This article is being updated regularly with the latest information. Visit us again for the latest news!
The headlines have been relentless over the past few days: a massive dataset containing valid admin credentials for an estimated 75,000 internet-facing Fortinet FortiGate firewalls worldwide is currently circulating under the name FortiBleed. Our IT security specialists at BOLL have analyzed the situation for you. This is the current status – without the fearmongering, but with clear, actionable advice.
What We Know So Far
First and foremost: FortiBleed is not based on a new vulnerability (there is no new CVE). Rather, it is a highly automated, industrial-scale credential harvesting campaign. Attackers bundled credentials from previous data breaches and recent infostealer logs and systematically tested them against internet-facing management interfaces.
- Massive Scale: Attackers executed a large number of login attempts against several hundred thousand devices.
- Widespread Impact: Countless internet-facing FortiGate systems are affected. This encompasses nearly 75,000 devices across 194 countries. German, Austrian and Swiss clients are also among the affected parties.
- Complexity Was Not Enough: Even 25-character passwords were compromised. If infostealer malware extracts a password in plaintext from an endpoint, even the highest password complexity offers zero protection.
- The Hash Trap: Older FortiOS versions used the weaker SHA-256 algorithm for password hashes, which attackers cracked offline using massive GPU power. Fortinet switched to the much stronger PBKDF2 in newer firmware releases. The catch: These secure hashes are only generated if the administrator actively logs into the system after installing the update.
- What We’ve Noticed: In recent weeks we have received several support requests from concerned customers. Their FortiGates were slow, and they noticed a lot of failed admin login attempts coming from the internet. The clean solution was to close admin access on internet-facing interfaces. We suspect those affected FortiGates are connected to FortiBleed.
- Fortinet: Has also observed this and has already communicated some recommendations in their blog.
- The NCSC (Switzerland): Is aware of the situation and has informed some affected customers.
- An Overview of the Leaked Credentials: Is available on this HudsonRock website.
- A Checker Tool is available: On the SOCRadar website.
- Fortinet is aware of the risk of internet-facing administrative access and repeats its recommendation over and over again:
- If you secure your systems according to basic best practices, you are not affected by this leak: According to BSI IT-Grundschutz (NET.3.1.A4 Schutz der Administrationsschnittstellen (B), i.e. protection of administration interfaces), ISO/IEC 27001:2022 (which requires strict segmentation of management and data traffic), 2.7 Unzureichende Absicherung von Administrationswerkzeugen (insufficient protection of administration tools), PCI DSS (1.4.2: inbound traffic from untrusted networks to trusted networks is restricted) and many more (CIS, NIST), management traffic must be specifically protected or even separated.
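The "hash trap" described above is easy to misunderstand, so here is an added example (not Fortinet's code, and not how FortiOS stores its hashes internally) that models the mechanism in Python: a credential store holds legacy entries as a single fast SHA-256 digest, and an entry is only upgraded to salted PBKDF2 at the moment its owner logs in successfully, because that is the only time the plaintext is available to rehash. The iteration count, the account names and the passwords are assumptions for the example; `pending_upgrades` is the kind of check an administrator wants after patching, and `cost_ratio` shows why an unsalted SHA-256 hash is cheap to attack offline while PBKDF2 is not.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the example (OWASP's 2023 guidance for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password):
    """Legacy scheme: one fast SHA-256 over the password, no salt, no work factor."""
    return {"scheme": "sha256", "hash": hashlib.sha256(password.encode()).hexdigest()}


def pbkdf2_hash(password, salt=None):
    """Current scheme: per-user random salt plus a deliberately slow PBKDF2 derivation."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify(record, password):
    """Check a password against whichever scheme the stored record uses."""
    if record["scheme"] == "sha256":
        candidate = hashlib.sha256(password.encode()).hexdigest()
    else:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(record["salt"]),
                                        record["iterations"]).hex()
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(candidate, record["hash"])


def login(store, user, password):
    """Authenticate; on success, migrate a legacy record to PBKDF2. This is the
    only place the migration can happen, because only here is the plaintext known."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "sha256":
        store[user] = pbkdf2_hash(password)
    return True


def pending_upgrades(store):
    """Accounts still on the legacy scheme, i.e. admins who have not logged in since the update."""
    return sorted(user for user, rec in store.items() if rec["scheme"] == "sha256")


def cost_ratio(password="example-password", legacy_rounds=10_000):
    """How many times more expensive one PBKDF2 guess is than one plain SHA-256 guess."""
    start = time.perf_counter()
    for _ in range(legacy_rounds):
        hashlib.sha256(password.encode()).digest()
    legacy = (time.perf_counter() - start) / legacy_rounds
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
    strong = time.perf_counter() - start
    return strong / legacy


if __name__ == "__main__":
    # Constructed store: two legacy admin accounts as they would look right after the update.
    store = {"admin": legacy_hash("Correct-Horse-Battery-Staple"),
             "backup-admin": legacy_hash("Another-Long-Passphrase-Here")}
    print("still on SHA-256 before anyone logs in:", pending_upgrades(store))
    login(store, "admin", "Correct-Horse-Battery-Staple")
    print("still on SHA-256 after admin logged in:", pending_upgrades(store))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f}x one SHA-256 guess")
```

The point the example makes is operational: installing the firmware that supports PBKDF2 changes nothing for an account until that account authenticates once, which is why the checklist below insists on logging in with every admin account after updating.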
Immediate Actions for FortiGate Administrators
As penetration testers and security experts, we urgently recommend completing this checklist immediately if you manage FortiGate systems:
- Isolate Management Interfaces: Admin Web UIs and SSH access must never be exposed to the public internet. Implement strict IP allowlists or enforce VPN-only access.
- Mandatory Password Rotation: Reset all administrative and VPN passwords immediately. Since the credentials have been leaked, clinging to old passwords poses an incalculable risk.
- Enforce MFA Consistently: Multi-Factor Authentication (MFA) is strictly mandatory for all external access and VPN gateways.
- Updates & Re-Authentication: Bring FortiOS up to the latest patch level (e.g., 7.2.11, 7.4.8, 7.6.1). Crucial step: You must log in at least once with every admin account afterward to trigger the migration to the secure PBKDF2 hashes.
- Check Logs for Anomalies: Hunt for Indicators of Compromise (IoCs) such as unknown admin logins, newly created accounts (e.g., forticloud-sync or forticloud-tech), unusual VPN sessions outside of normal business hours, or modified firewall settings.
- If You Suspect Your FortiGate Got Hacked: Follow our guide Remediation Steps if your FortiGate got Hacked or Attacked.
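To make the log-hunting item concrete, here is an added example (our own illustration, not a Fortinet tool) that runs the four checks from the checklist over FortiGate-style event log lines: admin logins from outside the management allowlist, admin logins and VPN sessions outside business hours, newly created admin accounts (with the forticloud-* names from this campaign flagged separately), and bursts of failed admin logins per source address. The field names follow the key=value layout of FortiOS event logs, but every value in the sample lines is constructed, and the management network, business hours and thresholds are assumptions to adapt to your environment.

```python
import ipaddress
import re
from collections import Counter
from datetime import time as dtime

# Assumptions for the example: adapt to the real management network and working hours.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]
BUSINESS_HOURS = (dtime(7, 0), dtime(19, 0))
SUSPICIOUS_ACCOUNT_PREFIXES = ("forticloud-",)   # account names reported in this campaign
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample lines in FortiOS key=value style (documentation IP ranges, made-up values).
SAMPLE_LOGS = """\
date=2025-05-02 time=09:12:41 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.10.0.15)" srcip=10.10.0.15 action="login" status="success"
date=2025-05-02 time=03:27:09 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" srcip=203.0.113.77 action="login" status="success"
date=2025-05-02 time=03:28:30 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.77)" srcip=203.0.113.77 action="Add" cfgpath="system.admin" cfgobj="forticloud-sync" msg="Add system.admin forticloud-sync"
date=2025-05-02 time=03:31:05 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" user="vpnuser1" remip=198.51.100.9 action="tunnel-up" tunneltype="ssl-tunnel"
date=2025-05-02 time=11:40:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid"
date=2025-05-02 time=11:40:02 type="event" subtype="system" logdesc="Admin login failed" user="root" srcip=198.51.100.23 action="login" status="failed" reason="name_invalid"
date=2025-05-02 time=11:40:03 type="event" subtype="system" logdesc="Admin login failed" user="fortinet" srcip=198.51.100.23 action="login" status="failed" reason="name_invalid"
date=2025-05-02 time=11:40:05 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid"
date=2025-05-02 time=11:40:06 type="event" subtype="system" logdesc="Admin login failed" user="administrator" srcip=198.51.100.23 action="login" status="failed" reason="name_invalid"
date=2025-05-02 time=11:40:08 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def in_allowlist(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def outside_business_hours(fields):
    hh, mm, ss = (int(x) for x in fields.get("time", "00:00:00").split(":"))
    t = dtime(hh, mm, ss)
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])


def analyze(lines):
    """Return (rule, detail) findings for the checklist's log anomalies."""
    findings = []
    failed_by_source = Counter()
    for line in lines:
        f = parse_line(line)
        if not f:
            continue
        desc = f.get("logdesc", "")
        src = f.get("srcip") or f.get("remip", "?")
        when = f"{f.get('date')} {f.get('time')}"
        if desc == "Admin login successful":
            if not in_allowlist(src):
                findings.append(("admin-login-from-untrusted-source", f"{f.get('user')} from {src} at {when}"))
            if outside_business_hours(f):
                findings.append(("admin-login-off-hours", f"{f.get('user')} from {src} at {when}"))
        elif desc == "Admin login failed":
            failed_by_source[src] += 1
        elif f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
            name = f.get("cfgobj", "")
            rule = ("suspicious-admin-account-created" if name.startswith(SUSPICIOUS_ACCOUNT_PREFIXES)
                    else "admin-account-created")
            findings.append((rule, f"{name} created by {f.get('user')} from {src} at {when}"))
        elif f.get("subtype") == "vpn" and f.get("action") == "tunnel-up" and outside_business_hours(f):
            findings.append(("vpn-session-off-hours", f"{f.get('user')} from {src} at {when}"))
    for src, n in failed_by_source.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed-login-burst", f"{n} failed admin logins from {src}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOGS.splitlines()):
        print(f"{rule:36s} {detail}")
```

Feed it real exported event logs one line at a time (or point the same rules at your SIEM) and treat any admin login from outside the allowlist as the first thing to investigate; a burst of failed logins from one source is exactly the symptom described in the support cases above.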