Internet-facing firewalls and VPN gateways remain among the most valuable targets for attackers because they sit at the boundary between trusted enterprise environments and the public internet. When these devices are accessed with valid credentials, the incident can quickly move from perimeter exposure to internal compromise, lateral movement, credential theft, and operational disruption.
A large-scale campaign targeting Fortinet FortiGate appliances highlights this risk. Tens of thousands of devices have reportedly been affected, with attackers using credential stuffing, brute-force techniques, leaked passwords, and potentially legacy credential storage weaknesses to gain access to firewalls and VPN gateways across many countries and sectors.
For CISOs, CIOs, risk leaders, and infrastructure owners, the issue is not only whether a specific appliance has been compromised. The broader concern is whether perimeter security platforms are being governed with the same rigor as identity systems, privileged access, cloud control planes, and other high-impact assets.
Why This Campaign Matters
The campaign, commonly referred to as FortiBleed, has reportedly impacted 86,644 FortiGate devices. The activity is believed to involve Russian-speaking threat actors and is focused on internet-accessible Fortinet remote login endpoints.
The most concerning aspect is that the attackers are not relying solely on software exploitation. They are using valid credentials at scale. This changes the defensive challenge. A login using a real username and password may not trigger the same alerts as an exploit attempt, especially if organizations lack strong administrative monitoring, phishing-resistant multi-factor authentication, or strict management-plane access controls.
Credential data associated with the campaign shows a serious enterprise hygiene problem:
- Generic administrator accounts account for approximately 35% of compromised credentials.
- Built-in Fortinet system accounts account for about 28.3%.
- Organization-specific accounts represent around 36.7%.
This indicates that attackers are benefiting from both poor default-account governance and compromised credentials created by organizations themselves. In practical terms, some environments may still be using predictable account structures, weak or reused passwords, credentials exposed in previous incidents, or accounts that were never rotated after a known compromise.
Executive takeaway: This is not just a firewall issue. It is an identity, privileged access, configuration governance, and perimeter exposure problem.
How the Attack Works
The campaign appears to follow a highly automated, self-sustaining model.
Attackers first scan the internet for Fortinet remote login endpoints. Once those devices are identified, they use a custom tool to test known username and password combinations against them. These combinations may come from previous breaches, leaked credential sets, reused passwords, or weak administrative practices.
The attack chain can be summarized in two stages:
1. Attackers attempt a curated list of leaked or known Fortinet-related credentials against internet-facing devices.
2. After gaining access, they passively monitor traffic passing through the device to collect additional credentials, which can then be used to compromise more appliances.
This model is especially damaging because it can compound over time. Every successful login may provide access to additional credential material, configuration data, VPN access paths, directory integrations, or network intelligence.
The attackers reportedly verify credentials before adding them to a database of confirmed working logins. This creates a high-value inventory of valid access paths into enterprise environments.
Why Firewalls and VPN Gateways Are High-Impact Assets
Firewalls, VPN gateways, and secure access appliances are often treated as infrastructure rather than identity assets. That is a governance mistake. These systems frequently hold or process highly sensitive information, including:
- Administrative credentials.
- VPN user accounts.
- LDAP, Active Directory, or RADIUS integration credentials.
- Network topology and routing information.
- Security policies and segmentation rules.
- Logs showing authentication patterns and internal destinations.
- Remote access paths into production, cloud, corporate, and sometimes operational environments.
In banking and financial services, compromise of these systems may expose payment environments, customer platforms, fraud systems, and regulated data flows. In healthcare, it can affect remote access to clinical systems and patient data. In manufacturing, energy, transportation, and utilities, VPN and firewall compromise may create a path toward operational technology environments or remote maintenance channels. In public sector and critical infrastructure, the risk includes service disruption, sovereignty concerns, and regulatory escalation.
Operational impact: A compromised perimeter device can become both an entry point and an intelligence collection platform. Attackers may not need to deploy malware immediately if they can observe traffic, capture credentials, and quietly prepare lateral movement.
Legacy Credential Hashing Increases the Risk
One important technical factor involves how administrator credentials have historically been stored in FortiGate configuration files.
Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1. PBKDF2 is a stronger password-based key derivation function designed to make password cracking more resistant than older hashing approaches.
However, there is an important caveat: when organizations upgrade from earlier versions, existing administrator passwords may remain stored using legacy SHA-256-based hashing until the relevant administrator successfully logs in after the upgrade. As a result, some environments may believe they have upgraded to a safer version while still retaining older credential hashes for accounts that have not been refreshed through login or rotation.
For security leaders, this distinction matters. Version upgrades are necessary, but they may not be sufficient if legacy credential material remains in configurations.
Key point: Patch management must be paired with credential rotation and verification of cryptographic storage behavior. Otherwise, residual risk may remain after the technical upgrade is complete.
Immediate Actions for Security and Infrastructure Teams
Organizations using Fortinet FortiGate appliances should treat this as a priority exposure-management and incident-response task, especially where administrative or VPN interfaces are reachable from the internet.
Recommended actions include:
- Terminate all active SSL VPN and administrative sessions.
- Reset all Fortinet VPN and administrative passwords, particularly on internet-facing systems.
- Enforce strong password policies and eliminate password reuse across infrastructure platforms.
- Enable phishing-resistant multi-factor authentication on all external gateways and administrative interfaces.
- Upgrade to current supported FortiOS versions, including the latest releases in the 7.4, 7.6, or 8.0 branches where applicable.
- Ensure administrator credentials are stored using PBKDF2 and remove weaker legacy hashes.
- Review firewall, VPN, authentication, and domain controller logs for suspicious behavior.
- Inspect configurations for unauthorized changes, unexpected users, new accounts, policy modifications, or altered remote access settings.
- Audit for unexpected administrator access from unknown IP addresses.
- Monitor for lateral movement, unusual authentication patterns, and use of directory integration accounts outside expected contexts.
- Restrict external management access using trusted hosts, local-in policies, or, preferably, by removing internet-accessible administration entirely.
If the Fortinet environment integrates with Active Directory, LDAP, or another identity provider, any service account used for that integration should be treated as potentially compromised until validated. Security teams should monitor whether that account has been used elsewhere, whether new accounts were created, and whether authentication patterns suggest lateral movement.
Governance Lessons for CISOs and Risk Leaders
This incident reinforces several recurring lessons for cybersecurity programs.
First, perimeter appliances must be included in privileged access management and identity governance. Administrative accounts on firewalls and VPN gateways should be inventoried, monitored, protected with MFA, and reviewed regularly.
Second, internet-facing management interfaces should be the exception, not the norm. If remote administration is required, it should be limited to trusted sources, protected through strong authentication, logged centrally, and reviewed continuously.
Third, credential rotation must be operationalized after incidents, upgrades, staff changes, vendor access changes, and major configuration events. Organizations often patch devices but fail to rotate passwords, leaving valid credentials available to attackers.
Fourth, exposure management should validate not only vulnerabilities but also reachable services, weak authentication paths, default accounts, stale accounts, and administrative interfaces exposed to the internet.
Finally, logs from firewalls, VPN gateways, identity providers, and domain controllers must be correlated. A valid login to a perimeter device may be the first visible sign of a broader compromise.
What to Communicate to Executives
Security leaders should frame this issue in business terms:
- A compromised firewall or VPN gateway can provide direct access into critical environments.
- Valid credentials make detection harder than traditional exploit-based attacks.
- The risk spans availability, data protection, regulatory exposure, and operational continuity.
- Immediate remediation may require session termination, password resets, MFA enforcement, access restrictions, and configuration review.
- The longer exposed devices remain unremediated, the greater the chance of credential harvesting and lateral movement.
This is also an opportunity to strengthen governance around all edge and remote access technologies, not only Fortinet devices.
Building Resilience Beyond This Campaign
The practical response should combine urgent containment with long-term control improvement. Organizations should identify all internet-facing security appliances, confirm software versions, validate credential storage, rotate privileged credentials, enforce MFA, and remove unnecessary external management paths.
The larger lesson is clear: perimeter infrastructure is now part of the identity attack surface. Treating firewalls and VPN gateways as static network devices is no longer sufficient. They must be managed as privileged, business-critical control points whose compromise can affect resilience, compliance, customer trust, and operational continuity across the enterprise.