The FortiBleed leak: Fortinet firewall and VPN credential leak exposes over 73000 devices

18 Jun 2026

SharkStriker’s Threat Intelligence researchers are monitoring reports of a large-scale campaign, commonly referred to as FortiBleed, involving the exposure and compromise of administrative credentials associated with Fortinet FortiGate firewalls and VPN gateways deployed across organizations worldwide.

Fortinet FortiGate appliances are widely used network security devices that provide firewall protection, VPN connectivity, intrusion prevention, web filtering, application control, and network segmentation capabilities. Because these devices sit at the perimeter of enterprise environments, they are considered high-value targets for cybercriminals and advanced threat actors.

Recent threat intelligence reporting indicates that attackers have obtained access to a significant number of Fortinet firewall configurations and associated administrative credentials. The exposed data appears to contain verified credentials capable of providing direct administrative access to affected devices.

In this blog, we explain what the FortiBleed threat is and the security actions organizations can take to prevent and respond to it.

About the threat

Vendor: Fortinet

Affected products:
  • FortiGate Firewalls
  • Fortinet VPN Gateways
  • FortiOS Administrative Interfaces
  • Internet-Facing Fortinet Management Portals

Threat type:
  • Credential exposure
  • Unauthorized administrative access

Severity: Critical

Environments potentially affected:
  • Organizations using FortiGate firewalls
  • Enterprises with internet-facing Fortinet management interfaces
  • Organizations providing remote VPN access through Fortinet devices
  • Managed Security Service Providers (MSSPs)
  • Government entities
  • Critical infrastructure operators
  • Telecommunications providers
  • Financial institutions
  • Healthcare organizations

How are attackers leveraging the FortiBleed leak?

Threat actors possessing valid administrative credentials may be able to authenticate directly to exposed Fortinet management interfaces and obtain privileged access to the device.

Once authenticated, attackers may gain the ability to modify security policies, create unauthorized accounts, alter VPN configurations, disable security controls, and potentially establish persistence within the environment.

Because the reported credentials are believed to be valid administrative credentials, exploitation may require minimal effort where management interfaces remain accessible.

Attackers can use the FortiBleed leak to:

  • Gain unauthorized administrative access
  • Manipulate firewall policy
  • Tamper with VPN configuration
  • Create backdoor administrator accounts
  • Bypass security controls in place
  • Monitor network traffic
  • Harvest credentials
  • Move laterally into internal environments
  • Establish mechanisms for persistence
  • Deploy ransomware
  • Exfiltrate data
  • Carry out cyber espionage campaigns
  • Disrupt operations

SharkStriker’s recommendations

To reduce the risk associated with the FortiBleed campaign, SharkStriker recommends implementing the following defensive measures:


Rotate Administrative Credentials Immediately

  • Reset all Fortinet administrative passwords and review credential management practices.

Enable Multi-Factor Authentication (MFA)

Require MFA for:

  • Administrative users
  • VPN users
  • Privileged accounts
  • Remote management access

Restrict Administrative Access

Implement additional security controls including:

  • VPN-only administrative access
  • IP allowlisting
  • Network segmentation
  • Dedicated management networks
  • Zero Trust access controls


Perform a Compromise Assessment

Review the following for evidence of unauthorized access:

  • Administrative login activity
  • Configuration change logs
  • User creation events
  • VPN access records
  • Security event telemetry
  • Firewall audit logs

Monitor for Suspicious Activity

Investigate for:

  • Unexpected administrator logins
  • New administrator accounts
  • Policy modifications
  • Security feature disablement
  • VPN configuration changes
  • Unusual outbound connections

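The log review described under the two sections above (administrative logins, new administrator accounts, policy and configuration changes) can be scripted over exported FortiGate event logs. The following is an added example written for this post, not SharkStriker or Fortinet code. The five log lines are constructed and imitate the key=value layout of FortiOS event syslog messages: logdesc, user, srcip, action, status, cfgpath, cfgobj and cfgattr are FortiOS field names, while the device name, addresses and timestamps are invented, and the trusted management network 10.10.0.0/24 is an assumption.

```python
"""Flag suspicious administrative activity in FortiOS-style event logs.

Constructed example: the log lines below are made up and follow the
key=value layout of FortiOS syslog event messages. Field names are the
ones FortiOS uses; device name, addresses and timestamps are invented.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample: a legitimate login, a login from an unknown source,
# a new administrator being added, a policy flipped to 'accept', and a failed login.
SAMPLE_LOGS = """\
date=2026-06-18 time=08:02:11 devname="FGT-EDGE" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.10.0.25)" srcip=10.10.0.25 action="login" status="success" msg="Administrator admin logged in successfully from https(10.10.0.25)"
date=2026-06-18 time=02:14:37 devname="FGT-EDGE" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="success" msg="Administrator admin logged in successfully from https(198.51.100.77)"
date=2026-06-18 time=02:15:02 devname="FGT-EDGE" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="GUI(198.51.100.77)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2026-06-18 time=02:16:40 devname="FGT-EDGE" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="GUI(198.51.100.77)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]" msg="Edit firewall.policy 12"
date=2026-06-18 time=03:00:09 devname="FGT-EDGE" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="failed" msg="Administrator admin login failed from https(198.51.100.77)"
"""

# Assumed: the management networks administrators are expected to log in from.
TRUSTED_MGMT_NETS = [ip_network("10.10.0.0/24")]

# Configuration paths whose modification warrants review during a compromise assessment.
SENSITIVE_CFGPATHS = {"system.admin", "firewall.policy", "vpn.ssl.settings", "system.interface"}

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS-style key=value log line into a dict."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def analyze(logs: str) -> List[str]:
    """Return alerts for admin logins from untrusted sources, new admin accounts and sensitive config changes."""
    alerts: List[str] = []
    for line in logs.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        when = f"{ev.get('date')} {ev.get('time')}"
        if ev.get("action") == "login" and "srcip" in ev:
            # Any admin login (successful or failed) from outside the management network
            src = ip_address(ev["srcip"])
            if not any(src in net for net in TRUSTED_MGMT_NETS):
                alerts.append(f"{when} admin login ({ev.get('status')}) by '{ev.get('user')}' from untrusted source {src}")
        elif ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            # A new administrator account is the classic backdoor after credential abuse
            alerts.append(f"{when} new administrator account '{ev.get('cfgobj')}' created by '{ev.get('user')}'")
        elif ev.get("cfgpath") in SENSITIVE_CFGPATHS:
            detail = ev.get("cfgattr", ev.get("msg", ""))
            alerts.append(f"{when} {ev.get('action')} on {ev['cfgpath']} {ev.get('cfgobj')} by '{ev.get('user')}': {detail}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print("ALERT:", alert)
```

Feed an exported log file to analyze() instead of SAMPLE_LOGS. The trusted networks should mirror the device's own trusted-host settings, and during the exposure window every system.admin addition and every policy or VPN change should be reconciled against change tickets rather than dismissed as routine.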

Validate Security Infrastructure

Review connected systems and integrations for signs of compromise, including:

  • SIEM platforms
  • Identity providers
  • VPN infrastructure
  • Endpoint security platforms
  • Security monitoring solutions

Strengthen Detection Coverage

Ensure monitoring solutions can detect:

  • Unauthorized administrative access
  • Privilege escalation activity
  • Configuration modifications
  • Suspicious authentication attempts
  • Persistence mechanisms
  • Lateral movement behavior

Maintain Continuous Monitoring

  • Organizations should maintain heightened monitoring of Fortinet infrastructure and administrative activity until security reviews and credential rotations have been completed.

SharkStriker’s SOC team has:

  • Reviewed publicly available threat intelligence related to the FortiBleed campaign.
  • Assessed potential risks associated with exposed Fortinet administrative credentials.
  • Evaluated likely attack scenarios involving perimeter security infrastructure.
  • Issued awareness guidance to support proactive risk reduction efforts.
  • Recommended enhanced monitoring and compromise assessment activities for organizations operating Fortinet devices.
  • Continued to monitor developments and emerging intelligence related to this campaign.
