‹ ARCHIVE NB-L046 · .log · 2026·06

Fortinet's firewalls were handing over the very passwords they were meant to protect


A database is circulating with the passwords of around 74,000 Fortinet firewalls (the barrier that filters everything entering and leaving a network), spread across 194 countries and 21,632 domains. These are not attempts: they are 86,644 username-and-password pairs tested and confirmed as working, which, according to estimates cited by the specialist press, amounts to roughly half of all Fortinet FortiGate devices exposed to the internet. On 18 June, CISA, the United States government's cybersecurity agency, issued an alert urging anyone running these devices to reset every password immediately. The case has been named FortiBleed.

The detail that matters is not the number, however round it sounds. It is that nobody broke in. The firewall exists precisely to guard the door to the network, and it was the firewall that handed over the keys. And it was not because of some brilliant new flaw: it was because of a password stored weakly, inside a device everyone assumed was safe because it was "updated".

The attackers' exposed server was identified by researcher Volodymyr "Bob" Diachenko and analysed by firms such as SOCRadar and Hudson Rock. The data was organised by country, sector and even company size, ready to sell, and at least four organisations are already considered fully compromised. The list includes names such as Samsung, Mercedes-Benz, Toyota and AT&T, alongside public bodies in telecommunications, healthcare and finance. Behind the operation is a Russian-speaking, multi-operator group credited with roughly 1.16 billion access attempts against more than 320,000 Fortinet devices, plus another 2.1 billion against Microsoft SQL database servers. The hashed passwords they harvested were cracked on a 45-GPU cluster managed with Hashtopolis, a tool that splits that work across many machines in parallel.

How the firewall turned on the network

The mechanism is what makes this so uncomfortable. The attackers intercepted the encrypted tokens that prove the identity of anyone connecting over the VPN (the encrypted tunnel used to reach the network from outside). For years, Fortinet stored administrator passwords as plain SHA-256 hashes, a fast function that, once a configuration file has been stolen, can be brute-forced in little time, that is, by trying millions of guesses until one matches. The company has since moved to PBKDF2, a deliberately slow and far more resistant method, in FortiOS versions 7.2.11, 7.4.8 and 7.6.1. The catch is the migration: when you upgrade from an earlier version, the old password stays stored in the weak format until the administrator logs in with it again. As a result, thousands of "updated" devices kept the old safe sitting inside, untouched. There is even an option to wipe those leftovers, login-lockout-upon-weaker-encryption, that most people never switched on.
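To make the migration gap concrete, here is an added example (not Fortinet's code, and not its real storage format) of a hypothetical credential store that keeps legacy SHA-256 hashes until a successful login re-saves them as PBKDF2, with an audit that lists the accounts still in the weak format and a timing check that shows why the fast format cracks so quickly. The store, the two formats and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Hypothetical in-memory credential store standing in for a device config;
# the two storage formats are constructed for illustration, not Fortinet's own.
PBKDF2_ITERATIONS = 600_000  # deliberately slow; tune to your hardware

def hash_legacy(password: str) -> str:
    """Fast, unsalted SHA-256: the weak 'before' format."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()

def hash_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256: the slow 'after' format."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a password against either format with a constant-time compare."""
    if stored.startswith("sha256$"):
        return hmac.compare_digest(stored, hash_legacy(password))
    _, iters, salt, dk = stored.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(cand.hex(), dk)

def login(store: dict, user: str, password: str) -> bool:
    """Lazy migration: only a successful login re-saves a legacy hash as
    PBKDF2, so an upgraded device keeps the weak hash until then."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha256$"):
        store[user] = hash_pbkdf2(password)
    return True

def audit_weak_hashes(store: dict) -> list:
    """Accounts still in the fast format: check this, not the version banner."""
    return sorted(u for u, h in store.items() if h.startswith("sha256$"))

def crack_cost_ratio(password: str) -> float:
    """How many fast guesses fit in the time of one slow guess."""
    t0 = time.perf_counter()
    for _ in range(10_000):
        hash_legacy(password)
    fast = (time.perf_counter() - t0) / 10_000
    t0 = time.perf_counter()
    hash_pbkdf2(password)
    return (time.perf_counter() - t0) / fast
```

Running audit_weak_hashes right after an upgrade is the check that the version number alone does not give you: a device can report the new release while every admin account is still sitting in the fast format.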

The exact entry vector is still unconfirmed, but known and unpatched flaws in the FortiGate's own SSL VPN, such as CVE-2024-21762 (a serious flaw disclosed in February 2024 that allows code execution without any credentials at all), are the kind of door that gives access to this data. Once inside, the compromised firewall becomes a listening post: it watches the VPN traffic passing through it, collects the credentials of everyone connecting, and feeds them back to the attack engine to compromise still more devices. From there, the move is into the organisation's Windows network, aiming to reach the domain controller, the server that holds every account and password, and pull out the full database of those credentials. It is a machine that feeds itself.

Why this should keep you up at night

In any serious investigation, the first question is whether the chain of custody held, that is, whether the thing meant to safeguard the evidence was not itself tampered with. That is exactly what failed here. The device we trust most to watch the entrance was the one copying every key that passed through it. And the false sense of security did the rest: clicking "update" did not rotate the passwords, did not re-encrypt them, did nothing visible. Everything stayed the same underneath, with a "done" stamp on top.

And this is not some faraway problem. The FortiGate is among the most common devices on networks everywhere, from public administration to banking and healthcare, and national cybersecurity agencies regularly issue alerts about flaws in these very appliances. A council, a hospital or a company with its firewall exposed to the internet and never reconfigured since the last update is, right now, precisely on the target list these numbers describe.

What to do, right now

If you manage one of these devices, the order of business is clear:

  • Reset every administrative and VPN password, with absolute priority for those reachable from the internet.
  • Terminate all VPN and administrative sessions still open, to evict anyone already inside.
  • Force a fresh login after upgrading, so the password is re-saved as PBKDF2; on FortiOS 7.2 and 7.4, switch on login-lockout-upon-weaker-encryption, which clears the SHA-256 leftovers.
  • Require phishing-resistant two-step authentication on all administrative accounts.
  • Take the firewall's management interface off the public internet and keep it reachable only from inside.
  • Review the logs for unfamiliar access and accounts you do not recognise; at any suspicious login, assume the device is compromised and treat it as such.

The lesson of FortiBleed is not in the flaw nobody saw. It is in the trust nobody questioned. A firewall is not the castle; it is the gatekeeper. And a gatekeeper holding the whole ring of keys, whose lock nobody has changed in years, is the worst thing you can have at the entrance to your network.

Sources: CISA, SOCRadar, BleepingComputer, SecurityWeek.

#StaySafe
🙏🖖
