Cybercriminals Target Major Firms with Fortinet Firewall Hacks

TL;DR

  • Cybercriminals are exploiting Fortinet FortiGate firewalls and VPNs at scale, with two security firms saying tens of thousands of devices have been compromised worldwide.
  • The campaign, dubbed FortiBleed, appears to rely on exposed devices and reused or leaked passwords rather than a novel zero-day exploit.
  • Victims are being urged to restrict internet access to management interfaces, rotate credentials, and treat firewall configs as compromised if there are signs of intrusion.

Fortinet firewalls hit by a global intrusion wave

A large-scale cybercriminal campaign is targeting Fortinet FortiGate firewalls and VPN appliances used by major companies around the world, according to recent reports from cybersecurity firms Hudson Rock and SOCRadar. The attackers are said to have compromised more than 30,000 devices, while Hudson Rock estimates the number of affected Fortinet URLs is above 73,000.

The activity is ongoing and has been nicknamed FortiBleed by researchers. Based on the available reporting, the operation is not centered on a newly discovered software flaw; instead, attackers are scanning the internet for exposed Fortinet devices and then logging in using lists of previously known passwords.

How the attackers are getting in

The core technique described by the researchers is deceptively simple: find Fortinet firewalls or VPNs exposed to the public internet, then try credential sets already circulating in criminal datasets. That means organizations that have not changed firewall passwords, or have reused credentials that were previously leaked elsewhere, are particularly vulnerable.

Once inside, the attackers can use the device as a listening post, monitoring traffic and collecting additional credentials that pass through the firewall. Researchers say the campaign is also being used to steal firewall configuration data, which can reveal network structure, VPN settings, and other details that help expand the compromise.

Who is being affected

Hudson Rock says the hacked organizations it identified include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC. SOCRadar and Hudson Rock both say the victims are spread across the globe, with the highest concentration of affected devices in India, the United States, Taiwan, and Mexico.

The industries most heavily affected, according to Hudson Rock, include IT services, construction materials, and telecommunications. SOCRadar also says government agencies are among the victims.

A Russian-speaking threat group

Both cybersecurity firms say the group behind the campaign appears to be Russian-speaking. The reporting does not identify the actors with certainty, but the scale and automation of the operation suggest an organized criminal effort rather than isolated opportunistic intrusions.

That attribution matters because it suggests the campaign may continue to evolve, especially if the operators keep finding organizations with exposed management interfaces and weak or reused credentials.

Why firewall compromises are so dangerous

Firewalls are designed to sit at the edge of corporate networks, which makes them especially valuable to attackers once breached. If criminals gain access to configuration data or administrative controls, they may be able to pivot deeper into the environment, intercept traffic, and harvest additional credentials.

Even when the initial compromise is “just” a firewall login, the downstream impact can be significant. Stolen configs can reveal security policies, trusted IP ranges, VPN accounts, and internal routing details that make later attacks easier.

What defenders should do now

Security researchers and vendors are advising companies to reduce exposure of firewall management interfaces to the public internet, and to limit access to trusted internal users wherever possible. If public access cannot be avoided, organizations are being told to apply restrictive access controls so only approved IP addresses can reach administrative portals.

Other recommended steps include:

  • Rotate all firewall-related credentials and any linked enterprise accounts that may have been exposed.
  • Review firewall and VPN configurations for unauthorized changes or rogue accounts.
  • Treat affected configs as compromised and restore from a known clean backup if needed.
  • Disable FortiCloud SSO/admin login features temporarily if they are in use, pending updated remediation guidance.
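As an added illustration of two of the steps above (restricting administrative access to approved source IPs and reviewing configs for rogue accounts), the following script, which is not from the article or from Fortinet, parses a constructed FortiOS "config system admin" block as printed by `show` and flags admin accounts that either have no trusthost restriction or are absent from an assumed inventory of known accounts.

```python
import re

# Constructed sample of a FortiOS "config system admin" block (not from the article).
# "show" omits trusthost lines that are still the default 0.0.0.0 0.0.0.0 (any source).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.0.0
        set trusthost2 192.168.100.5 255.255.255.255
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
    next
    edit "svc_backup"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

# Admin accounts the organization knows it created (assumed inventory, constructed).
KNOWN_ADMINS = {"admin", "netops"}


def parse_admins(config_text):
    """Map each admin in 'config system admin' to its trusthost entries as 'ip/mask'."""
    admins = {}
    current = None
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and (m := re.match(r'edit "([^"]+)"', line)):
            current = m.group(1)
            admins[current] = []
        elif in_block and current and (m := re.match(r"set trusthost\d+ (\S+) (\S+)", line)):
            admins[current].append(f"{m.group(1)}/{m.group(2)}")
    return admins


def find_issues(admins, known):
    """Flag admins reachable from any source IP and admins missing from the inventory."""
    issues = []
    for name, hosts in admins.items():
        # No trusthost at all, or an explicit catch-all, means any IP may attempt login.
        if not hosts or "0.0.0.0/0.0.0.0" in hosts:
            issues.append((name, "unrestricted-source"))
        if name not in known:
            issues.append((name, "unknown-account"))
    return sorted(issues)
```

Run it against a real `show system admin` export by replacing `SAMPLE_CONFIG`; every flagged account is a candidate for adding trusthost entries or for removal during the credential rotation.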

The bigger lesson

The FortiBleed campaign is a reminder that not every mass intrusion wave depends on an exotic exploit. In this case, the attackers appear to be taking advantage of a basic but persistent security problem: exposed internet-facing infrastructure protected by weak or reused credentials.

For companies that rely on Fortinet gear, the immediate priority is to lock down management access, reset credentials, and assume that any exposed device may already be a target.


AndroGuider Team
Reviewed by Randeotten on 6/18/2026 05:50:00 AM