Cybercriminals allegedly hacked tens of thousands of Fortinet firewalls used by major companies all over the world

Brownie2019

Mar 9, 2019
Cybercriminals have compromised tens of thousands of Fortinet firewalls and VPNs used by major companies all over the world, according to two cybersecurity firms.

The widespread hacking campaign, which is ongoing and has been dubbed FortiBleed, appears to not involve abusing any unknown vulnerability in the targeted devices, but rather to rely on a more basic issue: Companies may not be changing passwords to the firewall, nor making sure that the credentials they use for sensitive systems exposed on the internet are not already known by hackers.

In this campaign, hackers are first using automated tools to scan the internet for exposed Fortinet firewalls and VPNs. Then, they are breaking into the devices thanks to lists of previously known passwords. At that point, the cybercriminals can steal more sensitive data from the victim companies, cybersecurity firms Hudson Rock and SOCRadar wrote in their reports that they published this week.

“Once a device is compromised, [the hackers] use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself,” SOCRadar wrote.

Fortinet spokesperson Tiffany Curci told TechCrunch that the company “is aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways.” Fortinet said that based on the company’s analysis, the data involved is “a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory.”

Hudson Rock said they found evidence that suggests more than 73,000 unique Fortinet URLs have been hacked, while SOCRadar said the total of hacked devices is more than 30,000.

According to Hudson Rock, the hacked companies include: Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC.

A Lenovo spokesperson acknowledged receipt of TechCrunch’s request for comment but did not respond. None of the other companies responded to a request for comment.

According to both Hudson Rock and SOCRadar, the countries with the most affected devices are India, the United States, Taiwan, and Mexico. But both companies say there are victims all over the world. As for industries, the most affected ones are IT services, construction materials, and telecommunications, according to Hudson Rock. Government agencies are also among the victims, per SOCRadar. Both cybersecurity companies said the group behind the hacking campaign appears to be Russian-speaking.

Hudson Rock and SOCRadar’s reports are based on the discovery of a list of credentials for Fortinet devices and associated companies. This hacking campaign was first reported by security researcher Bob Diachenko over the weekend. Independent cybersecurity researcher Kevin Beaumont said in a blog post on Wednesday that he analyzed the data and confirmed the data “is legit.”

In recent years, several hacking campaigns have targeted and compromised Fortinet devices, usually abusing vulnerabilities in those systems. Instead, in this case, the hackers are relying on leaked passwords, a simpler and less sophisticated attack.
This write-up is a good reminder that a lot of “device compromise at scale” happens without a new zero-day—stolen/reused credentials and weak exposure controls are often enough, especially for internet-facing VPN and firewall management.

What this likely means (at a high level)
Based on the description, the campaign flow is consistent with:
  • Internet-wide scanning for exposed Fortinet admin/VPN portals
  • Credential stuffing / reuse (and sometimes brute forcing) against those portals
  • Post-compromise traffic monitoring and credential collection to expand access

That can affect even fully patched devices if:
  • Admin/VPN passwords were reused, leaked previously, or are weak
  • Management interfaces are exposed broadly to the internet
  • MFA is not enforced for VPN/admin access

Practical defensive actions (Fortinet admins)
These are the safest, most broadly applicable steps to reduce risk quickly:

  • Rotate credentials for FortiGate admin accounts and all VPN users, and ensure they are unique (not reused anywhere else).
  • Enforce MFA for SSL-VPN/IPsec and for any administrative access. MFA significantly reduces the value of credential lists.
  • Restrict management exposure:
    • Disable admin GUI/SSH access from the WAN if at all possible.
    • If remote management is required, restrict by IP allowlist (“trusted hosts”) and/or require access via a management VPN/bastion.
  • Harden authentication:
    • Disable/limit local accounts where feasible; prefer centralized identity (RADIUS/LDAP/SAML) with MFA and strong policies.
    • Apply lockout/rate-limiting policies where supported to reduce online guessing.
  • Review logs and configuration for signs of misuse (unexpected admin logins, new accounts, changes to VPN portal settings, new firewall policies, new static routes/DNS settings, unfamiliar automation/API tokens, etc.).
  • Treat it as a potential incident if exposure existed: if the admin interface or VPN was internet-facing and credentials may have been reused, consider a controlled incident-response workflow (credential rotation, configuration audit, and verification that no persistence was added).
  • Keep firmware current anyway. Even if this specific activity is “credential-driven,” Fortinet devices have been heavily targeted via vulnerabilities in the past, so patching remains essential defense-in-depth.

How to validate risk without guessing
No one can determine from an article alone whether a specific organization/device is affected. The reliable way to proceed is:
  • Identify whether your Fortinet admin/VPN interfaces are (or were) internet-exposed
  • Check for credential reuse/leak exposure in your environment (password manager/IAM reports, internal audits, known leak monitoring)
  • Review device authentication logs for anomalous access and configuration changes
  • If there are concrete indicators, escalate internally (or to your IR provider/Fortinet support) and preserve logs before making major changes

Key takeaway
If Fortinet management/VPN is exposed to the internet, “unique strong credentials + MFA + restricted management access” is the baseline that prevents most credential-list campaigns from turning into a widespread compromise.
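As an added illustration of the "review device authentication logs" step above (example code, not from the forum post or from Fortinet), the script below walks constructed FortiGate-style key=value log lines and flags the pattern the article describes: one source failing against many different usernames, a success from that same source afterwards, and any successful admin login from outside an assumed trusted-host allowlist. The sample lines and the allowlist networks are constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in FortiGate's key=value syslog style (not real device output).
SAMPLE_LOGS = """\
date=2026-01-10 time=08:00:01 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-01-10 time=08:00:02 type="event" subtype="system" action="login" status="failed" user="backup" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-01-10 time=08:00:03 type="event" subtype="system" action="login" status="failed" user="fortinet" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-01-10 time=08:00:04 type="event" subtype="system" action="login" status="failed" user="vpnadmin" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-01-10 time=08:00:05 type="event" subtype="system" action="login" status="failed" user="itops" srcip=198.51.100.7 reason="passwd_invalid"
date=2026-01-10 time=08:00:09 type="event" subtype="system" action="login" status="success" user="itops" srcip=198.51.100.7 profile="super_admin"
date=2026-01-10 time=08:15:00 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.0.5.20 profile="super_admin"
date=2026-01-10 time=08:20:00 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" srcip=192.0.2.44 reason="sslvpn_login_permission_denied"
date=2026-01-10 time=08:21:00 type="traffic" subtype="forward" srcip=10.0.5.21 dstip=10.0.9.9 action="accept"
"""

# Assumed "trusted hosts" allowlist for admin access (constructed for the example).
TRUSTED_HOSTS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_line(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def analyze(text, trusted=TRUSTED_HOSTS, spray_threshold=5):
    """Return (kind, srcip, detail) findings for credential-list style activity."""
    tried = defaultdict(set)  # srcip -> usernames that failed from that source
    findings = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev.get("type") != "event" or "srcip" not in ev:
            continue  # only authentication events carry the signal we want
        src, user = ev["srcip"], ev.get("user", "?")
        action, status = ev.get("action", ""), ev.get("status", "")
        failed = status == "failed" or action.endswith("login-fail")
        succeeded = action == "login" and status == "success"
        if failed:
            tried[src].add(user)
            if len(tried[src]) == spray_threshold:  # report once, when the bar is crossed
                findings.append(("credential_spray", src, f"{spray_threshold} distinct users failed from one source"))
        elif succeeded:
            if len(tried[src]) >= spray_threshold:
                findings.append(("success_after_spray", src, f"user {user} logged in after failures against {sorted(tried[src])}"))
            if ev.get("subtype") == "system" and not any(ip_address(src) in n for n in trusted):
                findings.append(("admin_login_outside_trusted_hosts", src, f"admin user {user}"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOGS):
        print(f"{kind:36} {src:16} {detail}")
```

On real devices, feed it the exported event log (syslog or FortiAnalyzer export) and tune the allowlist and threshold to your environment; a success from a source that previously sprayed usernames is the line that should trigger the incident-response workflow described above.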