BusinessCybersecurityNewswireTechnologyWhat's Buzzing

CISA Urges Fortinet Users to Patch After FortiBleed Leak

Originally published on: June 20, 2026
▼ Summary

– CISA warned Fortinet customers after nearly 74,000 firewall and VPN credentials were exposed in a data leak called “FortiBleed,” targeting internet-accessible devices worldwide.
– The agency advised affected users to terminate SSL VPN and admin sessions, reset passwords, enable phishing-resistant MFA, and review logs for unauthorized access.
– Security researcher Volodymyr Diachenko discovered a server containing valid Fortinet VPN credentials for 73,932 firewall URLs, including usernames, emails, and plaintext passwords.
– The leaked dataset spans 194 countries and 21,632 domains, affecting organizations like Samsung, Mercedes-Benz, and government agencies across sectors such as healthcare and finance.
– A Russian-speaking threat group is linked to the operation, which made 1.16 billion credential attempts against over 320,000 FortiGate targets to intercept SSL VPN authentication hashes.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent call for Fortinet users to secure their systems following the exposure of nearly 74,000 firewall and VPN credentials in a data breach known as FortiBleed. This incident has drawn significant attention from cybersecurity authorities worldwide.

The warning comes after malicious actors leveraged compromised credentials to target internet-accessible Fortinet devices across both government and private-sector organizations globally. CISA emphasized the severity of the situation in a statement, noting that “malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials.” The agency further explained that this activity, dubbed FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways.

In response, CISA has urged affected FortiGate appliance owners to take immediate action. This includes terminating all SSL VPN and administrative sessions, resetting all VPN and administrative passwords, and enabling phishing-resistant multifactor authentication. Administrators should also review logs for signs of unauthorized access or lateral movement. Additionally, CISA recommended storing admin credentials using the modern Password-Based Key Derivation Function 2 (PBKDF2) hashing algorithm, restricting firewall management interfaces from public internet access, and removing any unauthorized accounts to minimize the attack surface.

The FortiBleed data leak was uncovered by security researcher Volodymyr “Bob” Diachenko, who discovered a server containing what appeared to be valid Fortinet VPN credentials. The leaked data included usernames, email addresses, and plaintext passwords for 73,932 firewall URLs worldwide. It also contained information about each organization’s industry, revenue, and employee count, which Diachenko suggested was compiled to assist in planning future attacks.

Threat intelligence company Hudson Rock, which analyzed the dataset, described it as one of the largest known collections of compromised Fortinet credentials. The data spans 21,632 unique domains and 194 countries. Among the organizations represented are major corporations like Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T, and Toyota, as well as numerous government agencies and critical infrastructure operators in telecommunications, healthcare, financial services, and manufacturing. The highest number of affected devices were from India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.

Diachenko also linked the operation to a Russian-speaking threat group that allegedly conducted approximately 1.16 billion credential attempts against more than 320,000 FortiGate targets to intercept SSL VPN authentication hashes. The source of the configuration data remains unknown. Cybersecurity expert Kevin Beaumont independently confirmed the authenticity of some credentials and noted that most affected devices remain online. “The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data,” Beaumont stated, adding that the leaked data likely originated from Fortinet configuration files.

The exact source of the breach remains unclear, with possibilities including exploitation of previously disclosed Fortinet vulnerabilities, a newly discovered security flaw, or another method. To assist organizations, Hudson Rock has created a free FortiBleed lookup tool for checking potential exposure. Meanwhile, on Monday, threat intelligence company Defused reported that several critical vulnerabilities in Fortinet’s FortiSandbox cyber threat detection platform are now being exploited in attacks. In total, CISA tracks 26 Fortinet security flaws that have been exploited in the wild in recent years, with 13 of them abused in ransomware attacks.

(Source: BleepingComputer)

Topics

fortibleed data leak 98% cisa advisory 95% compromised credentials 93% cybersecurity threats 91% mitigation measures 89% russian-speaking threat group 87% affected organizations 85% geographic distribution 83% password security 81% vpn vulnerabilities 79%