CURRENT ACTIVITIES
Potential Exposure of FortiGate Administrative and VPN Credentials (FortiBleed)
Original Issue Date: June 18, 2026
It has been reported that a large-scale credential exposure campaign, dubbed FortiBleed, has resulted in the compromise and exposure of credentials associated with Fortinet firewalls and VPN gateways. In this ongoing campaign, threat actors have compiled a verified database of working administrator and VPN credentials for tens of thousands of internet-facing FortiGate firewalls. The leaked dataset contains usernames, email addresses, plaintext passwords, and configuration-derived information tied to active Fortinet devices.
The exposed data may have been collected through a sustained credential-harvesting operation involving brute-force attacks, interception of authentication data, exploitation of previously known vulnerabilities, and extraction of configuration information from compromised devices. It is reported that the attackers executed an estimated 1.16 billion credential attempts against over 320,000 FortiGate targets, alongside an additional 2.1 billion brute-force attempts directed at over 160,000 MSSQL servers.
Organizations using Fortinet products should assume potential credential exposure and perform immediate validation and remediation activities.
Exposed Information
The exposed information includes:
- Administrative usernames
- Email addresses
- VPN credentials
- Plaintext passwords
- Device configuration information
- Network-related metadata
Impact:
1. Unauthorized Administrative Access
Attackers possessing valid administrative credentials can modify firewall policies, create backdoor accounts, disable security controls, or establish persistent access.
2. VPN-based Initial Access
Valid VPN credentials may allow direct entry into corporate networks, bypassing perimeter security controls.
3. Lateral Movement
Compromised firewall access can facilitate:
- Active Directory compromise
- Credential theft
- Privilege escalation
- Internal reconnaissance
4. Data Breach and Ransomware Risk
Firewall compromise often serves as a precursor to:
- Data exfiltration
- Business email compromise
- Ransomware deployment
- Supply-chain attacks
Recommendations for Security Teams
Best Practices
Organizations using Fortinet FortiGate firewalls should implement the following security best practices to reduce the risk of credential compromise and unauthorized access:
1. Enforce Multi-Factor Authentication (MFA)
- Enable MFA for all administrative accounts and SSL VPN users.
- Prefer hardware tokens, authenticator applications, or certificate-based authentication over SMS-based MFA.
2. Rotate Credentials Regularly
- Change administrative, VPN, and service account passwords periodically.
- Immediately rotate credentials if exposure is suspected.
- Use strong, unique passwords and avoid password reuse across systems.
3. Restrict Management Access
- Disable Internet-facing administrative interfaces whenever possible.
- Limit management access to dedicated management networks, VPNs, or approved IP addresses.
- Implement IP allowlisting for administrative access.
4. Keep FortiOS Updated
- Apply security patches and firmware updates promptly.
- Subscribe to vendor security advisories and establish a regular patch management process.
- Remove unsupported or end-of-life devices from production environments.
5. Enable Comprehensive Logging and Monitoring
- Log all administrative and VPN authentication activities.
- Forward logs to a centralized SIEM for correlation and alerting.
- Monitor for failed login attempts, unusual login locations, and configuration changes.
6. Conduct Regular Configuration Audits
- Review firewall configurations against approved security baselines.
- Remove unused accounts, policies, VPN portals, and services.
- Periodically verify that security settings have not been altered.
7. Harden VPN Deployments
- Restrict VPN access to authorized users and groups.
- Enforce MFA for all remote access connections.
- Review and remove inactive VPN accounts regularly.
8. Perform Continuous Threat Hunting
- Search for unauthorized accounts, suspicious login activity, and unexpected configuration modifications.
- Review historical logs for indicators of compromise.
- Investigate any unexplained changes to firewall policies or administrator settings.
9. Conduct Regular Security Assessments
- Perform vulnerability assessments and penetration testing on perimeter devices.
- Validate exposure of management services from the Internet.
- Assess compliance with organizational security standards.
10. Maintain an Incident Response Plan
- Establish procedures for credential compromise and firewall breach scenarios.
- Define escalation paths and communication plans.
- Conduct periodic tabletop exercises to validate response readiness.
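As an added example (not part of the advisory or any Fortinet tooling), the monitoring and threat-hunting items above (5 and 8) turned into a small Python hunt over FortiGate-style key=value event logs: it flags repeated failed logins per source IP, successful admin logins from outside an assumed management network, and creation of new administrator objects. The log field names, the management range and the failure threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# FortiGate event logs are key=value fields; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MGMT_NETS = [ip_network("10.10.0.0/16")]  # assumed management network
FAIL_THRESHOLD = 5  # failed logins per source before flagging (assumed)

def parse_log(line):
    """Turn one key=value event line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def hunt(lines):
    """Return (finding, detail) tuples for the three checks described above."""
    findings, fails = [], Counter()
    for ev in map(parse_log, lines):
        if ev.get("type") != "event":
            continue
        src = ev.get("srcip") or ev.get("remip", "")
        # Admin login or SSL VPN login failures, counted per source IP.
        if ev.get("status") == "failed" or ev.get("action") == "ssl-login-fail":
            fails[src] += 1
            if fails[src] == FAIL_THRESHOLD:
                findings.append(("brute_force", src))
        # Successful admin login from outside the management network.
        if ev.get("action") == "login" and ev.get("status") == "success":
            if src and not any(ip_address(src) in n for n in MGMT_NETS):
                findings.append(("admin_login_outside_mgmt", f"{ev.get('user')}@{src}"))
        # New administrator object created: a classic backdoor account.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(("admin_account_added", ev.get("cfgobj", "?")))
    return findings

# Constructed sample lines (not real device output), shortened to the fields
# the checks use: six password failures, then a success, then a new admin.
SAMPLE = [
    f'date=2026-06-18 time=09:00:{i:02d} type="event" subtype="system" action="login" '
    'status="failed" user="admin" srcip=198.51.100.7 reason="passwd_invalid"'
    for i in range(6)
] + [
    'date=2026-06-18 time=09:01:00 type="event" subtype="system" action="login" '
    'status="success" user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"',
    'date=2026-06-18 time=09:01:30 type="event" subtype="system" action="Add" '
    'cfgpath="system.admin" cfgobj="svc_backup" user="admin" srcip=198.51.100.7',
    'date=2026-06-18 time=09:02:00 type="event" subtype="system" action="login" '
    'status="success" user="netops" srcip=10.10.1.5',
]
```

Run `hunt(SAMPLE)` to see the three findings; in practice the same function would be fed lines exported from the FortiGate or from the SIEM the logs are forwarded to.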
CERT-In recommends that all organisations using Fortinet firewalls and VPN-related devices review their risk exposure immediately. Organisations need to assess whether their IP addresses, domains, or CIDR ranges have been exposed through FortiBleed-related VPN firewall breaches or misconfigured storage repositories. Such exposure can be verified using publicly available assessment tools such as:
https://www.hudsonrock.com/fortinet
https://socradar.io/free-tools/fortibleed
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-22902657
Postal Address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India