
CISA has warned Fortinet customers to secure their FortiGate devices. The warning follows a large campaign called FortiBleed.
The campaign targets Fortinet devices that are exposed to the internet. These devices include firewalls and VPN gateways.
The risk is serious because FortiGate devices often protect the edge of a network. If attackers gain access, they may use the device as an entry point.
What Is FortiBleed?
FortiBleed is a cyber campaign that targets Fortinet firewalls and VPN gateways. The attackers use weak, leaked, or reused credentials.
First, they scan the internet for Fortinet login endpoints. Then, they test known username and password combinations.
If the login works, the attackers can monitor traffic. After that, they may collect more credentials and use them to attack other devices.
Why This Attack Matters
This campaign is dangerous because the attackers use valid credentials. As a result, their activity may look like normal login activity.
Also, many organizations still use default accounts. Some teams also forget to rotate old passwords.
In many cases, password reuse makes the problem worse. One leaked password can open access to several systems.
Most Affected Sectors
The campaign has affected many industries. Telecom, government, and education are among the top impacted sectors.
The exposure also appears across several countries. India, the United States, Mexico, Colombia, and Thailand are listed among the most affected locations.
However, the risk is not limited to those countries. Any organization with internet-facing FortiGate devices should review its security.
Weak Passwords Increase the Risk
FortiBleed shows that poor password hygiene remains a major issue. Attackers do not always need a complex exploit.
Instead, they can try leaked passwords. They can also use brute-force attacks, dictionary attacks, or credential stuffing.
Older password storage methods may also increase risk. Some upgraded systems may still keep older admin password hashes until the admin logs in again.
CISA’s Recommended Actions
CISA recommends several urgent steps. First, organizations should terminate all active SSL VPN and admin sessions.
Next, they should reset all Fortinet VPN and admin passwords. This is especially important for internet-facing systems.
Organizations should also enforce strong password policies. In addition, they should enable phishing-resistant MFA on external gateways and admin interfaces.
Fortinet’s Additional Guidance
Fortinet also recommends fast action. Teams should stop all admin and VPN sessions, then reset credentials.
After that, they should enable MFA. They should also upgrade FortiOS to the latest supported versions.
Access to management interfaces should be restricted. A safer setup uses trusted hosts, local-in policy, or no public internet admin access at all.
What IT Teams Should Check
IT teams should review firewall, VPN, authentication, and domain controller logs. They should look for suspicious logins and unauthorized changes.
They should also check for unknown admin accounts. Unusual access from unknown IP addresses should receive special attention.
If AD or LDAP integration is active, teams should treat related accounts as high risk. They should also monitor for lateral movement inside the network.
Key Takeaway
FortiBleed is a serious reminder for Fortinet customers. Firewalls and VPN gateways need strong protection.
Organizations should reset credentials, enable MFA, upgrade FortiOS, and restrict management access. They should also review logs for signs of compromise.
In the end, this campaign shows a simple truth. Weak credentials can create a major path for attackers.
Source: https://thehackernews.com/2026/06/cisa-warns-fortinet-customers-as.html
