HomeIntelligenceBrief
BREACH BRIEF🟠 High Advisory

Global Credential‑Stuffing Campaign Leaks Fortinet Firewall and VPN Login Database

Threat actors have leaked a credential database after brute‑forcing FortiGate firewalls and SSL‑VPN portals. Organizations with internet‑exposed Fortinet devices must verify exposure and harden access controls – a scenario SOC 2 access‑control requirements are built to address.

LiveThreat™ Intelligence · 📅 June 19, 2026· 📰 ncsc.gov.uk
🟠
Severity
High
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
ncsc.gov.uk

Global Credential‑Stuffing Campaign Leaks Fortinet Firewall and VPN Login Database

What Happened — Threat actors have harvested a database of usernames and passwords after brute‑forcing, dictionary, and credential‑stuffing attacks against internet‑facing FortiGate firewalls and SSL‑VPN portals. The leaked credentials are being used to attempt unauthorized access to Fortinet edge devices worldwide, with early indications of impact in the UK.

Why It Matters for Compliance & Audit Readiness

  • The incident exemplifies a failure of access‑control hygiene that SOC 2 CC6 (Logical Access) is designed to prevent and evidence.
  • Continuous monitoring of privileged account activity and immutable log collection are essential to demonstrate due diligence during an audit.
  • Verisq’s SOC 2 Access‑Control capability provides automated evidence of credential‑change workflows, MFA enforcement, and anomalous login detection to satisfy audit requirements.

Who Is Affected – Organizations that deploy Fortinet firewalls or SSL‑VPN gateways, across sectors such as technology SaaS, financial services, healthcare, and government.

Recommended Actions

  • Run Hudson Rock’s FortiBleed Checker against all public‑facing Fortinet assets.
  • Verify device ownership and inspect logs for unauthorized account creation or unusual traffic.
  • If compromise is suspected, isolate the device, collect configuration and log artefacts, then perform a factory reset.
  • Harden re‑commissioned devices: remove internet‑exposed management interfaces, apply the latest firmware, retire out‑of‑support models, and enforce MFA for all admin accounts.
  • Update SOC 2 access‑control policies to require unique, high‑entropy passwords and regular credential rotation for network devices.

Source: NCSC UK advisory

Technical Notes – Attack vector: credential stuffing using leaked password sets; primary IoCs include new local accounts, anomalous VPN logins, and configuration changes not aligned with change‑management records. No specific CVE is cited; the risk stems from weak password reuse and exposed management interfaces. Source: NCSC advisory

📰 Original Source
https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →