When your firewall becomes the threat
23rd June 2026

What FortiBleed actually is
Researchers have uncovered a large‑scale, long‑running campaign against Fortinet FortiGate firewalls that they have dubbed “FortiBleed.”
In simple terms, attackers have been quietly collecting configuration data from internet‑facing Fortinet devices, cracking the stored passwords, and then logging in remotely as administrators on tens of thousands of firewalls worldwide.
Multiple independent analyses (Hudson Rock, Arctic Wolf and others) estimate that around 73,000 to 75,000 unique Fortinet firewall or VPN URLs have been compromised across 194 countries, with working credentials confirmed for over 30,000 devices out of a total target set of roughly 320,000 Fortinet firewalls. Based on Shodan data, that is believed to be around half of all Fortinet firewalls directly reachable from the internet.
Investigations point to a Russian-speaking, multi-operator cybercrime group that systematically scans the internet for Fortinet devices and then tests them against massive stores of usernames and passwords harvested by information-stealing malware (infostealers). The rising risk of criminal groups using infostealer-derived data to target internet-connected systems is a core focus of Trium's underwriting, and you can read more about it in our recent infostealer malware article.
Related article: Infostealer Malware: the theft that keeps taking (14th October 2025)
When a credential pair works, the attackers do not stop at that one login. They harvest the password "hashes" (scrambled versions of the passwords) stored in the device's configuration for the other accounts and run them through a powerful cracking cluster until the original passwords are recovered, turning one working VPN login into a full set of device credentials.
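To make the cracking step concrete, here is an added example (not code from the article, the researchers, or Fortinet) of an offline dictionary attack against harvested hashes. It uses a generic salted SHA-256 stand-in rather than FortiOS's own password hash format, and the "extracted configuration" and the infostealer-derived wordlist are constructed for the example; the point it demonstrates is that a password already present in a leak falls in a handful of guesses no matter how "complex" it looks, while a password that exists in no leak is never reached.

```python
import base64
import hashlib

# Constructed stand-in for a stored credential: base64(salt)$base64(sha256(salt || password)).
# FortiOS stores admin passwords in its own format, which is not reproduced here; the
# cracking loop below is the same idea whatever the exact hash function.
def make_hash(password: str, salt: bytes) -> str:
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()

# Constructed "extracted configuration": account -> stored hash. Salts are fixed so the
# example is reproducible; real devices use random salts.
STOLEN_HASHES = {
    "admin": make_hash("Summer2024!", b"\x01" * 8),
    "vpn-contractor": make_hash("Tr0ub4dor&3", b"\x02" * 8),   # passes a complexity policy, but leaked before
    "ops": make_hash("c9Q!v2Lx#p7Rm4Zt@1Ke", b"\x03" * 8),    # long, random, never reused anywhere
}

# Constructed wordlist standing in for credentials harvested by infostealers.
STOLEN_WORDLIST = [
    "password1", "Welcome123", "Summer2024!", "Fortinet1!",
    "Tr0ub4dor&3", "P@ssw0rd", "Spring2025!",
]

def crack(hashes: dict[str, str], wordlist: list[str]) -> dict[str, tuple[str, int]]:
    """Try every wordlist entry against every stored hash.
    Returns account -> (recovered password, number of guesses it took)."""
    recovered = {}
    for account, stored in hashes.items():
        salt = base64.b64decode(stored.split("$", 1)[0])   # salt is stored in the clear
        for guesses, candidate in enumerate(wordlist, start=1):
            if make_hash(candidate, salt) == stored:
                recovered[account] = (candidate, guesses)
                break
    return recovered

if __name__ == "__main__":
    for account, (password, guesses) in crack(STOLEN_HASHES, STOLEN_WORDLIST).items():
        print(f"{account}: {password!r} recovered after {guesses} guesses")
    # "ops" is absent from the output: its password is in no leak, so the wordlist never reaches it.
```

A real cracking cluster runs the same loop over billions of candidates per second with GPU-optimised hash implementations; the wordlist, not the hash speed, is what decides whether a given account falls.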
Once they have valid credentials, they do not stop at the firewall: they move into internal systems such as Active Directory, databases and application servers, exfiltrating data and establishing long-term control of the victim network.
Researchers have reported complete compromise of organisations ranging from Fortune 500 companies to firms across Japan, South-East Asia and the Middle East, including at least one Turkish defence contractor supporting NATO, from which classified documents were stolen.
This is not a niche set of small businesses: the victim list includes global manufacturers, telecoms, technology vendors and critical infrastructure providers. Hardware, software and security vendors themselves frequently run Fortinet at their perimeter, and because their products and services are deeply embedded in the supply chain, a breach at one of them can cascade downstream to the many organisations that depend on them. A single campaign against one product family can therefore reach a wide range of downstream entities, including many within the FTSE 350 and Fortune 500 portfolios held by major cyber insurers.
Fortinet is not alone in facing repeated, serious issues with internet-facing VPN and firewall components. Other examples from the last one to two years include:
- SonicWall: Critical vulnerabilities in SonicWall SSL VPN and management interfaces (for example CVE-2024-40766) have been actively exploited, leading to ransomware intrusions. SonicWall has also disclosed a breach of its firewall cloud-backup service, in which configuration files used for restoring devices were accessed by attackers, again giving them insight into customer environments.
- Palo Alto Networks: CISA and other agencies have highlighted critical authentication-bypass flaws in PAN-OS affecting the firewall management interface and remote access, adding them to the Known Exploited Vulnerabilities catalogue and urging rapid patching.
Taken together, these incidents show that “put the VPN and admin panel on the firewall and expose it to the internet” is a fragile pattern that attackers can break over and over again, across multiple brands.
Your VPN is your front door
An SSL VPN on the firewall is essentially a web-based "front door" into your internal network, used by employees and suppliers to work remotely. It is supposed to be a secure tunnel, but it carries the following risks:
- Single chokepoint: The firewall is both your outer wall and your main gate, so an attacker who compromises the VPN or admin login lands directly inside the network defences with a path to your core systems.
- Always-on exposure: SSL VPN and management interfaces are often reachable 24/7 from anywhere, so an attacker can keep trying passwords or exploiting vulnerabilities around the clock until something works.
- Legacy credentials and password reuse: As the FortiBleed campaign shows, attackers no longer need to guess passwords. They reuse credentials from earlier breaches and infostealer logs and pair them with powerful cracking setups, so a "complex password" policy offers little protection against a password that has already leaked.
- Patch gaps: Even when vendors release patches quickly, many customers lag behind on updates, leaving known flaws open for months, and attackers actively exploit that window.
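The first two risks above are visible in a device's own configuration. As an added example (not code from the article or from Fortinet), the script below parses a FortiOS-style configuration extract and flags management services exposed on a WAN interface, administrator accounts with no trusted-host restriction, no two-factor authentication, and an explicitly weakened login-lockout policy. The setting names it checks (allowaccess, role, trusthost1, two-factor, admin-lockout-threshold, admin-lockout-duration) are real FortiOS settings; the hostnames, addresses and account names in the sample are constructed, and the parser only handles the one level of config/edit nesting used in that sample.

```python
import shlex

# Constructed FortiOS-style configuration extract (values and names made up for this example).
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC <redacted>
    next
    edit "ops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set password ENC <redacted>
    next
end
"""

# Any of these reachable on an interface with role "wan" is a management surface on the internet.
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp"}

def parse_fortios(text: str) -> dict:
    """Parse 'config / edit / set / next / end' text into {section: {entry: {setting: [values]}}}.
    Settings directly under a section (no 'edit', e.g. 'config system global') go under entry "".
    Handles the single nesting level used in SAMPLE_CONFIG, not nested 'config' blocks inside an 'edit'."""
    tree, section, entry = {}, None, ""
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            section, entry = " ".join(args), ""
            tree.setdefault(section, {})
        elif cmd == "edit":
            entry = args[0]
            tree[section].setdefault(entry, {})
        elif cmd == "set":
            tree[section].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            section, entry = None, ""
    return tree

def audit(tree: dict) -> list[str]:
    """Return one finding string per risky setting."""
    findings = []
    for name, iface in tree.get("system interface", {}).items():
        exposed = sorted(MGMT_SERVICES & set(iface.get("allowaccess", [])))
        if iface.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: management services {exposed} reachable from the internet")
    for name, admin in tree.get("system admin", {}).items():
        if not name:
            continue
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(f"admin {name}: no trusthost restriction, can log in from any source address")
        if admin.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: no two-factor authentication, a stolen or cracked password is enough")
    # A config dump omits settings left at their defaults, so only an explicit weakening is flagged here.
    glob = tree.get("system global", {}).get("", {})
    if int(glob.get("admin-lockout-threshold", ["0"])[0]) > 5:
        findings.append("global: admin-lockout-threshold raised above 5, password guessing is barely throttled")
    if "admin-lockout-duration" in glob and int(glob["admin-lockout-duration"][0]) < 60:
        findings.append("global: admin-lockout-duration below 60 seconds, lockout is too short to matter")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

On the sample this reports three findings: wan1 exposes HTTPS and SSH to the internet, and the built-in "admin" account has neither a trusted-host restriction nor two-factor authentication, which is exactly the combination a stolen credential list needs. The "ops" account, restricted to an internal subnet and protected by a token, produces nothing.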
How to address this in your organisation
Check whether your organisation appears on the list of affected domains, and immediately rotate all passwords associated with Fortinet VPN and administrative interfaces. Rotating passwords alone does not evict an attacker who has already used them, so also review the device's administrator accounts and active sessions for anything you did not create.
The recurring lesson is that putting remote access directly on the network perimeter is no longer fit for purpose in 2026. Modern approaches shift from "protect the network edge" to "protect the user and their identity, wherever they are", which is where Secure Access Service Edge (SASE) and identity-centric models come in.
Remote users connect through cloud-based secure access platforms rather than directly to the firewall, reducing the attack surface on on-premises devices. Access is tied to the individual user and device, with multi-factor authentication, device posture checks and continuous monitoring, making stolen passwords much less useful on their own.
Instead of giving broad network access once someone is “inside,” SASE and related architectures grant only the minimum access needed for specific applications and continuously re-evaluate trust.
“Identity is the new perimeter” means that the primary boundary is no longer the corporate firewall. It is the combination of who you are, what device you use, and how that access is governed and monitored over time.
Identity Threat Detection and Response (ITDR) focuses on spotting and stopping misuse of identities - user accounts, admin accounts, service accounts - before attackers can fully exploit them. In the context of FortiBleed-style campaigns, ITDR can:
- detect unusual VPN and admin logins (for example from new locations, at strange times, or with suspicious patterns) and trigger additional checks or blocks,
- catch lateral movement when attackers reuse cracked passwords to access directories, databases or cloud services, and
- help contain spread by automatically revoking or rotating credentials when compromise is suspected.
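The first two ITDR capabilities above reduce to rules over the firewall's own logs. As an added example (not code from the article, from Fortinet, or from any ITDR product), the script below runs three such rules over a constructed sample modelled on FortiOS key=value syslog: one source address failing against several accounts and then succeeding (the credential-stuffing signature of a FortiBleed-style campaign), a successful VPN login from a country the user has never used, and an administrator login outside working hours or from an address already seen stuffing the VPN. The users, addresses and timestamps are made up, and the GEOIP table and per-user BASELINE dictionary stand in for a real GeoIP lookup and a 90-day login history.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log modelled on FortiOS key=value syslog. A real feed carries many
# more fields (log IDs, reasons, tunnel IDs); only the ones the rules need are shown.
SAMPLE_LOG = """\
date=2026-06-20 time=02:11:03 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=198.51.100.23
date=2026-06-20 time=02:11:05 type="event" subtype="vpn" action="ssl-login-fail" user="akumar" remip=198.51.100.23
date=2026-06-20 time=02:11:08 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=198.51.100.23
date=2026-06-20 time=02:11:12 type="event" subtype="vpn" action="ssl-login-fail" user="dpatel" remip=198.51.100.23
date=2026-06-20 time=02:11:20 type="event" subtype="vpn" action="tunnel-up" user="dpatel" remip=198.51.100.23
date=2026-06-20 time=03:40:09 type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.23
date=2026-06-20 time=09:30:00 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=203.0.113.77
"""

# Stand-ins for a GeoIP lookup and a per-user location baseline (both constructed).
GEOIP = {"198.51.100.23": "BR", "203.0.113.77": "GB"}
BASELINE = {"jsmith": {"GB"}, "akumar": {"GB"}, "mlee": {"GB"}, "dpatel": {"GB"}}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line: str) -> dict:
    """Split a key=value line into a dict and attach a datetime under "ts"."""
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields

def detect(log_text: str, window: timedelta = timedelta(minutes=5), min_users: int = 3) -> list[dict]:
    """Run the three rules over the log text and return alerts in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    alerts, fails_by_ip, stuffing_ips = [], defaultdict(list), set()
    for e in events:
        if e.get("subtype") == "vpn":
            ip = e["remip"]
            if e["action"] == "ssl-login-fail":
                fails_by_ip[ip].append((e["ts"], e["user"]))
            elif e["action"] == "tunnel-up":
                # Rule 1: one source fails against several accounts inside the window, then gets in.
                recent = {user for ts, user in fails_by_ip[ip] if e["ts"] - ts <= window}
                if len(recent) >= min_users:
                    stuffing_ips.add(ip)
                    alerts.append({"rule": "credential_stuffing", "remip": ip,
                                   "failed_users": sorted(recent), "success_user": e["user"]})
                # Rule 2: successful login from a country this user has never logged in from.
                country = GEOIP.get(ip, "unknown")
                if country not in BASELINE.get(e["user"], set()):
                    alerts.append({"rule": "new_location", "user": e["user"], "remip": ip, "country": country})
        elif e.get("subtype") == "system" and e.get("action") == "login" and e.get("status") == "success":
            # Rule 3: admin login outside working hours, or from an address already flagged by rule 1.
            reasons = []
            if e["ts"].hour < 6:
                reasons.append("outside working hours")
            if e.get("srcip") in stuffing_ips:
                reasons.append("source IP already seen credential stuffing the VPN")
            if reasons:
                alerts.append({"rule": "suspicious_admin_login", "user": e["user"],
                               "srcip": e["srcip"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the 09:30 login by jsmith from the user's usual country raises nothing, while the 02:11 sequence raises a stuffing alert naming all four probed accounts and the one that fell, a new-location alert for that account, and an admin login that is flagged on two counts at once. The third capability in the list, automatic revocation or rotation, would hang off the "suspicious_admin_login" and "credential_stuffing" alerts rather than off any single failed login.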
Given the speed at which new vulnerabilities and exploit paths are found, and the likely acceleration as AI-assisted tools and platforms emerge, requiring ITDR-class capabilities as a minimum standard looks like a prudent baseline rather than a "nice to have".
Further reading: Massive password-stealing attack hits 75k Fortinet firewalls
