FortiBleed shows why old credentials remain dangerous

Fortinet is once again in the news, and this one is worth paying attention to if you run Fortinet or FortiGate VPN equipment.

A leak being called FortiBleed reportedly exposes Fortinet VPN credentials for roughly 73,000 devices. According to BleepingComputer, the exposed data appears to include usernames, email addresses and plaintext passwords tied to Fortinet and FortiGate VPN access.

The article is titled FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices.

Industrial Cyber also has coverage titled Global cybersecurity agencies warn of credential exposure in FortiBleed campaign targeting Fortinet firewalls, VPN gateways.

What makes this interesting is that it may not involve a new vulnerability at all. Fortinet has reportedly said the activity involves credential harvesting, older data and brute-force activity, rather than a newly disclosed flaw with its own security advisory. That does not make it less serious. If credentials still work, attackers do not care whether they came from a new breach, an old breach, an exported configuration, password reuse, or brute forcing. Working credentials are working credentials.

BleepingComputer says researchers found exposed Fortinet and FortiGate VPN credentials for 73,932 firewall URLs across 194 countries. The reporting also says that some of the data was reviewed by researchers who believe at least portions of it are authentic.

That is the part that should get attention. We can argue about the source of the data later. If your firewall or VPN credentials are in a dataset and the device is still exposed to the internet, the immediate question should be whether those credentials still work.

Several cybersecurity agencies have also issued warnings regarding credential exposure affecting Fortinet firewalls and VPN gateways. The concern is not merely the existence of a leaked dataset, but the possibility that organizations may still be relying on exposed credentials that have never been changed. Even if the original source of the credentials is years old, attackers routinely test old usernames and passwords against internet-facing systems in hopes that someone never rotated them.

The name FortiBleed may sound like Heartbleed, the major OpenSSL vulnerability that dominated security headlines in 2014, or suggest a newly discovered software flaw. However, current reporting suggests the issue centers on exposed credentials rather than a newly disclosed vulnerability. That distinction matters because patching alone may not solve the problem if leaked credentials remain active.

Organizations using Fortinet should rotate Fortinet VPN and administrative passwords, terminate any active VPN sessions for the affected accounts (a password change does not by itself tear down a tunnel that is already established), make sure multifactor authentication is enabled, review exposed management interfaces, check logs for suspicious access, and verify that devices are patched and configured according to Fortinet guidance.
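As an added example (not code from the original post, from Fortinet, or from BleepingComputer), here is a small Python script for the "check logs for suspicious access" step. It parses FortiGate-style key=value VPN event lines and flags two patterns that a leaked-credential campaign produces: many failed logins from one source IP across several usernames inside a short window (password spraying or brute force), and a successful login from an IP that had already failed inside that window (a guessed or leaked credential that still works). The sample log lines are constructed for the example, and the success action names (tunnel-up, ssl-login-ok) are an assumption to check against your own firmware's log schema.

```python
"""Flag spraying and credential-hit patterns in FortiGate-style SSL VPN logs.

Added example, not Fortinet's code. Field names (date, time, action, user,
remip) follow FortiGate's key=value syslog style; the sample lines below are
constructed, not captured from a real device.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = """\
date=2024-05-01 time=02:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip=203.0.113.9
date=2024-05-01 time=02:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.9
date=2024-05-01 time=02:00:07 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip=203.0.113.9
date=2024-05-01 time=02:00:11 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip=203.0.113.9
date=2024-05-01 time=02:00:15 type="event" subtype="vpn" action="ssl-login-fail" user="erin" remip=203.0.113.9
date=2024-05-01 time=02:00:19 type="event" subtype="vpn" action="tunnel-up" user="erin" remip=203.0.113.9
date=2024-05-01 time=08:15:00 type="event" subtype="vpn" action="tunnel-up" user="frank" remip=198.51.100.20
date=2024-05-01 time=09:30:00 type="event" subtype="vpn" action="ssl-login-fail" user="frank" remip=198.51.100.20
date=2024-05-01 time=09:30:20 type="event" subtype="vpn" action="tunnel-up" user="frank" remip=198.51.100.20
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL_ACTIONS = {"ssl-login-fail"}
# Success action names are an assumption for this example; confirm them
# against the log schema of the firmware you run before relying on this.
SUCCESS_ACTIONS = {"tunnel-up", "ssl-login-ok"}


def parse_line(line):
    """Parse one key=value log line into a dict and add a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def analyze(log_text, window=timedelta(minutes=10), fail_threshold=5):
    """Return alerts found in log_text.

    'spray': at least fail_threshold failed logins from one remip inside window.
    'success_after_failures': a successful login from a remip that failed
    earlier inside window; 'high' severity if the failures spanned several
    usernames (credential stuffing), 'medium' if only one (could be a typo).
    """
    alerts = []
    recent_fails = defaultdict(deque)  # remip -> deque of (ts, user) in window
    sprayed = set()                    # remips already reported for spraying
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    for ev in events:
        ip, user, ts, action = ev.get("remip"), ev.get("user"), ev["ts"], ev.get("action")
        fails = recent_fails[ip]
        while fails and ts - fails[0][0] > window:   # slide the window forward
            fails.popleft()
        if action in FAIL_ACTIONS:
            fails.append((ts, user))
            if len(fails) >= fail_threshold and ip not in sprayed:
                sprayed.add(ip)
                alerts.append({"type": "spray", "remip": ip,
                               "failures": len(fails),
                               "users": sorted({u for _, u in fails})})
        elif action in SUCCESS_ACTIONS and fails:
            distinct_users = {u for _, u in fails}
            alerts.append({"type": "success_after_failures", "remip": ip,
                           "user": user, "prior_failures": len(fails),
                           "severity": "high" if len(distinct_users) > 1 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

Point it at a syslog export from the device instead of SAMPLE_LOGS, and if you have the usernames from the leaked dataset, a quick extension is to raise the severity of any alert whose user appears in that list; those are the accounts whose passwords need rotating and whose sessions need killing first.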

This blog has covered Fortinet before. You can search for Fortinet coverage here: Fortinet coverage on this blog.

This is another reminder that perimeter devices are not magic boxes. Firewalls, VPN gateways and security appliances are only as strong as their configuration, patching, credential hygiene and monitoring. If an attacker gets valid credentials to the device guarding the front door, they may not need a fancy exploit at all.

If you run Fortinet equipment, do not just read the headline and move on. Check your environment. Rotate credentials. Audit access. Turn on MFA. Make sure old accounts are gone. And if you expose management interfaces directly to the internet, now would be a good time to rethink that decision.

