CISA Urges Fortinet Users to Harden Devices Following FortiBleed Credential Exposure
CISA has issued an urgent advisory, urging organizations to harden their Fortinet devices following reports of ‘FortiBleed,’ a large-scale credential exposure campaign.
The alert comes after threat actors were found exploiting compromised credentials linked to tens of thousands of internet-facing Fortinet systems worldwide.
According to CISA, the FortiBleed activity involves leaked credentials associated with approximately 74,000 Fortinet devices, including FortiGate firewalls and SSL VPN gateways.
The exposure has affected government and private-sector organizations across multiple regions, raising serious concerns about unauthorized access and potential lateral movement within networks.
CISA Warns on FortiBleed Attacks
Security researchers and threat intelligence firms, including SOCRadar, Hudson Rock, and Arctic Wolf, have reported that the campaign spans over 190 countries, highlighting the global scale of the issue.
Many of the affected devices were directly accessible from the internet, making them high-value targets for attackers seeking initial access.
The primary risk stems from attackers leveraging valid but compromised credentials to bypass traditional security controls.
Once inside, threat actors can escalate privileges, move laterally across networks, and potentially deploy malware or exfiltrate sensitive data.
In response, CISA has strongly urged organizations using Fortinet products to take immediate defensive actions. One key recommendation is to terminate all active SSL VPN and administrative sessions.
Organizations should also reset all passwords associated with Fortinet devices, particularly those exposed to the internet, and enforce strong password policies. Another critical mitigation step involves securing credential storage.
CISA recommends verifying that administrator credentials are protected using the Password-Based Key Derivation Function 2 (PBKDF2), a salted, iterated key-derivation function that is far more resistant to offline cracking than a plain hash. Older or weaker hashing mechanisms should be removed in line with Fortinet’s latest guidance.
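To make the credential-storage recommendation concrete, here is an added example (written for this article, not Fortinet's code or storage format) showing what PBKDF2-protected credentials look like and how a store can be audited for legacy entries. The record layout, the iteration counts, the account names and the sample store are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters are assumptions chosen for this example, not Fortinet's own settings.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000              # work factor: raising it slows offline guessing of leaked hashes
MIN_ACCEPTABLE_ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return a self-describing record
    of the form algorithm$iterations$salt_hex$hash_hex (constructed layout)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=KEY_BYTES)
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(record: str) -> bool:
    """True when a stored record is not PBKDF2 at all or uses too few iterations."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < MIN_ACCEPTABLE_ITERATIONS


def audit_credential_store(store: dict) -> list:
    """Return the account names whose stored credential should be reset and re-hashed."""
    return sorted(name for name, rec in store.items() if needs_rehash(rec))


# Constructed store: two legacy entries (unsalted, single-pass hashes in a made-up
# "algo$hex" layout) and one PBKDF2 entry. A fixed salt is used only to keep the
# sample deterministic; real records get a fresh random salt from os.urandom.
SAMPLE_STORE = {
    "admin": "sha1$" + hashlib.sha1(b"correct horse").hexdigest(),
    "backup": "sha256$" + hashlib.sha256(b"hunter2").hexdigest(),
    "netops": hash_password("long random passphrase", salt=b"\x00" * SALT_BYTES),
}

if __name__ == "__main__":
    for name in audit_credential_store(SAMPLE_STORE):
        print(f"{name}: legacy credential record, reset and re-hash with PBKDF2")
```

The audit runs only over the stored records, so it can be applied to an exported credential list without knowing any passwords; the accounts it returns are the ones to include in the password-reset step above.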
Organizations are also advised to conduct thorough log reviews. This includes analyzing firewall logs, VPN access records, authentication logs, and domain controller activity for signs of suspicious behavior.
Indicators such as unusual login attempts, unauthorized account creation, and unexpected configuration changes may signal compromise.
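The three indicators just listed can be turned into a first-pass log review. The following added example (not from CISA, Fortinet or the original article) parses key=value event lines and flags repeated failed logins, logins from outside a trusted management range, new administrator accounts, and configuration changes outside a maintenance window. The log lines are constructed: they imitate the common FortiGate key=value event-log shape (fields such as logdesc, user, srcip, action, status, cfgpath) but are not real device output, and the trusted range, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lines in a FortiGate-like key=value layout (fabricated, not real logs).
SAMPLE_LOGS = """\
date=2025-03-02 time=02:14:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed"
date=2025-03-02 time=02:14:03 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed"
date=2025-03-02 time=02:14:05 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed"
date=2025-03-02 time=02:14:06 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.23 action="login" status="success"
date=2025-03-02 time=02:15:10 type="event" subtype="system" logdesc="Object configured" user="admin" srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="svc_backup"
date=2025-03-02 time=02:16:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.23 action="Edit" cfgpath="system.interface" cfgobj="wan1"
date=2025-03-02 time=09:30:00 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.20.0.5 action="login" status="success"
date=2025-03-02 time=09:31:12 type="event" subtype="system" logdesc="Object attribute configured" user="netops" srcip=10.20.0.5 action="Edit" cfgpath="firewall.policy" cfgobj="42"
"""

# key=value pairs; values are either a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumptions for this example: where administration is expected to come from,
# when changes are expected, and how many failures count as suspicious.
TRUSTED_ADMIN_NETS = ("10.20.0.",)
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping the surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def review_logs(raw: str) -> list:
    """Return human-readable findings for the indicators CISA asks reviewers to look for."""
    findings = []
    failed_by_src = defaultdict(int)
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        src = ev.get("srcip", "")
        user = ev.get("user", "?")
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        trusted = src.startswith(TRUSTED_ADMIN_NETS)

        # Unusual login attempts: bursts of failures, and success from untrusted sources
        if ev.get("action") == "login":
            if ev.get("status") == "failed":
                failed_by_src[src] += 1
                if failed_by_src[src] == FAILED_LOGIN_THRESHOLD:
                    findings.append(f"repeated failed admin logins from {src} (user {user})")
            elif not trusted:
                findings.append(f"admin login from untrusted source {src} (user {user})")
                if failed_by_src[src] >= FAILED_LOGIN_THRESHOLD:
                    findings.append(f"successful login after {failed_by_src[src]} failures "
                                    f"from {src}: possible credential guessing")

        # Unauthorized account creation: a new object under the admin table
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(f"admin account created: {ev.get('cfgobj')} by {user} from {src}")
        # Unexpected configuration changes: outside the window or from an untrusted source
        elif "cfgpath" in ev:
            in_window = MAINTENANCE_WINDOW[0] <= ts.time() <= MAINTENANCE_WINDOW[1]
            if not in_window or not trusted:
                findings.append(f"config change to {ev['cfgpath']}/{ev.get('cfgobj')} "
                                f"at {ts.time()} from {src}")
    return findings


if __name__ == "__main__":
    for finding in review_logs(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample, the netops activity (trusted source, business hours) produces no findings, while the 02:14 sequence from 198.51.100.23 yields the failed-login burst, the untrusted login, the login-after-failures note, the new admin account and an off-hours interface change. The same checks can be pointed at exported VPN and authentication logs by adjusting the field names and the trusted ranges.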
To further strengthen defenses, CISA recommends enabling phishing-resistant multi-factor authentication (MFA) across all remote access points and administrative interfaces. This adds a layer of protection, even if credentials have already been exposed.
Reducing the attack surface is another key priority. Administrators should ensure that Fortinet management interfaces are not exposed to the public internet.
Access should be restricted to trusted internal networks, and any unnecessary or unauthorized accounts must be removed immediately.
The FortiBleed campaign underscores the growing risk of credential-based attacks, particularly as threat actors increasingly rely on stolen login data rather than exploiting software vulnerabilities.
It also highlights the importance of proactive security measures, including strong authentication, proper credential management, and continuous monitoring.
While no specific CVE has been directly tied to this campaign, the scale and impact of the exposure demonstrate how misconfigurations and credential leaks can create significant security gaps.
Organizations are encouraged to review CISA’s guidance and threat intelligence reports to assess their exposure and take immediate action.
As threat actors continue to evolve their tactics, securing edge devices like firewalls and VPN gateways remains critical to maintaining overall network security.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.