Fortinet warns of FortiBleed credential harvesting attacks on FortiGate devices
Key Takeaways
- Fortinet has identified an active credential-harvesting campaign, dubbed “FortiBleed,” targeting FortiGate appliances globally.
- The attacks exploit previously disclosed vulnerabilities in conjunction with weak passwords and a lack of multi-factor authentication (MFA), rather than a new zero-day exploit.
- Up to 86,000 internet-facing FortiGate firewalls and VPN devices across 194 countries are potentially impacted.
- Fortinet is directly notifying affected customers and urges immediate remediation, including password resets, MFA enforcement, and system upgrades.
FortiBleed Campaign Targets FortiGate Devices with Credential Harvesting
Fortinet has issued a serious alert regarding an ongoing credential-harvesting campaign, internally dubbed “FortiBleed,” which is actively targeting its FortiGate firewall and VPN appliances. The security vendor emphasized that this campaign leverages previously known vulnerabilities, combined with poor password practices and the absence of multi-factor authentication (MFA), rather than exploiting a new, undisclosed flaw.
According to analysis shared by Carl Windsor, a significant number of devices are at risk. Estimates suggest that as many as 86,000 internet-facing FortiGate devices across 194 countries could be affected, marking this as one of the more extensive security incidents involving Fortinet products in recent memory.
Attack Vector and Impact
The “FortiBleed” operation is not a zero-day exploit. Fortinet’s investigation points to threat actors utilizing credentials compromised in two earlier incidents, tracked as FG-IR-26-060 and FG-IR-25-647. These recycled credentials are then being used in conjunction with AI-accelerated brute-force attacks against FortiGate devices exposed to the internet that lack robust credential controls.
Fortinet clarified that this credential harvesting campaign is distinct from any recent vulnerability disclosures. The company reiterated that customers who had previously completed the recommended remediation steps for earlier advisories should not be impacted by the current activity. Fortinet has proactively identified potentially compromised systems and is in the process of contacting affected customers directly, while also collaborating with relevant government agencies, including CISA, which has issued its own advisory urging organizations to secure their Fortinet infrastructure.
The primary vulnerability exploited in this campaign centers on weak or reused administrative and VPN credentials on internet-facing FortiGate appliances, exacerbated by the absence of MFA. Once unauthorized access is gained, threat actors have been observed making unauthorized configuration changes, creating rogue accounts (with usernames like “forticloud,” “fortiuser,” “fortinet-support,” and “fortinet-tech-support”), and attempting lateral movement into internal networks, particularly those integrated with Active Directory or LDAP environments.
What You Should Do
Fortinet is urging all FortiGate customers to implement the following critical remediation steps immediately:
- Terminate All Sessions: End all active administrative and VPN sessions and promptly reset all Fortinet VPN and administrative credentials, especially for internet-facing systems.
- Enforce MFA: Mandate multi-factor authentication for all administrator and VPN user accounts across your FortiGate environment.
- Upgrade FortiOS: Update FortiOS to versions 7.4, 7.6, or 8.0, which support PBKDF2 hashing for administrator credentials. Ensure legacy password settings are removed using set login-lockout-upon-weaker-encryption.
- Audit Configurations: Compare current configurations against a known-good baseline, specifically looking for unauthorized account additions or policy modifications.
- Review Logs: Scrutinize logs for any unexpected administrative access from unknown IP addresses and monitor domain controller logs for signs of lateral movement or suspicious account activity.
- Restrict Management Access: Limit management access to trusted hosts, apply local-in policies, or remove internet-facing administration capabilities entirely.
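The audit and log-review steps above can be automated. The following Python script is an added illustration written for this article, not Fortinet tooling or code from the advisory: it parses a constructed excerpt in the style of a FortiOS "config system admin" block, flags admin accounts that are absent from a known-good baseline, that use the rogue usernames named above, or that lack two-factor and trusthost restrictions, and then scans constructed key=value event-log lines for administrative logins from outside a trusted management range. The config excerpt, the log field names (logdesc, user, srcip, action, status) and the 10.10.0.0/16 management range are all assumptions for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of a FortiOS "show system admin" export.
# The third entry is the kind of rogue account the campaign creates.
CURRENT_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.0.0
        set accprofile "super_admin"
        set two-factor fortitoken
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.0.0
        set accprofile "super_admin"
        set two-factor fortitoken
    next
    edit "fortinet-support"
        set accprofile "super_admin"
    next
end
"""

# Known-good baseline: the admin accounts the organisation expects to exist (assumed).
BASELINE_ADMINS: Set[str] = {"admin", "netops"}

# Rogue usernames reported in the advisory as created by the attackers.
ROGUE_USERNAMES: Set[str] = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}

# Constructed event-log lines modelled on key=value logging; field names are assumed.
LOG_LINES: List[str] = [
    'date=2026-04-01 time=08:02:11 logdesc="Admin login successful" user="admin" srcip=10.10.5.20 action="login" status="success"',
    'date=2026-04-01 time=23:47:03 logdesc="Admin login successful" user="fortinet-support" srcip=198.51.100.77 action="login" status="success"',
    'date=2026-04-02 time=00:01:45 logdesc="Admin login failed" user="admin" srcip=198.51.100.77 action="login" status="failed"',
]

# Assumed trusted management range: anything else is treated as unknown.
TRUSTED_SOURCES: Tuple[str, ...] = ("10.10.",)


def parse_admins(config: str) -> Dict[str, Dict[str, str]]:
    """Return {username: {setting: value}} for every entry inside 'config system admin'."""
    admins: Dict[str, Dict[str, str]] = {}
    current = None
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and line.startswith("edit "):
            current = line[5:].strip('"')
            admins[current] = {}
        elif in_block and line == "next":
            current = None
        elif in_block and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
    return admins


def audit_admins(config: str, baseline: Set[str]) -> Dict[str, List[str]]:
    """Compare the admin table against the baseline and the hardening expectations."""
    findings: Dict[str, List[str]] = {"unexpected": [], "rogue_name": [], "no_mfa": [], "no_trusthost": []}
    for name, settings in parse_admins(config).items():
        if name not in baseline:
            findings["unexpected"].append(name)
        if name in ROGUE_USERNAMES:
            findings["rogue_name"].append(name)
        # A missing two-factor setting means the default (disabled) applies.
        if "two-factor" not in settings:
            findings["no_mfa"].append(name)
        if not any(k.startswith("trusthost") for k in settings):
            findings["no_trusthost"].append(name)
    return findings


def parse_log(line: str) -> Dict[str, str]:
    """Split a key=value log line; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def suspicious_logins(lines: List[str], trusted: Tuple[str, ...]) -> List[Tuple[str, str, str]]:
    """Return (user, srcip, status) for admin login events from outside the trusted range."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_log(line)
        if ev.get("action") != "login":
            continue
        src = ev.get("srcip", "")
        if not src.startswith(trusted):
            hits.append((ev.get("user", "?"), src, ev.get("status", "?")))
    return hits


if __name__ == "__main__":
    for category, names in audit_admins(CURRENT_CONFIG, BASELINE_ADMINS).items():
        print(f"{category}: {names}")
    for user, src, status in suspicious_logins(LOG_LINES, TRUSTED_SOURCES):
        print(f"login from unknown source: user={user} srcip={src} status={status}")
```

Any account in the "unexpected" or "rogue_name" lists, and any successful login from an unknown source, is the trigger the advisory describes for treating the device as fully compromised and moving to the recovery guidance; the "no_mfa" and "no_trusthost" lists map directly onto the MFA and restrict-management-access steps.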
Organizations discovering unauthorized configuration changes, unrecognized VPN users, or unexpected password resets should assume their devices are fully compromised. Fortinet recommends following its published incident recovery guidance. If AD/LDAP integration is in use, those accounts should also be considered compromised, with continuous monitoring of the directory for anomalous authentication or new account creation. For those suspecting an internal network compromise, Fortinet’s FortiGuard Incident Response team is available for scoping engagements.
This campaign underscores the critical importance of promptly completing vendor-issued remediation steps and consistently enforcing strong password policies and MFA across all administrative interfaces, rather than relying solely on the absence of novel exploits.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.