Exposure of credentials on Fortinet devices linked to the exploitation of SSL-VPN

Posted date 22/06/2026

An extensive list of credentials linked to Fortinet devices, particularly FortiGate and SSL-VPN environments exposed to the internet, has recently been disclosed. This sequence of events has been dubbed FortiBleed.

FortiBleed can be traced back to the exploitation of vulnerabilities such as CVE-2023-27997 in FortiOS and FortiProxy SSL-VPN, which was patched by Fortinet in June 2023. This vulnerability affected the SSL-VPN component and could have allowed remote command execution.

In June 2026, reports emerged of a set of credentials associated with tens of thousands of Fortinet devices accessible from the internet, including VPN portals and firewalls used by organisations across multiple sectors.
The affected parties mentioned in these reports are companies and organisations whose credentials are believed to have been exposed, although the information observed appeared to stem from past incidents and brute-force campaigns, rather than from a new vulnerability.

The information points to users and organisations that left Fortinet devices with SSL-VPN exposed to the internet. At some point these devices were either vulnerable or protected by weak credentials, which would have allowed unauthorised access, the theft of configurations and credentials, the subsequent circulation of credentials associated with those devices, and the installation of backdoors. If the system updates published by Fortinet were not applied, followed by password rotation, a review of access logs and the strengthening of authentication with multi-factor mechanisms, these systems may remain vulnerable via the credentials obtained at the time.

It should be noted that the theft of credentials occurred at different times, and not all the credentials available on the list are currently valid (for example, because they may have been changed since the theft), although unfortunately most of them appear to be active.

However, it is important to bear in mind that simply changing the credentials on the list is not enough: it is also crucial to ensure that the firmware is up to date and that no backdoors are present. Furthermore, the credentials of users who used the device during the period of the breach may also have been compromised. This applies both to the devices themselves and to the traffic routed through them, as the attackers installed traffic analysis systems to capture passwords and hashes across multiple protocols, which they then cracked using GPU-based brute-force attacks. Cases of subsequent lateral movement to internal systems have also been documented.

The main recommendations for the organisations listed would be:

  • Change all FortiGate administrative and VPN credentials.
  • Enforce multi-factor authentication on all remote access interfaces.
  • Ensure that management interfaces are not exposed to the internet.
  • Check gateway and authentication logs for suspicious activity.
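One way to act on the last recommendation, as an added example that is not part of the advisory: a small Python script that parses FortiGate-style key=value SSL-VPN event lines and flags a tunnel that came up only after a run of login failures from the same address (what a guessed or stuffed credential looks like) and addresses that failed against several accounts (what spraying looks like). The log lines are constructed samples, and the field names action, user, remip and the values ssl-login-fail and tunnel-up are assumptions to verify against your own device's output.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style SSL-VPN event lines (sample data, not real device output).
# Field names (action, user, remip) and action values are assumptions to verify locally.
SAMPLE_LOGS = """\
date=2026-06-20 time=09:01:02 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
date=2026-06-20 time=09:01:05 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-20 time=09:01:09 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-20 time=09:01:14 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=203.0.113.7 tunnelip=10.212.134.200
date=2026-06-20 time=09:02:00 type="event" subtype="vpn" action="tunnel-up" user="alee" remip=198.51.100.20 tunnelip=10.212.134.201
date=2026-06-20 time=09:03:00 type="event" subtype="vpn" action="ssl-login-fail" user="bchan" remip=203.0.113.7 reason="sslvpn_login_unknown_user"
"""

# key=value pairs; a value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict with quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def find_suspicious_logins(raw_logs, fail_threshold=3):
    """Flag (a) a tunnel that came up after >= fail_threshold consecutive failures
    for the same user from the same remote IP, and (b) remote IPs whose failures
    were spread over more than one account."""
    failures = defaultdict(int)      # (user, remip) -> consecutive failures so far
    users_per_ip = defaultdict(set)  # remip -> accounts it failed against
    alerts = []
    for line in raw_logs.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn":
            continue
        user, remip = rec.get("user"), rec.get("remip")
        if rec.get("action") == "ssl-login-fail":
            failures[(user, remip)] += 1
            users_per_ip[remip].add(user)
        elif rec.get("action") == "tunnel-up":
            if failures[(user, remip)] >= fail_threshold:
                alerts.append({"type": "success-after-failures", "user": user,
                               "remip": remip, "failures": failures[(user, remip)]})
            failures[(user, remip)] = 0  # a success ends the run of failures
    for remip, users in users_per_ip.items():
        if len(users) > 1:
            alerts.append({"type": "multi-account-failures", "remip": remip,
                           "users": sorted(users)})
    return alerts
```

Feed it the exported VPN event log instead of SAMPLE_LOGS; any account in a success-after-failures alert should be rotated and its sessions reviewed regardless of whether it appears on the published list.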