CISA Urges Hardening Fortinet Devices in Credential Exposure Response
CYBER — The Cybersecurity and Infrastructure Security Agency issued an alert on June 18 directing organizations to immediately terminate active sessions, reset administrative and Virtual Private Network passwords, and harden FortiGate appliances and Secure Sockets Layer gateways targeted in the FortiBleed credential exposure campaign.
The alert addresses cyber activity by threat actors involving leaked credentials for approximately 74,000 internet-accessible Fortinet devices, including firewalls and Virtual Private Network gateways used by government and private sector organizations worldwide, per the agency alert.
Independent researchers' estimates of the number of affected devices range from 73,932 to 75,000 across 194 countries.
Fortinet and FortiGate Overview
Fortinet is a major cybersecurity company headquartered in Sunnyvale, California. It develops and sells a broad portfolio of network security products, with its flagship FortiGate line of next-generation firewalls and Secure Sockets Layer Virtual Private Network gateways forming the core of many enterprise, government, and critical-infrastructure networks worldwide.
FortiGate appliances combine firewall, intrusion prevention, application control, and VPN capabilities in a single platform. Organizations deploy them to protect internet-facing connections, segment internal networks, and enforce remote-access policies.
Because FortiGate devices often sit at the perimeter and handle both inbound traffic and encrypted tunnels, they are high-value targets for credential-based attacks.
The widespread adoption of Fortinet products means that credential exposure on these devices carries outsized consequences.
A successful compromise can give attackers initial access into environments that control sensitive data flows, remote workforce connectivity, and operational technology segments.
In the FortiBleed campaign, threat actors leveraged leaked administrative credentials to target precisely this class of widely deployed appliances, underscoring why rapid credential rotation and interface hardening remain priorities for any organization running FortiGate or related Fortinet VPN solutions.
FortiBleed Campaign Scope and Methods
Threat actors extracted configuration files from internet-facing FortiGate devices and cracked stored administrator credential hashes through offline graphics processing unit cluster operations. This yielded verified working credentials for a substantial number of devices.
The campaign included more than 1.16 billion authentication attempts against over 320,000 FortiGate targets, according to researcher reports.
Attacker infrastructure contained organized databases of validated credentials segmented by country, sector, and organization revenue.
Many devices retained legacy salted Secure Hash Algorithm-256 hashes, which remain vulnerable to offline cracking.
Fortinet introduced Password-Based Key Derivation Function 2 hashing for administrator credentials in FortiOS versions 7.2.11, 7.4.8, and 7.6.1, yet full removal of weaker hashes requires administrators to log in after upgrades and apply specific password policy settings.
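The upgrade path described above, in which weaker hashes are only replaced once an administrator logs in again, is a standard rehash-on-login pattern. The following is an added illustration of that pattern in Python; it is not Fortinet's code and does not reproduce FortiOS storage formats. The record layout, the iteration count and the scheme labels are assumptions chosen for the example, and the legacy verifier is included only so that an existing record can be checked once before it is replaced.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed parameters for this illustration, not FortiOS values.
PBKDF2_ITERATIONS = 600_000
LEGACY_SCHEME = "sha256-salted"   # one salted SHA-256 pass: cheap to verify, cheap to guess
STRONG_SCHEME = "pbkdf2-sha256"   # iterated PBKDF2-HMAC: each guess costs many hash passes


@dataclass
class StoredCredential:
    scheme: str
    salt: bytes
    digest: bytes
    iterations: int = 0


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Single salted SHA-256 digest, standing in for the legacy scheme."""
    return hashlib.sha256(salt + password.encode()).digest()


def strong_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 digest, the scheme every record should end up on."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_legacy_record(password: str) -> StoredCredential:
    salt = os.urandom(16)
    return StoredCredential(LEGACY_SCHEME, salt, legacy_hash(password, salt))


def make_strong_record(password: str) -> StoredCredential:
    salt = os.urandom(16)
    return StoredCredential(STRONG_SCHEME, salt, strong_hash(password, salt), PBKDF2_ITERATIONS)


def verify_and_upgrade(record: StoredCredential, password: str) -> tuple[bool, StoredCredential]:
    """Check a login; on success against a legacy record, return a fresh PBKDF2 record.

    The caller persists the returned record, so a legacy hash disappears the
    first time its owner logs in. Until then it stays on disk, which is exactly
    why administrators are told to log in after upgrading.
    """
    if record.scheme == LEGACY_SCHEME:
        ok = hmac.compare_digest(record.digest, legacy_hash(password, record.salt))
        return (True, make_strong_record(password)) if ok else (False, record)
    if record.scheme == STRONG_SCHEME:
        ok = hmac.compare_digest(record.digest, strong_hash(password, record.salt, record.iterations))
        return ok, record
    raise ValueError(f"unknown scheme {record.scheme!r}")


def legacy_records_remaining(store: dict[str, StoredCredential]) -> list[str]:
    """Names of accounts still holding a legacy hash, i.e. the post-upgrade audit list."""
    return sorted(name for name, rec in store.items() if rec.scheme == LEGACY_SCHEME)


if __name__ == "__main__":
    # Constructed sample store: one account still on the legacy scheme.
    store = {"admin": make_legacy_record("correct horse"), "ops": make_strong_record("battery staple")}
    print("legacy before login:", legacy_records_remaining(store))
    ok, store["admin"] = verify_and_upgrade(store["admin"], "correct horse")
    print("login ok:", ok, "legacy after login:", legacy_records_remaining(store))
```

The audit helper is the piece worth keeping after a migration: it answers "which accounts have not logged in since the upgrade" directly, rather than assuming the upgrade alone rewrote every hash.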
No new Fortinet vulnerabilities were exploited. The operation relied on prior collection of configuration data followed by hash cracking.
Fortinet stated that “investigations of this type of campaign observed no exploitation of FortiGate vulnerabilities. Instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication. These attacks leveraged password spraying to gain initial access, a fairly common strategy.”
National cyber security agencies in other jurisdictions issued parallel alerts on the same date. The Hong Kong Computer Emergency Response Team alerted organizations that over 70,000 Fortinet devices were suspected to be affected by data and credential exposure.
The Canadian Centre for Cyber Security issued a cyber alert on the FortiBleed leak of thousands of compromised credentials.
CISA Recommendations
CISA urges impacted FortiGate and Secure Sockets Layer Virtual Private Network customers to take these steps without delay.
The vendor has stated that campaigns of this type would have been highly unlikely to succeed with password complexity policies enabled and impossible with multifactor authentication in place.
1. Terminate all active Secure Sockets Layer Virtual Private Network and administrative sessions. Reset all Fortinet Virtual Private Network and administrative passwords, especially on internet-facing systems, and enforce strong password policies.
2. Confirm use of the Password-Based Key Derivation Function 2 algorithm to store administrator credentials and remove weaker legacy hashes according to Fortinet guidance.
3. Review firewall, Virtual Private Network, authentication, and domain controller logs for signs of lateral movement, unusual access, suspicious accounts, or unauthorized configuration changes.
4. Require phishing-resistant multifactor authentication on all remote access and administrative accounts and enforce it on external gateways and administrative interfaces.
5. Ensure firewall administration remains inaccessible from the public internet, restrict Fortinet management interfaces to trusted internal networks, and remove or disable unauthorized or unnecessary accounts.
These steps align with Fortinet guidance on credential-based attacks. The guidance calls for organizations to prioritize these measures on all internet-facing systems.
What to Watch
Organizations should monitor the following indicators and developments in coming days.

- Exposure checks by organizations using the Hudson Rock FortiBleed domain lookup resources or the free SOCRadar FortiBleed Exposure Checker.
- Unusual VPN or administrative authentication attempts and configuration modifications on Fortinet devices after June 18.
- Indicators of follow-up activity such as ransomware or data exfiltration traced to compromised FortiGate appliances.
- Further Fortinet guidance or updates on credential storage or management interface restrictions.
- Network traffic or logs showing connections to the IP addresses 212.11.64.250 or 185.196.11.225, or creation of user accounts named fortiuser, fortinet-support, or fortinet-tech-support.
- Guidance and alerts issued by national cyber security agencies in jurisdictions with affected organizations, including follow-up from the Hong Kong Computer Emergency Response Team and the Canadian Centre for Cyber Security.
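The log review in CISA's third recommendation and the indicators listed above (the two IP addresses, the three account names, and the password spraying Fortinet describes) can be checked in one pass over exported device logs. The script below is an added example written for this article, not a Fortinet or CISA tool. It parses key="value" event lines in a simplified, constructed format that only loosely resembles FortiOS logging; the field names (`srcip`, `action`, `status`, `user`, `cfgobj`), the sample lines and the spraying threshold are assumptions, and the only values taken from the article are the indicator IPs and account names.

```python
import re
from collections import Counter, defaultdict

# Indicators named in the article.
IOC_IPS = {"212.11.64.250", "185.196.11.225"}
IOC_ACCOUNTS = {"fortiuser", "fortinet-support", "fortinet-tech-support"}

# Assumed tuning: this many failed logins from one source across
# several accounts is treated as spraying rather than a typo.
SPRAY_FAILURES = 5
SPRAY_DISTINCT_USERS = 3

# key=value or key="quoted value" pairs, the shape assumed for the sample lines.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict[str, str]:
    """Turn one key=value event line into a dict (quoted or bare values)."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def triage(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, finding_kind, detail) tuples; line_no 0 marks aggregate findings."""
    findings = []
    failed_by_src = Counter()
    users_by_src = defaultdict(set)

    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        src = ev.get("srcip", "")

        # Known attacker infrastructure touching the device at all.
        if src in IOC_IPS:
            findings.append((n, "known-ioc-ip", src))

        # Creation of one of the account names reported in the campaign.
        if ev.get("action") == "Add" and ev.get("cfgobj") in IOC_ACCOUNTS:
            findings.append((n, "ioc-account-created", ev["cfgobj"]))

        # Tally failed logins per source to surface spraying afterwards.
        if ev.get("action") == "login" and ev.get("status") == "failed" and src:
            failed_by_src[src] += 1
            users_by_src[src].add(ev.get("user", ""))

    for src, count in failed_by_src.items():
        users = users_by_src[src]
        if count >= SPRAY_FAILURES and len(users) >= SPRAY_DISTINCT_USERS:
            findings.append((0, "password-spray", f"{src}: {count} failures across {len(users)} accounts"))
    return findings


# Constructed sample log lines (not real device output); 203.0.113.10 is a
# documentation address standing in for a spraying source.
SAMPLE_LOGS = [
    'type="event" action="login" status="success" user="admin" srcip="10.0.0.5"',
    'type="event" action="login" status="failed" user="admin" srcip="203.0.113.10"',
    'type="event" action="login" status="failed" user="jsmith" srcip="203.0.113.10"',
    'type="event" action="login" status="failed" user="backup" srcip="203.0.113.10"',
    'type="event" action="login" status="failed" user="vpnuser" srcip="203.0.113.10"',
    'type="event" action="login" status="failed" user="svc-monitor" srcip="203.0.113.10"',
    'type="event" action="login" status="failed" user="root" srcip="203.0.113.10"',
    'type="event" action="login" status="success" user="admin" srcip="212.11.64.250"',
    'type="event" action="Add" cfgpath="system.admin" cfgobj="fortiuser" user="admin" srcip="212.11.64.250"',
]

if __name__ == "__main__":
    for line_no, kind, detail in triage(SAMPLE_LOGS):
        print(f"line {line_no or '-'}: {kind}: {detail}")
```

The three checks are deliberately separate so that a hit on a known IP or account name is reported even when it is the only event from that source, while the spraying detector needs volume and breadth before it fires; a single successful login from an indicator address is the finding that should trigger the session termination and credential reset steps above.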
Official Statements
The following statements from the agencies involved and from the vendor set out the official guidance on the incident and the recommended actions.
- CISA, June 18: “CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials. This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways.”
- CISA Cyber, June 18: “Reports of activity referred to as FortiBleed indicate malicious cyber activity targeting Fortinet FortiGate devices across government & private sector organizations. Review our Alert and take immediate action to protect your organization’s systems.”
- Fortinet, March 6: “During our investigation, we observed no exploitation of FortiGate vulnerabilities. Instead, this campaign succeeded by exploiting exposed management ports and weak credentials with single-factor authentication. These attacks leveraged password spraying to gain initial access, a fairly common strategy.”
- Hong Kong Computer Emergency Response Team (HKCERT), June 18: “HKCERT alerts organisations to a recent credential leakage incident known as FortiBleed. The incident involves the exposure of data and credentials related to Fortinet firewalls and VPN devices.”
- Canadian Centre for Cyber Security, June 18: “FortiBleed leak of thousands of compromised credentials impacting Fortinet devices”