Attackers Are Breaking Into Firewalls Using Old Passwords: Fortinet Devices Targeted Worldwide

Security researchers recently uncovered a massive database containing working login credentials for tens of thousands of Fortinet firewalls and VPN appliances across 194 countries. The campaign, now being called FortiBleed, isn’t exploiting a new software vulnerability. Instead, attackers are gaining access the simplest way possible: by logging in with passwords that organizations never changed.

Why Old Passwords Are a Major Cybersecurity Risk

That detail is the real story.

Your firewall serves as the barrier between the public internet and your business network. It protects sensitive assets including customer records, financial systems, email accounts, internal files, and critical infrastructure.

But if attackers already have the administrator password, the firewall itself becomes irrelevant.

How the FortiBleed Campaign Works

Researchers say attackers are scanning the internet for exposed Fortinet firewalls and VPN devices. Once discovered, they attempt to log in using credentials leaked during previous data breaches.

Unfortunately, many of those passwords still work.

Organizations often fail to rotate credentials after a breach, leaving old passwords active for months or even years. In many cases, compromised accounts include generic administrator logins or factory-default accounts that were never renamed or disabled.

The Attack Doesn’t Stop at Initial Access

Once attackers gain access to a firewall, they can turn it into a surveillance point inside the network.

Compromised devices may be used to:

– Capture additional credentials passing through network traffic
– Monitor user activity
– Establish persistent access
– Harvest passwords for future attacks
– Expand into other systems and networks

The result is a self-sustaining cycle where stolen credentials from one victim help compromise the next.

Fortinet’s Response

Fortinet has pushed back on some of the reporting around the incident.

The company states that the exposed credentials appear to be tied to older breaches and password-spraying activity rather than a newly discovered vulnerability. According to Fortinet, the campaign is not associated with any new security advisory or software flaw.

While that distinction matters technically, it offers little reassurance to organizations still using the same administrative credentials they set years ago.

The reality is simple: old passwords are the fuel powering this campaign.

How Many Devices Have Been Compromised?

The numbers continue to evolve.

SOCRadar initially reported more than 30,000 compromised devices before later revising the estimate upward. Other researchers, including cybersecurity expert Kevin Beaumont working alongside Hudson Rock, estimate the number could be closer to 75,000 internet-facing Fortinet firewalls.

Regardless of which figure proves most accurate, the takeaway is clear:

Tens of thousands of organizations may be vulnerable.

1. Rotate All Administrative Passwords
Change firewall administrator credentials and VPN account passwords, especially if they have not been updated recently.

2. Enable Multi-Factor Authentication (MFA)
MFA prevents attackers from gaining access with a stolen password alone.

3. Restrict Management Interface Access
Administrative portals should never be openly accessible from the public internet unless absolutely necessary.

4. Monitor Logs for Suspicious Activity
Look for:
– Logins from unfamiliar locations
– Access attempts outside normal business hours
– Repeated authentication failures
– Unexpected administrator activity
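
The four log checks listed above can be automated. The Python below is an added example, not code from Fortinet or from the researchers cited: it reads key=value style login events and flags each pattern. The field names, trusted subnet, working hours and failure threshold are assumptions to adapt to your own log export, and the sample lines are constructed.

```python
import shlex
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions to tune per site: management subnets, working hours, failure threshold.
TRUSTED_NETS = [ip_network("10.20.0.0/24")]
WORK_HOURS = range(8, 18)          # 08:00-17:59 local time, Monday to Friday
FAIL_THRESHOLD = 3

# Constructed sample events (not real logs); field names are assumed.
SAMPLE_LOG = """
date=2025-03-03 time=09:12:44 user="netops" srcip=10.20.0.15 action="login" status="success"
date=2025-03-04 time=02:41:07 user="admin" srcip=203.0.113.50 action="login" status="failed"
date=2025-03-04 time=02:41:09 user="admin" srcip=203.0.113.50 action="login" status="failed"
date=2025-03-04 time=02:41:12 user="admin" srcip=203.0.113.50 action="login" status="failed"
date=2025-03-04 time=02:41:15 user="admin" srcip=203.0.113.50 action="login" status="success"
"""

def parse(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def review(log_text):
    """Return (finding, user, source_ip) tuples for admin logins worth a look."""
    findings, failures = [], Counter()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse(line)
        if ev.get("action") != "login":
            continue
        user, src = ev["user"], ev["srcip"]
        if ev["status"] != "success":
            failures[src] += 1      # count per source to catch spraying across accounts
            continue
        when = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        if not any(ip_address(src) in net for net in TRUSTED_NETS):
            findings.append(("unfamiliar_source", user, src))
        if when.hour not in WORK_HOURS or when.weekday() >= 5:
            findings.append(("off_hours_login", user, src))
        if failures[src] >= FAIL_THRESHOLD:
            findings.append(("success_after_failures", user, src))
    findings += [("repeated_failures", "*", s) for s, n in failures.items() if n >= FAIL_THRESHOLD]
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

A successful login that follows a burst of failures from the same source is the strongest signal here, since it suggests a guessed or reused password finally worked.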

Basic Security Hygiene Still Matters

There is nothing sophisticated about the defenses needed to stop this campaign.

Password rotation, multi-factor authentication, restricted management access, and log monitoring are fundamental cybersecurity practices. Yet attackers continue to succeed because many organizations neglect these basics.

The FortiBleed campaign is betting that businesses skipped the fundamentals.

Don’t prove them right.

Is Your Firewall Exposed?

If you’re unsure when your firewall credentials were last changed, whether your management interface is publicly accessible, or if your organization has been exposed to credential theft, now is the time to find out.

A security posture assessment can quickly identify risks before attackers do.
