FortiBleed leak exposes VPN credentials for nearly 74,000 Fortinet firewalls
A newly surfaced dataset dubbed FortiBleed exposes what appear to be Fortinet and FortiGate VPN credentials tied to 73,932 firewall URLs at organizations around the world. Separately, researchers at SOCRadar report roughly 30,000 compromised Fortinet firewalls exposing networks to attack. Exposed VPN credentials are a direct route into corporate networks, letting attackers log in as legitimate users, bypass perimeter defenses, and stage ransomware or data theft. Fortinet gear is a perennial target, with many of these exposures stemming from past unpatched flaws and credential harvesting. Organizations cannot assume old Fortinet credentials are safe just because devices were later patched.
- Check
  - Check whether your Fortinet or FortiGate VPN appliances appear in the exposed dataset, review VPN authentication logs for logins from unfamiliar locations, and confirm whether previously exposed devices were fully remediated.
- Affected
  - Organizations running internet-facing Fortinet and FortiGate VPNs whose credentials appear among the 73,932 exposed firewall URLs; reused or never-rotated VPN passwords are most at risk.
- Fix
  - Force-reset all Fortinet VPN credentials, enable phishing-resistant MFA on VPN access, restrict management interfaces, and fully patch or replace appliances, treating any potentially exposed device as compromised until verified.
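
One way to run the log review from the Check item, as an added example that is not from the original article or from Fortinet: it flags successful VPN logins whose source network was never seen for that user during a baseline period, using an unseen network as a stand-in for an unfamiliar location. The key=value layout, the field names (`subtype`, `action`, `user`, `remip`), the `tunnel-up` value and the sample lines are assumptions constructed for illustration; adjust them to match your appliance's actual export.

```python
import ipaddress
import shlex
from collections import defaultdict

LOGIN_ACTION = "tunnel-up"  # assumed action value marking a successful VPN login

# Constructed sample events (not real logs); field names are assumptions.
BASELINE = [
    'date=2025-01-06 time=08:59:12 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.23',
    'date=2025-01-07 time=09:03:40 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=203.0.113.7',
]
RECENT = [
    'date=2025-01-14 time=09:01:05 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.77',
    'date=2025-01-14 time=03:12:44 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=192.0.2.200 msg="SSL tunnel established"',
    'date=2025-01-14 time=03:13:10 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=192.0.2.9',
    'date=2025-01-14 time=03:15:02 type="event" subtype="vpn" action="tunnel-up" user="carol" remip=203.0.113.50',
]

def parse_line(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def network_of(ip):
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) so DHCP churn is not flagged."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{24 if addr.version == 4 else 48}", strict=False)

def vpn_logins(lines):
    """Yield parsed events that are successful VPN logins with a user and source IP."""
    for line in lines:
        ev = parse_line(line)
        if ev.get("subtype") == "vpn" and ev.get("action") == LOGIN_ACTION \
                and "user" in ev and "remip" in ev:
            yield ev

def unfamiliar_logins(baseline_lines, recent_lines):
    """Return (date, time, user, remip) for logins from networks unseen for that user."""
    known = defaultdict(set)
    for ev in vpn_logins(baseline_lines):
        known[ev["user"]].add(network_of(ev["remip"]))
    return [
        (ev.get("date"), ev.get("time"), ev["user"], ev["remip"])
        for ev in vpn_logins(recent_lines)
        if network_of(ev["remip"]) not in known[ev["user"]]  # no baseline => flagged
    ]

if __name__ == "__main__":
    for hit in unfamiliar_logins(BASELINE, RECENT):
        print("review:", *hit)
```

Accounts with no baseline history are flagged on purpose, since a login from an account that never used the VPN before is itself worth reviewing after a credential exposure.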