Key Points
- 75,000 devices exposed worldwide
- Older firmware stored admin passwords as SHA-256 hashes, which attackers cracked
- Immediate password rotation recommended
The story first appeared on www.networkworld.com. A campaign called Fortibleed has been found to expose tens of thousands of Fortinet firewalls worldwide. Researchers say attackers collected administrator credentials from configuration files and cracked them using weak hash algorithms. The list was discovered on a server controlled by a Russian-linked threat group. According to analysts, the attackers can log in remotely and change firewall settings, creating a persistent backdoor. The attackers used the list of stolen passwords to automate credential testing against devices across the globe. The compromised credentials were found in public Shodan scans.
What is changing
Attackers harvested credentials from many FortiGate devices and used them to gain remote access. 75,000 devices were identified as vulnerable across 194 countries. They exploited known weaknesses in older firmware and used automated scripts to crack the stolen passwords at scale. Legacy devices that have not been upgraded remain at higher risk.
Fortinet added PBKDF2 hashing in FortiOS 7.2.11, but an existing password is re-hashed with PBKDF2 only after its admin next logs in. The upgrade therefore converts stored hashes lazily, one successful login at a time, leaving many upgraded systems still holding the older SHA-256 style hashes for accounts that have not logged in since. Regular audits of admin accounts can help detect misuse early.
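The lazy upgrade described above, as an added illustration that is not Fortinet's code or storage format: the plaintext password is only available to the device at login, so a legacy SHA-256 record can be replaced with a PBKDF2 record only at that moment, and an audit that lists accounts still on the legacy format shows which admins have not logged in since the upgrade. The record formats, prefixes, iteration count and sample accounts are all constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hypothetical record formats (not FortiOS's):
#   legacy:   "sha256$<hex digest>"                   unsalted, one fast hash per guess
#   upgraded: "pbkdf2$<iterations>$<salt hex>$<dk hex>" salted, deliberately slow
LEGACY_PREFIX = "sha256"
PBKDF2_PREFIX = "pbkdf2"
PBKDF2_ITERATIONS = 600_000  # assumed cost; tune to your hardware


def legacy_hash(password: str) -> str:
    """The weak scheme: an unsalted SHA-256 that offline cracking tools test at very high rates."""
    return f"{LEGACY_PREFIX}${hashlib.sha256(password.encode()).hexdigest()}"


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """The upgraded scheme: per-user random salt plus an iterated key derivation."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, using constant-time comparison."""
    scheme, _, rest = stored.partition("$")
    if scheme == LEGACY_PREFIX:
        return hmac.compare_digest(legacy_hash(password), stored)
    if scheme == PBKDF2_PREFIX:
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Verify the login and, only on success, re-hash a legacy record with PBKDF2.

    A failed login or an account that never logs in keeps its weak hash: that is
    why upgrading firmware alone does not retire the SHA-256 hashes.
    """
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith(LEGACY_PREFIX + "$"):
        store[user] = pbkdf2_hash(password)
    return True


def legacy_accounts(store: Dict[str, str]) -> List[str]:
    """Audit helper: admin accounts whose stored hash is still the legacy format."""
    return sorted(u for u, h in store.items() if h.startswith(LEGACY_PREFIX + "$"))


def build_sample_store() -> Dict[str, str]:
    """Constructed sample: three admins, all created before the firmware upgrade."""
    return {
        "admin": legacy_hash("Spring2024!"),
        "backup-admin": legacy_hash("correct horse battery staple"),
        "svc-monitor": legacy_hash("monitor123"),
    }


if __name__ == "__main__":
    store = build_sample_store()
    print("Still on legacy hashes before any login:", legacy_accounts(store))
    login(store, "admin", "Spring2024!")
    print("Still on legacy hashes after admin logs in:", legacy_accounts(store))
```

The audit list is the part worth running after an upgrade: every account it returns should either be forced through a password change (which also writes a PBKDF2 record) or be disabled, because a stolen configuration backup taken before that point still yields a cheaply crackable hash.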
Why it matters
IT administrators need to rotate admin passwords and enforce MFA on management interfaces. They should block external access to the firewall UI until the credentials are changed, and review logs for unexpected configuration changes.
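One way to do the log review above, as an added example that is not from the original article or from Fortinet: parse event lines in a key=value style, keep only those that record a configuration change, and flag changes made from outside the expected management networks or that touch administrator accounts. The sample lines are constructed, and the field names used (logdesc, user, ui, cfgpath, cfgattr, action) are assumptions for illustration rather than a statement of the vendor's exact schema.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample events in a key=value line style. The third line shows the
# pattern the article warns about: an out-of-network login adding a new admin.
SAMPLE_LOGS = """\
date=2025-01-14 time=02:13:55 type=event subtype=system level=information logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" action="Edit" cfgpath="firewall.policy" cfgattr="action[deny->accept]" msg="Edit firewall.policy 7"
date=2025-01-14 time=09:02:10 type=event subtype=system level=information logdesc="Object attribute configured" user="netops" ui="https(10.0.5.12)" action="Edit" cfgpath="system.interface" cfgattr="description[->uplink]" msg="Edit system.interface port1"
date=2025-01-14 time=02:14:30 type=event subtype=system level=information logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" action="Add" cfgpath="system.admin" cfgattr="name[support2]" msg="Add system.admin support2"
date=2025-01-14 time=11:40:01 type=event subtype=system level=notice logdesc="Admin login successful" user="netops" ui="https(10.0.5.12)" action="login" msg="Administrator netops logged in successfully from https(10.0.5.12)"
"""

# Assumed allow-list of networks from which admins are expected to manage the device.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# key=value pairs, where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# source address embedded in a ui field such as https(203.0.113.77)
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict of fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def source_ip(ui: Optional[str]) -> Optional[str]:
    """Extract the client IP from a ui field, or None if absent."""
    m = UI_IP_RE.search(ui or "")
    return m.group(1) if m else None


def is_management_source(ip: Optional[str]) -> bool:
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def flag_config_changes(text: str) -> List[Dict[str, object]]:
    """Return configuration-change events that warrant a closer look, with reasons."""
    flagged = []
    for line in text.splitlines():
        ev = parse_line(line)
        if "cfgpath" not in ev:       # not a configuration change (e.g. a plain login)
            continue
        ip = source_ip(ev.get("ui"))
        reasons = []
        if not is_management_source(ip):
            reasons.append(f"source {ip} outside management networks")
        if ev.get("cfgpath") == "system.admin":
            reasons.append("administrator account changed")
        if reasons:
            flagged.append({
                "time": f"{ev.get('date')} {ev.get('time')}",
                "user": ev.get("user"),
                "ip": ip,
                "action": ev.get("action"),
                "cfgpath": ev.get("cfgpath"),
                "cfgattr": ev.get("cfgattr"),
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_config_changes(SAMPLE_LOGS):
        print(f"{hit['time']} {hit['user']}@{hit['ip']} {hit['action']} "
              f"{hit['cfgpath']} {hit['cfgattr']}: {'; '.join(hit['reasons'])}")
```

Run against exported event logs from the period before the password rotation, the two flagged lines are exactly what the article's scenario leaves behind: a policy flipped from deny to accept and a new admin account, both from an address no operator uses. Adding a new administrator from an unknown source is the change to act on first, since it survives rotating the original password.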
If passwords remain unchanged, attackers can achieve network compromise and modify security policies. This can lead to lateral movement across the corporate network and data exfiltration.