CISA has issued an urgent alert after a credential leak dubbed FortiBleed exposed tens of thousands of Fortinet devices worldwide according to the agency. The exposure puts government and private networks at risk of immediate compromise.
The leak originates from misconfigured servers that dumped valid usernames and passwords for FortiGate firewalls and VPN gateways, with estimates ranging from 74 000 compromised devices reported by Security Affairs to as many as 86 000 cited by SecurityWeek. No CVE has been assigned to the issue, but the severity lies in the credential exposure itself.
Attackers are using the harvested credentials in a global brute‑force campaign, attempting to log into exposed management interfaces and pivot into internal networks. Security researchers have observed the credentials being tested against VPN portals and administrative consoles in real time.
Observations show a Russian‑speaking threat actor compiling the data and launching over a billion login attempts against FortiGate appliances, hitting organisations in more than 190 countries including critical infrastructure providers. The campaign appears to be automated, with attempts spread across multiple IP addresses to evade simple rate‑limiting.
The incident highlights how accidental exposure of management services can lead to large scale account compromise, reinforcing the need for strict network segmentation and regular configuration audits. Organizations that leave administrative interfaces reachable from the internet without additional protections are particularly vulnerable.
Defenders should immediately rotate all passwords for affected devices, enforce multi‑factor authentication on administrative access, restrict management interfaces to trusted IP ranges, and review authentication logs for anomalous activity. Promptly applying the latest firmware patches and disabling unused services further reduces the attack surface.