
CISA Warns: Logins and Passwords for Over 74,000 Fortinet Devices Found in Open Sources – Stay Vigilant!
One of the most dangerous trends observed in the cybersecurity landscape in recent years is not so much the exploitation of software vulnerabilities, but rather the increasing number of incidents where attackers infiltrate systems as legitimate users using stolen authentication credentials. It is precisely as one such threat that the FortiBleed incident is assessed, about which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning.
According to experts, as a result of this campaign, account credentials belonging to tens of thousands of Fortinet devices exposed to the Internet worldwide have been disclosed. This situation poses a direct threat to the security of government organizations, private sector enterprises, and critical information infrastructures.
What is FortiBleed?
FortiBleed is a cybersecurity incident involving the mass leakage of user accounts and authentication data belonging to various products of Fortinet. Specifically, data related to Internet-connected FortiGate firewalls and SSL VPN gateways has been compromised.
As a result of analysis conducted by cyber intelligence companies, credentials belonging to approximately 74,000 Fortinet devices have been discovered in various sources. By using this data, threat actors may gain access to systems under the guise of legitimate users.
Global Scope of the Threat
According to reports from cybersecurity organizations such as SOCRadar, Hudson Rock, and Arctic Wolf, the FortiBleed campaign has impacted organizations in more than 190 countries. The most concerning aspect is that a large portion of the affected devices are directly connected to the Internet, making them potential entry points for cybercriminals.
Today, many organizations use SSL VPN services to enable remote work capabilities. If usernames and passwords for these systems fall into the hands of third parties, bypassing firewalls and other security mechanisms becomes significantly easier.
Why Are Credential-Based Attacks Dangerous?
In traditional cyberattacks, criminals search for and exploit software vulnerabilities. In credential-based attacks, however, the situation is different. Here, attackers use already obtained logins and passwords.
As a result, they gain the ability to:
- access systems as legitimate users;
- escalate privileges (Privilege Escalation);
- move laterally across the network (Lateral Movement);
- steal confidential data;
- deploy malware;
- disrupt critical systems.
Therefore, credential leaks can often lead to more severe consequences than software vulnerabilities.
CISA-Recommended Protective Measures
In response to the FortiBleed threat, CISA recommends that all organizations immediately audit their Fortinet infrastructure and implement additional protective measures.
1. Terminate All Active Sessions
It is recommended to fully terminate all existing SSL VPN and administrator sessions on Fortinet devices. This will disrupt sessions that may be actively leveraged by attackers.
2. Change Passwords Immediately
Passwords for all user and administrator accounts associated with Internet-facing Fortinet devices must be updated immediately.
Passwords should:
- be complex;
- consist of at least 12–16 characters;
- include letters, numbers, and special characters;
- not be reused across other systems.
3. Use the PBKDF2 Algorithm
CISA recommends verifying that administrator credentials are protected using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm.
PBKDF2 is a modern hashing mechanism that provides additional protection against brute-force and dictionary attacks aimed at cracking passwords.
4. Analyze Logs
Organizations must carefully review log records from the following sources:
- firewall logs;
- VPN access logs;
- authentication logs;
- Active Directory and domain controller logs;
- administrator activity records.
The following signs may indicate compromise:
- logins from unknown IP addresses;
- authentications outside of business hours;
- creation of new accounts;
- changes to administrator privileges;
- unexpected changes in configuration files.
5. Implement Multi-Factor Authentication
One of the most effective ways to mitigate the threat is the use of Multi-Factor Authentication (MFA).
Even if a login and password are compromised, the additional authentication step will prevent the attacker from gaining access to the system.
6. Isolate Administrative Interfaces from the Internet
It is recommended not to leave the administrator panel and management interfaces of Fortinet devices openly accessible via the public Internet.
Access to administrative interfaces should be:
- restricted to internal networks only;
- conducted via VPN;
- limited to a list of trusted IP addresses.
An Important Lesson for Organizations
The FortiBleed incident has once again demonstrated that in modern cybersecurity, the primary risk is no longer limited solely to software vulnerabilities. Many successful attacks are now carried out precisely through poorly managed authentication data, weak passwords, or previously compromised credentials.
Therefore, organizations should pay special attention to the following areas:
- regular updating of credentials;
- implementation of MFA;
- minimizing services exposed to the Internet;
- continuous monitoring of security logs;
- increasing employee cybersecurity awareness;
- utilizing Threat Intelligence data.
The FortiBleed campaign serves as a serious warning to thousands of organizations. This incident has shown that cybercriminals are increasingly relying on stolen credentials and that perimeter security measures alone are insufficient to provide adequate protection.
Organizations using Fortinet devices must immediately audit their infrastructure, update all account credentials, implement multi-factor authentication, and strengthen network monitoring to detect suspicious activity. Otherwise, even a simple credential leak can lead to major data loss, service disruptions, or the complete compromise of the entire corporate network.



