
FortiBleed: 75,000 Fortinet Systems Compromised via Credential Abuse


The Bottom Line: Fortinet administrators must immediately reset passwords, isolate management interfaces from the internet, and enable multi-factor authentication organization-wide to reduce the risk of a coordinated credential abuse campaign.

A security researcher discovered approximately 75,000 compromised credentials for Fortinet firewalls distributed across nearly 200 countries, affecting more than 20,000 organizations. Rather than exploiting a software vulnerability, as in a typical exploit-based attack, the threat actors are abusing known default passwords and passwords that were never changed.

Last weekend, a structured collection of stolen credentials for Fortinet systems was published; security experts and the company Hudson Rock confirmed its authenticity. The compromised data affects approximately 75,000 Fortinet devices distributed across all 200 countries and belongs to more than 20,000 organizations, companies, and domains. The incident is referred to as “FortiBleed”.

The attack methodology differs fundamentally from classic exploit attacks: the threat actors are not exploiting unknown vulnerabilities, but rather leveraging the fact that many organizations fail to change default passwords or use already-known credentials for publicly accessible management interfaces. Attackers automatically scan the internet for exposed Fortinet systems, compromise them using lists of known credentials, and use the devices as “listening posts” to monitor network traffic and intercept additional credentials. According to Hudson Rock, the threat actors go beyond simple credential stuffing and crack intercepted password hashes using GPU clusters to add them to existing lists.

Although no known follow-on attacks are currently documented, the structured nature of the leak and the financial motivation of the threat actors suggest that rapid exploitation of the stolen data is likely as long as affected organizations have not implemented countermeasures.

Responsible parties should act immediately: (1) update all Fortinet systems to the latest patch level; (2) ensure management interfaces are not directly accessible from the internet; (3) after updating to the current FortiOS version, enforce a mandatory password change for all admin accounts so that the more secure PBKDF2 method is used; (4) enable multi-factor authentication organization-wide for all external access and admin interfaces. Hudson Rock provides a free tool at hudsonrock.com/fortinet that allows organizations to check whether their domain appears in the compromised dataset.


Source: www.cert.at · Published 18 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.7.1.
