CISA issues alert on active threats emerging from FortiBleed data leak

A major security incident known as FortiBleed has exposed credentials linked to approximately 74,000 Fortinet devices, and attackers are already leveraging this data to compromise systems globally.

On June 18, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an urgent alert after the discovery of a large dataset containing login credentials for Fortinet firewalls and VPN gateways. The agency confirmed that malicious actors are actively using the leaked credentials to target internet-facing Fortinet appliances across both public-sector and private organizations worldwide.

The exposed data came to light when security researcher Bob Diachenko identified an unsecured server hosting what appeared to be valid Fortinet VPN credentials. The dataset included sensitive information such as usernames, email addresses, and plaintext passwords belonging to numerous organizations. Following further investigation, cybersecurity expert Kevin Beaumont, along with researchers from Hudson Rock, confirmed the authenticity and scale of the leak, linking it to tens of thousands of active devices.

Analysis revealed that the dataset likely originated from exported device configuration files rather than simple credential harvesting. This distinction is critical, as configuration exports contain deeper system-level information that typically requires direct access to the device itself. While the initial point of compromise remains unclear, it could be tied to previously known Fortinet vulnerabilities or potentially undisclosed attack methods.

Researchers verified that many of the credentials remain valid and usable, with the majority of affected devices still accessible online. The dataset appears to cover a significant portion of internet-exposed Fortinet infrastructure, greatly expanding the potential attack surface. In addition, exposed management interfaces on many devices further increase the risk of exploitation.

The data spans organizations across nearly 200 countries and includes thousands of domains, among them major corporations, government entities, and critical infrastructure operators. The scale and structure of the dataset suggest it was assembled with the intent of resale or coordinated exploitation, rather than for isolated use.

Further investigation uncovered that the attackers themselves left behind exposed infrastructure containing operational tools, logs, and scripts. This provided rare insight into their methods, revealing large-scale credential-cracking operations using high-performance GPU clusters. Billions of login attempts were reportedly conducted against Fortinet devices and other systems, including Microsoft SQL servers, indicating a highly organized and resource-intensive campaign.

In some confirmed cases, compromised systems allowed attackers to gain full administrative access, enabling them to manipulate firewall settings, move laterally within networks, and extract sensitive data. Reports also indicate incidents involving the theft of confidential information from targeted organizations.

The risk is compounded by weaknesses in how credentials are stored on some devices. While newer Fortinet firmware uses stronger hashing mechanisms, many systems continue to rely on older methods that are more vulnerable to brute-force attacks, especially when configuration files are exposed.

To help organizations assess their exposure, security firms have released tools for checking whether their domains appear in the leaked dataset. However, CISA stresses that proactive response is essential.

The agency recommends immediate action, including terminating all active sessions, resetting all administrative and VPN credentials, and enabling multi-factor authentication, preferably a phishing-resistant implementation. Organizations should also review logs for suspicious activity, upgrade to the latest firmware, and ensure that management interfaces are not unnecessarily exposed to the internet.

If any signs of unauthorized access are detected, organizations are advised to treat the system as fully compromised. In such cases, simply rotating credentials may not be sufficient, as attackers could have altered configurations or established persistent backdoor access.
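Reviewing firewall logs for the pattern this campaign produces (a burst of failed administrator logins followed by a success, or an administrator login from a source address that has never been used before) can be scripted. The example below is added here and is not from CISA, Fortinet or the researchers named above; the log lines are constructed and only loosely modelled on FortiGate key=value syslog, and the field names, failure threshold and allowlist of known admin sources are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on FortiGate key=value syslog.
# Field names, addresses and usernames are illustrative, not from a real device.
SAMPLE_LOG = """\
date=2025-06-18 time=09:01:10 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 action="login" status="failed"
date=2025-06-18 time=09:01:12 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.7 action="login" status="failed"
date=2025-06-18 time=09:01:15 type="event" subtype="system" logdesc="Admin login failed" user="fwadmin" srcip=203.0.113.7 action="login" status="failed"
date=2025-06-18 time=09:01:20 type="event" subtype="system" logdesc="Admin login successful" user="fwadmin" srcip=203.0.113.7 action="login" status="success"
date=2025-06-18 time=09:05:00 type="event" subtype="system" logdesc="Admin login successful" user="fwadmin" srcip=192.0.2.10 action="login" status="success"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyse(log_text, known_admin_sources, fail_threshold=3):
    """Return (source_ip, finding) tuples an analyst should look at.

    known_admin_sources: set of source IPs from which admin logins are expected
    (an assumed allowlist; build it from your own change records).
    """
    failures = defaultdict(int)  # failed admin logins seen per source IP
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("action") != "login" or rec.get("subtype") != "system":
            continue
        src = rec.get("srcip", "?")
        if rec.get("status") == "failed":
            failures[src] += 1
            if failures[src] == fail_threshold:  # report once per source
                findings.append((src, "repeated admin login failures"))
        elif rec.get("status") == "success":
            if failures[src] > 0:  # credential guessing that eventually worked
                findings.append((src, f"admin login succeeded after {failures[src]} failures"))
            if src not in known_admin_sources:
                findings.append((src, f"admin login for {rec.get('user')} from unknown source"))
    return findings
```

A hit on either success-path finding is the "sign of unauthorized access" the alert describes, where rotating credentials alone is not enough and the device should be treated as compromised.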

The FortiBleed incident highlights the significant risks posed by exposed credentials and underscores the importance of strong configuration management, timely updates, and robust access controls in securing critical network infrastructure.


Cybersecurity Insight delivers timely updates on global cybersecurity developments, including recent system breaches, cyber-attacks, advancements in artificial intelligence (AI), and emerging technology innovations. Our goal is to keep readers well-informed about the latest trends in technology and system security, and how these changes impact our lives and the broader ecosystem.