CISA Urges Immediate Fortinet Device Hardening Amid ‘FortiBleed’ Credential Exposure

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory calling on organizations to secure their Fortinet devices following the discovery of a large-scale credential exposure campaign, dubbed ‘FortiBleed.’ This campaign has compromised credentials associated with approximately 74,000 internet-facing Fortinet systems worldwide, including FortiGate firewalls and SSL VPN gateways.

Security researchers from firms such as SOCRadar, Hudson Rock, and Arctic Wolf have reported that the FortiBleed campaign spans over 190 countries, highlighting the global scale of the issue. Many of the affected devices were directly accessible from the internet, making them prime targets for attackers seeking initial access to networks.

The primary risk stems from attackers leveraging valid but compromised credentials to bypass traditional security controls. Once inside, threat actors can escalate privileges, move laterally across networks, and potentially deploy malware or exfiltrate sensitive data.

In response, CISA has strongly urged organizations using Fortinet products to take immediate defensive actions. Key recommendations include:

  • Terminating all active SSL VPN and administrative sessions.
  • Resetting all passwords associated with Fortinet devices, particularly those exposed to the internet, and enforcing strong password policies.
  • Securing credential storage by verifying that administrator credentials are protected using the Password-Based Key Derivation Function 2 (PBKDF2), a stronger password-hashing scheme than the legacy hashes it replaces. Older or weaker hashing mechanisms should be removed in line with Fortinet’s latest guidance.
  • Conducting thorough log reviews, including analyzing firewall logs, VPN access records, authentication logs, and domain controller activity for signs of suspicious behavior. Indicators such as unusual login attempts, unauthorized account creation, and unexpected configuration changes may signal compromise.
  • Enabling phishing-resistant multi-factor authentication (MFA) across all remote access points and administrative interfaces to add a layer of protection, even if credentials have already been exposed.
  • Reducing the attack surface by ensuring that Fortinet management interfaces are not exposed to the public internet. Access should be restricted to trusted internal networks, and any unnecessary or unauthorized accounts must be removed immediately.
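As an added illustration of the log-review step above (it is not part of the CISA advisory or this article), the following Python script applies the three indicators named there, repeated login failures, administrative logins from outside a trusted range, and administrator account creation, to a handful of constructed log lines. The key=value layout, field names such as `cfgpath`, and the trusted 10.0.0.0/8 range are assumptions, not a verified Fortinet log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified key=value syslog shape (assumption:
# not a verified Fortinet format); addresses are documentation ranges.
SAMPLE_LOGS = """\
type=event subtype=vpn action=ssl-login-fail user=jdoe remip=203.0.113.10
type=event subtype=vpn action=ssl-login-fail user=jdoe remip=203.0.113.10
type=event subtype=vpn action=ssl-login-fail user=jdoe remip=203.0.113.10
type=event subtype=vpn action=tunnel-up user=jdoe remip=203.0.113.10
type=event subtype=system action=login user=admin srcip=10.0.5.7 status=success
type=event subtype=system action=login user=admin srcip=198.51.100.23 status=success
type=event subtype=system action=Add user=admin cfgpath=system.admin cfgobj=svc_backup
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal management range
FAIL_THRESHOLD = 3  # failures per (user, source) before flagging

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_indicators(text):
    """Return (reason, record) pairs for events matching the advisory's indicators."""
    hits, fails = [], Counter()
    for rec in map(parse, text.splitlines()):
        if not rec:
            continue
        act = rec.get("action", "")
        if act == "ssl-login-fail":  # repeated VPN failures from one user/source
            key = (rec.get("user"), rec.get("remip"))
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:
                hits.append(("repeated VPN login failures", rec))
        elif act == "login" and rec.get("srcip") and not is_trusted(rec["srcip"]):
            hits.append(("admin login from untrusted address", rec))  # management exposure
        elif act == "Add" and rec.get("cfgpath") == "system.admin":
            hits.append(("admin account created", rec))  # unauthorized account creation
    return hits

if __name__ == "__main__":
    for reason, rec in find_indicators(SAMPLE_LOGS):
        print(f"{reason}: user={rec.get('user')} src={rec.get('srcip') or rec.get('remip')}")
```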

The FortiBleed campaign underscores the growing risk of credential-based attacks, particularly as threat actors increasingly rely on stolen login data rather than exploiting software vulnerabilities. It also highlights the importance of proactive security measures, including strong authentication, proper credential management, and continuous monitoring.

While no specific Common Vulnerabilities and Exposures (CVE) identifier has been directly tied to this campaign, the widespread nature of the credential exposure necessitates immediate and comprehensive action from all organizations utilizing Fortinet devices.

Organizations are advised to stay vigilant and implement the recommended security measures promptly to mitigate potential risks associated with the FortiBleed campaign.