Cybersecurity · June 20, 2026 · via Security Affairs

CISA flags FortiBleed hackers weaponizing leaked Fortinet credentials

The credentials for nearly 75,000 Fortinet firewalls and VPN gateways are now in the wild—and attackers are using them to breach systems worldwide. Cybersecurity agencies and researchers have confirmed that threat actors are actively exploiting the leaked data, which includes usernames, emails, and plaintext passwords for devices exposed online.

A leak that wasn’t supposed to happen

A misconfigured server left online exposed a treasure trove of Fortinet device configurations, revealing sensitive credentials for tens of thousands of organizations. Security researcher Bob Diachenko discovered the open server and shared findings on LinkedIn, noting that the dataset contained valid VPN credentials, including plaintext passwords. Independent analyst Kevin Beaumont later verified the data, confirming its authenticity and estimating it covered around 75,000 devices—nearly half of all Fortinet firewalls currently exposed to the internet.

Who’s at risk—and why this matters

The leaked credentials span 194 countries and include entries from major corporations like Foxconn, Samsung, Comcast, Siemens, and Lenovo, as well as government agencies and critical infrastructure operators. According to Hudson Rock’s analysis, the dataset includes 73,932 unique firewall URLs tied to 21,632 domains. Beaumont highlighted that in many cases, the FortiGate Management Interface itself remains directly accessible from the internet—a dangerous configuration that invites brute-force attacks and unauthorized access.

CISA has issued an emergency alert, warning organizations with exposed Fortinet devices to immediately review and secure their systems. The agency emphasizes that compromised credentials are being actively used to target both public and private sector networks, underscoring the urgent need for stronger access controls and prompt patching of any vulnerabilities linked to this incident.


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.
