FortiBleed Campaign Exposes Administrative & VPN Credentials for Over 73,000 FortiGate Firewalls
What Happened — A threat group released a dataset containing ~73,932 valid administrative and SSL‑VPN credentials for Fortinet FortiGate firewalls spanning 194 countries. Researchers verified that many of the credentials are authentic and that a significant number of the firewalls remain reachable on the public Internet.
Why It Matters for Compliance & Audit Readiness
- The incident is a textbook example of a credential‑compromise scenario that SOC 2 Access Control (CC6.1) and Security Awareness policies are designed to prevent and evidence.
- Continuous monitoring of privileged‑account usage and proof of credential‑rotation provide defensible audit evidence that the organization is actively managing the risk highlighted by FortiBleed.
- Leveraging Verisq’s SOC2 Access Controls capability lets you capture real‑time logs of admin‑login activity, demonstrate MFA enforcement, and generate the evidence needed for a SOC 2 audit.
Who Is Affected — Government agencies, critical‑infrastructure operators, financial services firms, healthcare providers, manufacturers, and telecom carriers worldwide.
Recommended Actions
- Immediately verify whether any of your FortiGate devices appear in the disclosed list and rotate all admin/VPN passwords.
- Enforce multi‑factor authentication on all privileged accounts and restrict management‑plane access to trusted IP ranges or VPNs.
- Deploy continuous credential‑use monitoring and integrate logs into your SOC 2 evidence collection pipeline.
- Conduct a gap analysis against SOC 2 CC6.1 (Logical Access) and remediate any policy or technical deficiencies.
Source: Recorded Future – FortiBleed Campaign
Technical Notes
- Attackers performed >1 billion credential‑guess attempts against FortiGate interfaces and >2 billion attempts against MSSQL servers, then used a 45‑GPU Hashtopolis cluster to crack SSL‑VPN hashes offline.
- The leaked data likely originated from exported FortiGate configuration files, enabling offline password recovery without ongoing device access.
- Affected devices were running recent FortiOS versions but still exposed management interfaces to the Internet.