading, leaving their old hashes exposed.
Defenders Told to Assume Credential Exposure
Security researchers urge organizations to assume that any credentials contained in exposed FortiGate configuration files have been compromised and to immediately rotate affected administrative and VPN passwords. Delaying response only increases the window of opportunity for attackers to exploit the stolen credentials for lateral movement or data exfiltration.
Additional recommendations include enforcing multi-factor authentication (MFA) on all firewall management and VPN access, restricting internet access to management interfaces, and reviewing devices for signs of unauthorized access. Organizations should also ensure that outdated or unused administrator accounts are removed, and that password policies mandate complex credentials that are changed regularly.
Upgrading to supported FortiOS versions and replacing weaker or reused passwords is also critical. After upgrading FortiOS, organizations should require all administrators to log in to the firewall at least once, which automatically triggers the conversion of password storage to PBKDF2. Alternatively, admin passwords can be manually updated using a super_admin account, ensuring that newly set passwords benefit from the stronger hashing from the start.
The campaign highlights the persistent value of harvested credentials. As one security CEO noted, the uncomfortable reality is that modern exploitation isn't always about immediate impact; it's about harvesting data that retains value long after the underlying vulnerability has been patched. The FortiBleed campaign exemplifies this threat intelligence challenge, where credentials harvested years ago can still be used effectively today.
Fortinet has not publicly responded to questions about the campaign at the time of writing, but the industry-wide response has been swift, with advisory alerts issued by multiple cybersecurity organizations. The broader lesson for enterprises is that network security devices themselves must be treated as critical assets, subject to the same rigorous patch management, credential hygiene, and monitoring as any other system on the network. The FortiBleed incident serves as a stark reminder that the perimeter is only as strong as the credentials that protect it.
Source: Network World News