The Sheffield Press


FortiBleed campaign compromises tens of thousands of Fortinet firewalls

By Mike Shaw

Tens of thousands of Fortinet firewalls and VPN gateways were drawn into a campaign that turned perimeter devices into entry points for corporate networks. Researchers said the operation, called FortiBleed, stretched across 194 countries and included organizations in the United States, India, Taiwan and Mexico, underscoring how a compromise at the network edge can ripple through major employers, contractors and public-facing systems.

The attacks did not appear to hinge on a newly discovered Fortinet flaw. Instead, the campaign relied on a blunt but effective method: scanning the internet for exposed devices and logging in with previously known or reused passwords. Once inside, the intruders used compromised firewalls as “listening posts,” monitoring traffic and collecting more credentials that could be used to move deeper into internal systems. That made the operation self-reinforcing, because newly harvested passwords could be fed back into the scanners to compromise even more devices.


Estimates of the campaign's scale varied between the two research firms that tracked it, but both pointed to broad exposure. Hudson Rock cited evidence suggesting more than 73,000 unique Fortinet URLs had been hacked. SOCRadar said its research identified 30,791 compromised Fortinet firewalls and VPN gateways, along with 21,108 unique IPs and 8,316 unique domains in the dataset. SOCRadar said the attacker infrastructure included tools, automation scripts and a database of verified working credentials, suggesting an organized campaign rather than isolated opportunistic break-ins.

The list of affected organizations showed how widely one common edge device can spread risk. Named companies included Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens and PwC. In practice, a firewall or VPN appliance is not just another box in a rack. It is the gatekeeper for remote access, internal traffic and, in many cases, the first line of defense for critical operations. When that gatekeeper is compromised, the attacker can quietly watch traffic and expand access without setting off the alarms tied to more obvious malware outbreaks.


For security teams, the warning signs are familiar but easy to miss: internet-facing Fortinet devices, old passwords still in circulation, unexpected administrative logins and traffic patterns that suggest a firewall is being used to observe rather than block. Multi-factor protection, access reviews and credential rotation remain basic defenses, especially on perimeter systems that are exposed to the public internet.
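One way to turn the warning signs above into a concrete check is to review the firewall's administrative login records for two patterns that fit a credential-guessing campaign: a success that follows a burst of failures from the same source, and any successful admin login from outside the management network. The example below is added here and is not code from the article, Fortinet or the researchers; the log lines are constructed in a simplified key=value style (an assumption, not Fortinet's real log format), and the management range and thresholds are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value syslog style (an
# assumption for this example, not Fortinet's actual log format).
SAMPLE_LOGS = """\
date=2024-03-01 time=10:00:01 user=admin srcip=203.0.113.7 status=failed
date=2024-03-01 time=10:00:03 user=admin srcip=203.0.113.7 status=failed
date=2024-03-01 time=10:00:05 user=admin srcip=203.0.113.7 status=failed
date=2024-03-01 time=10:00:09 user=admin srcip=203.0.113.7 status=success
date=2024-03-01 time=11:30:00 user=netops srcip=10.0.0.5 status=success
date=2024-03-01 time=12:15:42 user=admin srcip=198.51.100.22 status=success
"""

# Sources from which admin logins are expected (assumed management subnet).
ALLOWED_PREFIXES = ("10.0.",)
FAIL_THRESHOLD = 3            # failures before a success that look like guessing
WINDOW = timedelta(minutes=5)  # how far back failures count toward the threshold

LINE_RE = re.compile(r"date=(\S+) time=(\S+) user=(\S+) srcip=(\S+) status=(\S+)")

def parse(log_text):
    """Yield (timestamp, user, srcip, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d, t, user, ip, status = m.groups()
            yield datetime.fromisoformat(f"{d} {t}"), user, ip, status

def find_suspicious_logins(log_text):
    """Return (reason, user, srcip) tuples for admin logins worth reviewing."""
    findings = []
    recent_failures = defaultdict(list)   # srcip -> timestamps of failed logins
    for ts, user, ip, status in parse(log_text):
        if status == "failed":
            recent_failures[ip].append(ts)
            continue
        # Keep only failures inside the window, then look for guess-then-success.
        fails = [f for f in recent_failures[ip] if ts - f <= WINDOW]
        recent_failures[ip] = fails
        if len(fails) >= FAIL_THRESHOLD:
            findings.append(("success after repeated failures", user, ip))
        # Any success from outside the management range is unexpected.
        if not ip.startswith(ALLOWED_PREFIXES):
            findings.append(("login from outside management range", user, ip))
    return findings

if __name__ == "__main__":
    for reason, user, ip in find_suspicious_logins(SAMPLE_LOGS):
        print(f"{reason}: user={user} srcip={ip}")
```

On the constructed sample, the first source trips both rules and the last trips only the management-range rule, while the internal netops login passes; in practice the same logic belongs in the SIEM fed by the firewall's exported logs rather than in an ad hoc script.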


Fortinet said it was aware of a third-party credential-harvesting campaign and believed the material involved looked like reshared data from earlier incidents combined with brute-forcing rather than a new incident or advisory. The company’s PSIRT process exists to receive, investigate and publicly report security issues, but FortiBleed points to a wider shift in enterprise attacks: criminals are increasingly exploiting exposed edge devices and stolen credentials, not just new bugs, and that makes routine hardening as important as patching.
