Cybersecurity · June 18, 2026 · 7 min read · By XOOMAR Insights Team

Old Passwords Breach Giants in Fortinet Firewall Hack

Updated on June 18, 2026

A Fortinet firewall hack allegedly reached tens of thousands of exposed firewalls and VPN gateways because attackers did not need a new zero-day; they reportedly used passwords that were already known.


That is the sharper lesson inside the FortiBleed reports: edge security gear can become the shortest path into a company when credentials are stale, reused, or left exposed on the internet, according to TechCrunch. The companies most exposed are those that treat firewall credentials as setup details rather than production secrets.

Fortinet Firewall Hack Shows Password Reuse Can Beat Expensive Perimeter Gear

The campaign, dubbed FortiBleed, reportedly targets Fortinet firewalls and VPNs used by major companies worldwide. The striking detail is what researchers say the hackers did not use: an unknown Fortinet vulnerability.

Instead, cybersecurity firms Hudson Rock and SOCRadar said attackers scanned the internet for exposed Fortinet devices, then tried lists of previously known passwords. Once inside, they could monitor passing traffic and collect more credentials.

“Once a device is compromised, [the hackers] use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself,” SOCRadar wrote.

The operational question for security teams is blunt: which old password still opens a front door?

XOOMAR analysis: this is the worst kind of perimeter failure because it does not require attackers to defeat advanced controls. It punishes companies for weak credential rotation, exposed login surfaces, and incomplete cleanup after earlier incidents.


Fortinet Customers Face a Scale Problem, Not a Simple Patch Problem

The reported numbers are large, but they need careful reading.

Reported scale by source cited in reporting, and what it suggests:

  • Hudson Rock: more than 73,000 unique Fortinet URLs, which suggests a very large set of allegedly compromised or exposed Fortinet access points.
  • SOCRadar: more than 30,000 hacked devices, a smaller but still global count of affected devices.
  • Both firms: victims in India, the United States, Taiwan, and Mexico among the most affected, so the campaign is not confined to one region.

A compromised device does not automatically prove every named company suffered a full internal breach. It does mean attackers may have gained valid access to infrastructure that sits at the edge of the network.

That matters because VPN and firewall access can sit close to sensitive systems. From there, a valid login may support reconnaissance, credential collection, and access to internal services. TechCrunch reported that the firms said hackers could steal more sensitive data from victim companies after breaking into devices.

How much damage follows from one working firewall password? The supplied reporting does not answer that for every victim. It does, however, show why the first login matters.

Hudson Rock said affected companies include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC. TechCrunch reported that a Lenovo spokesperson acknowledged receipt of a request for comment but did not respond, and that the other named companies did not respond.

Russian-Speaking Actors Allegedly Built a Self-Feeding Credential Machine

Both Hudson Rock and SOCRadar said the group behind the campaign appears to be Russian-speaking. That wording matters. It is an indicator, not proof of nationality, state direction, or motive.

The alleged playbook is efficient:

  • Scan: Find exposed Fortinet firewall and VPN interfaces.
  • Test: Try known passwords through automated tools.
  • Collect: Capture credentials flowing through compromised devices.
  • Repeat: Feed newly collected passwords back into the scanner.

The key question is not whether the attackers had a rare exploit, but why so many credentials still worked.

XOOMAR analysis: credential-based access is attractive because it can resemble normal authentication. A login with a real password may not trigger the same alarms as malware or exploit traffic. That shifts the burden from patch management alone to identity hygiene, log review, and rapid retirement of exposed credentials.

For companies reviewing credential habits, our guide to Password Manager vs Browser Password Manager, Who Wins? is a useful companion, especially where shared admin passwords or stored browser credentials still exist in operational workflows.

Fortinet’s Response Draws a Line Between Product Flaw and Customer Exposure

Fortinet told TechCrunch it was aware of the reported campaign and framed it as a credential issue, not a new advisory.

Fortinet spokesperson Tiffany Curci told TechCrunch that the company “is aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways.”

Fortinet also said that, based on its analysis, the data involved is “a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory.”

That distinction is commercially and technically important. If Fortinet is right, the urgent fix is not waiting for a patch. It is rotating credentials, locking down exposed interfaces, and checking whether old data has been reused successfully.

But customers will still ask a harder question: how should edge vendors help when old credentials become live attack material again?

This is where FortiBleed sits alongside other Fortinet-related edge risks without being the same thing. The separate issue covered in Hackers Pounce on Fortinet FortiSandbox Bugs After Patches centers on patched vulnerabilities in FortiSandbox. FortiBleed, by contrast, is reported as a credential-harvesting campaign against Fortinet firewalls and VPN gateways.

CISOs Should Treat Firewall Passwords Like Breached Production Secrets

For CISOs, the action list is narrower than the headline but still painful. This is not only a question of whether Fortinet devices are patched. It is whether any valid credential from an earlier incident, leak, or password reuse pattern can still authenticate.

Practical checks should start with:

  • Credential rotation: Reset firewall admin, VPN, and related directory credentials.
  • Exposure review: Confirm whether management interfaces are reachable from the public internet.
  • Access audit: Review recent logins, unusual login times, and unexpected source locations.
  • Configuration review: Look for unauthorized admin accounts, VPN changes, and unexplained firewall rule changes.
  • Traffic review: Investigate whether compromised devices may have collected additional credentials.
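As an added example of the access-audit step above (not code from the article, Fortinet, or the cited researchers), the block below parses constructed key=value login events and flags successful logins that come from an unknown admin account, an unexpected source network, off-hours, or directly after a burst of failed attempts from the same source. The log field names, the sample lines, and the allowed-network and business-hours values are assumptions for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, loosely modelled on key=value firewall event logs.
# Field names are assumptions for this example, not a vendor reference.
SAMPLE_LOGS = """\
date=2026-06-17 time=09:12:04 user="admin" srcip=10.0.5.20 action="login" status="success"
date=2026-06-17 time=03:41:52 user="admin" srcip=198.51.100.77 action="login" status="failed"
date=2026-06-17 time=03:41:55 user="admin" srcip=198.51.100.77 action="login" status="failed"
date=2026-06-17 time=03:41:58 user="admin" srcip=198.51.100.77 action="login" status="failed"
date=2026-06-17 time=03:42:02 user="admin" srcip=198.51.100.77 action="login" status="success"
date=2026-06-17 time=11:05:30 user="svc_backup2" srcip=10.0.5.21 action="login" status="success"
""".splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Parse one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def audit_logins(lines, known_admins, allowed_nets, hours=(7, 19), fail_threshold=3):
    """Flag successful logins from an unknown account, an unexpected network,
    outside business hours, or right after a burst of failures from the same
    source. Returns (reason, user, srcip, timestamp) tuples."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    fails = defaultdict(int)      # consecutive failures per (user, srcip)
    findings = []
    for ev in map(parse_kv, lines):
        if ev.get("action") != "login":
            continue
        key = (ev["user"], ev["srcip"])
        if ev["status"] != "success":
            fails[key] += 1
            continue
        ts = datetime.fromisoformat(f'{ev["date"]} {ev["time"]}')
        src = ipaddress.ip_address(ev["srcip"])
        checks = [
            (ev["user"] not in known_admins, "unknown-admin"),
            (not any(src in n for n in nets), "unexpected-source"),
            (not hours[0] <= ts.hour < hours[1], "off-hours"),
            (fails[key] >= fail_threshold, "success-after-failures"),
        ]
        fails[key] = 0            # a success resets the failure streak
        findings += [(label, ev["user"], ev["srcip"], ts.isoformat())
                     for hit, label in checks if hit]
    return findings
```

Run against the sample, `audit_logins(SAMPLE_LOGS, {"admin"}, ["10.0.0.0/8"])` reports three reasons for the 03:42 login from 198.51.100.77 and one unknown-admin finding for svc_backup2; in practice the known-admin set and allowed networks come from the device's reviewed configuration.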

The question for executives is simple: would the company know if a branch firewall had been quietly accepting an old password?

XOOMAR analysis: boards should treat perimeter device hygiene as a control issue, not an IT housekeeping chore. A neglected firewall or VPN gateway can weaken the value of other security investments because it sits upstream of them.


The Next Firewall Crisis May Start With Yesterday’s Password

The forward signal from FortiBleed is clear enough without overstating the case: attackers can keep extracting value from old Fortinet-related credential data if organizations do not retire it.

Security researcher Bob Diachenko first reported the campaign over the weekend, according to TechCrunch. Independent researcher Kevin Beaumont later said he analyzed the data and confirmed it “is legit.” That combination gives the reports more weight, even as individual victim impact remains unclear.

The evidence to watch now is concrete:

  • Fortinet customer guidance: Whether Fortinet issues more detailed steps for affected customers.
  • Victim confirmation: Whether named organizations acknowledge device compromise or rule it out.
  • Credential freshness: Whether the exposed passwords are still active across affected environments.
  • Follow-on abuse: Whether researchers find data theft tied to specific compromised devices.

If the thesis holds, the next major firewall incident will not require a new exploit. It will start when an old password, left alive too long, turns perimeter security into attacker infrastructure.

Impact Analysis

  • The alleged FortiBleed campaign shows that reused or stale passwords can bypass expensive perimeter defenses.
  • Compromised firewalls and VPNs can let attackers monitor traffic and harvest more credentials from inside company networks.
  • Security teams need to treat firewall credentials as high-value production secrets, not one-time setup details.