Leftclick AG | Binningerstrasse 95 | CH-4123 Allschwil | T +41 61 483 14 14 | www.leftclick.ch

FortiBleed Exposes Credentials for About 74,000 Fortinet Devices

June 19, 2026

FortiBleed is not a routine patch notice. Security researchers and multiple specialist publications report a large leak of Fortinet and FortiGate credentials affecting around 74,000 firewall and VPN targets worldwide. BleepingComputer cites 73,932 firewall URLs, while Help Net Security reports that credentials from configuration files of nearly 74,000 Fortinet firewalls and VPN gateways were stolen.

For businesses, the key point is simple: if VPN or administrator passwords are still valid, attackers do not need a new vulnerability. They can try to log in like a legitimate user. A patched firewall does not automatically protect a company if the front-door key has already been stolen.

Why FortiBleed is not a normal CVE story

Many security alerts follow a familiar pattern: vulnerability, CVE number, install the patch. FortiBleed does not fit neatly into that model. Several sources describe it primarily as a large-scale credential exposure or credential-harvesting incident, not as one newly confirmed Fortinet software flaw. CybelAngel puts it bluntly: “No CVE, no patch — just 75,000 open doors.”

That does not mean updates are optional. Fortinet devices should be running supported, current versions. But if credentials have been compromised, patching alone is not enough. Passwords, local administrator accounts, VPN users, API keys, shared secrets, and potentially other configuration values must be reviewed and rotated.

The UK’s National Cyber Security Centre has urged organisations using Fortinet services to take action following global targeting of firewalls and VPN gateways. BleepingComputer also reports that CISA warned Fortinet customers to secure their devices after nearly 74,000 firewall and VPN credentials were exposed.

What attackers can do with these credentials

FortiGate firewalls and SSL VPN gateways often sit at the edge of a company network. They decide who can connect remotely, which rules apply, and how internal systems are reached. That makes stolen Fortinet credentials especially dangerous.

With valid VPN credentials, an attacker can attempt to enter the network as if they were an employee. The usual next steps are reconnaissance, stealing more credentials, moving laterally across the network, attacking backups or security tools, and exfiltrating data. In many ransomware incidents, abused VPN access is the first step.

Administrator access to the firewall is even more serious. A firewall administrator can change rules, create accounts, alter VPN settings, affect logging, or establish hidden access. That does not just affect one appliance; it affects the company’s security boundary.

The reported scale

The numbers vary slightly, but they point to the same order of magnitude. BleepingComputer reports 73,932 firewall URLs. CSO Online and Network World report around 75,000 affected Fortinet firewalls and organisations across 194 countries. Bitsight describes the incident as one of the largest known Fortinet security incidents to date.

The nuance matters: appearing in a dataset does not automatically prove that every organisation was fully breached or that every password still works. But it is enough to treat the situation as a possible compromise. Potentially affected organisations need to review not only the firewall, but also evidence of follow-on activity inside the network.

Why Swiss SMEs should pay attention

Fortinet devices are widely used in SME and mid-market environments. Many Swiss companies do not operate their firewalls directly; they receive them through an IT service provider or managed service provider. Business owners may not know whether Fortinet is in use, whether the admin interface is exposed to the internet, whether VPN access requires MFA, or how long logs are retained.

That is why FortiBleed is a test of operational security. A serious response is not “we patched it.” It should show which devices were checked, which credentials were rotated, whether suspicious logins were found, and whether internal systems were examined for follow-on activity.

For fiduciary firms, medical practices, law offices, manufacturers, schools, construction companies, and local service providers, a compromised VPN login can be severe. Customer data, HR files, contracts, email, file servers, and ERP systems often sit only a few steps behind the firewall.

What needs to be checked now

Organisations and IT providers should treat this as a credential incident. The most important actions are:

1. Inventory Fortinet exposure: Identify all Fortinet firewalls, FortiGate devices, and SSL VPN gateways.
2. Check exposed services: Determine whether VPN portals or admin interfaces are reachable from the public internet.
3. Rotate credentials: Change administrator passwords, local accounts, VPN user passwords, API keys, and shared secrets.
4. Enforce MFA: VPN and administrator access should not rely on passwords alone.
5. Remove stale accounts: Delete former employees, test accounts, and unused administrators.
6. Harden management access: Restrict admin portals to trusted IPs or a dedicated management VPN.
7. Review logs: Look for unusual VPN logins, foreign IPs, new accounts, rule changes, and failed login bursts.
8. Hunt internally: Check Active Directory, servers, endpoints, and backups for lateral movement or suspicious tools.
9. Document the response: Management, customers, insurers, or regulators may later ask what was checked and changed.

This list is deliberately broader than “update firmware.” Updates remain necessary, but stolen passwords are not invalidated by a software update.
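For step 7, a minimal log-review pass might look like the following. This is an added example, not code from the article or from Fortinet; the key=value field names (`status`, `user`, `remip`), the sample lines, and the trusted range are constructed assumptions to be mapped to your own log export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in a key=value layout. Field names (status, user, remip)
# and the trusted range are assumptions; map them to your own log export.
SAMPLE_LOG = """\
date=2026-06-10 time=08:01:12 action="login" status="success" user="a.meier" remip=192.0.2.10
date=2026-06-10 time=02:14:01 action="login" status="failure" user="admin" remip=198.51.100.23
date=2026-06-10 time=02:14:09 action="login" status="failure" user="admin" remip=198.51.100.23
date=2026-06-10 time=02:14:15 action="login" status="failure" user="admin" remip=198.51.100.23
date=2026-06-10 time=02:14:22 action="login" status="failure" user="admin" remip=198.51.100.23
date=2026-06-10 time=02:14:30 action="login" status="failure" user="admin" remip=198.51.100.23
date=2026-06-10 time=02:15:02 action="login" status="success" user="admin" remip=198.51.100.23
date=2026-06-11 time=03:40:55 action="login" status="success" user="vpn-test" remip=203.0.113.77
"""
TRUSTED_NETS = ["192.0.2.0/24"]  # constructed "office / management" range
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    rec = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def review(log_text, trusted_nets, burst=5, window=timedelta(minutes=10)):
    """Return (finding, remote_ip, user, timestamp) tuples in time order."""
    nets = [ip_network(n) for n in trusted_nets]
    fails = defaultdict(list)  # remote IP -> recent failure timestamps
    findings = []
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip, user, ts = rec["remip"], rec["user"], rec["ts"]
        fails[ip] = [t for t in fails[ip] if ts - t <= window]
        if rec["status"] == "failure":
            fails[ip].append(ts)
            if len(fails[ip]) == burst:  # report once when the threshold is hit
                findings.append(("failed-login-burst", ip, user, ts))
        elif rec["status"] == "success":
            # A leaked password works first try, so location matters more than failures.
            if not any(ip_address(ip) in net for net in nets):
                findings.append(("login-from-unexpected-network", ip, user, ts))
            if fails[ip]:
                findings.append(("success-after-failures", ip, user, ts))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, TRUSTED_NETS):
        print(*finding, sep="  ")
```

The last sample line is the case that matters most for a credential leak: a single successful login from an unexpected network with no failures before it, which a burst-only rule would miss.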

What IT providers should be able to prove

A managed service provider should be able to provide concrete evidence after FortiBleed:

  • a list of all managed Fortinet devices
  • firmware versions and support status
  • internet-facing services
  • MFA status for VPN and administration
  • timing and scope of credential rotation
  • disabled or removed accounts
  • log review period and findings
  • suspicious activity found or ruled out
  • recommended next steps

If a provider responds only with general reassurance, companies should push harder. For firewalls and VPNs, trust is not enough; operational evidence matters.

Possible data protection consequences

An exposed VPN password is not automatically a notifiable data breach. But if attackers used it to access customer data, employee records, financial documents, email, contracts, or business files, it can quickly become a privacy and reporting issue. Swiss companies may need to consider the revised Federal Act on Data Protection, contractual notification duties, sector rules, and cyber-insurance requirements.

That is why log review and internal investigation are essential. Organisations need to answer whether credentials were merely exposed or whether unauthorised access actually occurred.

The real lesson

FortiBleed shows that perimeter security is not “set and forget.” Firewalls and VPNs are critical systems. They need current software, hardened configuration, MFA, clean account management, logging, and regular review.

It is also a reminder for SMEs that outsource security: outsourcing does not transfer responsibility. Ask your IT provider whether Fortinet is in use, whether FortiBleed checks were performed, which passwords were rotated, and whether logins were analysed. If those answers are unclear, the problem is not only Fortinet. It is governance.

Sources

  • UK NCSC — Advice following global targeting of Fortinet firewalls and VPN gateways
  • BleepingComputer — FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices
  • BleepingComputer — CISA warns Fortinet users to secure devices after FortiBleed leak
  • Help Net Security — 74,000 Fortinet firewall credentials exposed in FortiBleed data leak
  • CybelAngel — FortiBleed: 6 Things to Know About the Fortinet Credential Leak
  • CSO Online — FortiBleed campaign exposes 75,000 Fortinet firewalls worldwide
  • Bitsight — FortiBleed Security Alert: Fortinet VPN Credentials Exposed
  • S-RM — Cyber threat advisory: FortiBleed campaign against FortiGate firewalls