Skip to content

Fortinet Exploitation and Compromise Campaign FortiBleed - 20260618002

Overview

The WASOC has observed reports of a massive exploitation campaign being uncovered which targets Fortinet and FortiGate VPN devices. This campaign has been referenced as "FortiBleed".

What has been observed?

The report allges over 30,000 Fortinet firewalls have been compromised across 194 countries, equating to roughly 50% of all internet facing Fortinet firewall devices.

It is reported that the actor is gaining access via credential based attacks or extracting device configurations, allowing them to then brute force further credentials offline.

A common technique used by attackers is to systematically use previously leaked credentials to gain initial access.

Recommendation

The WASOC recommends administrators utilising Fortinet-based services perform the following:

  • Ensure appropriate cyber hygiene practices for credentials used with fotrtinets especially VPN services.
  • Investigate the identified system to determine if it is at-risk.
  • Ensure that your system is on the latest patch.
  • Review system logs for suspicious logins or failed authentication attempts.
  • Change your passwords for all admin and VPN accounts.
  • Ensure that two-factor authentication is enabled on all accounts.
  • The management interface on these devices should not be exposed to the internet.
  • If suspicious activity is detected, notify ASD and your relevant state/territory authority (where applicable).

Further Information

The WASOC recommends regularly monitoring the following resources for further information and further developements: