Active Credential Attacks Targeting Fortinet FortiGate VPNs

Overview
Threat type: Brute-force, credential stuffing, and reuse of exposed credentials
SISS Severity Rating: High
Date: 22 June 2026
Status: Active and developing
Secure ISS is responding to an active threat in which Fortinet FortiGate SSL VPNs are being subjected to high-volume credential attacks. The same activity overlaps with a large credential dataset known as FortiBleed, which contains Fortinet and FortiGate VPN credentials, including usernames, email addresses and plaintext passwords, for tens of thousands of firewall endpoints worldwide. Researchers have verified that many of the exposed credentials are real and still valid, and many affected devices remain online.
The risk is twofold. Attackers are continuously attempting to authenticate against internet-facing FortiGate VPN and management interfaces, and the circulating credential data hands them ready-made logins, some of which are still valid, increasing the likelihood that one of these attempts succeeds.
What is happening
Fortinet FortiGate SSL VPN endpoints are being subjected to sustained, high-volume credential attacks.
The FortiBleed credential dataset is circulating publicly and contains verified Fortinet and FortiGate VPN credentials. Initial reporting put this at around 74,000 firewall endpoints, and the confirmed count has since been revised upward to over 86,000 devices across 194 countries, estimated to be roughly half of all internet-facing Fortinet devices. Fortinet has stated this is not a new product vulnerability. Researchers attribute the dataset to large-scale credential harvesting through brute-force, credential reuse, infostealer malware and offline hash-cracking, rather than a single flaw.
Recently published research indicates threat actors may follow these login attempts with attempted exploitation of recent FortiGate CVEs, though this overlaps with general opportunistic scanning and is difficult to attribute to a single group.
The primary risk is credential compromise. Valid credentials plus network access to a Fortinet VPN or management interface can enable reconnaissance, lateral movement, data theft and persistence.
What we are seeing from the SOC
Over the past few months, Secure ISS has observed an extremely high volume of SSL VPN login failures against specific clients' FortiGate devices. Key observations:
Bursts of tens of thousands to hundreds of thousands of failed logins per day.
Attempts are mostly against generic, non-targeted usernames.
Traffic is very consistently sourced from US IP addresses.
A small minority of the usernames come from old breach data, mostly students who graduated several years ago and whose accounts are already disabled.
Activity typically runs against a single client for 2 to 4 weeks before moving on to a different target environment.
Based on recently published reporting, the actors appear to follow up these attempts with attempted exploitation of recent FortiGate CVEs. This kind of opportunistic exploitation happens often enough from unrelated attackers that it is hard to isolate to these specific actors.
Recommended actions
We recommend the following as a priority:
Rotate passwords regularly. Enforce periodic password rotation for privileged and staff accounts at minimum, and ideally for all accounts. Rotate immediately any credentials that may appear in an exposure dataset such as FortiBleed.
Deactivate old and unused accounts promptly when a user leaves, and run regular scheduled audits to keep this maintained over time.
Apply least privilege for remote access. Ensure only accounts that genuinely require remote access have those permissions.
Geo-block by default. Restrict access from all countries without an explicit need. Where non-AU/NZ access is genuinely required, investigate routing that access via VPN so geo-blocking can remain standard procedure.
Enforce MFA on all staff and privileged accounts, and on all VPN and administrative access.
Patch regularly. Keep all web-facing assets and FortiOS firmware up to date to reduce the vulnerable attack surface.
Harden management exposure. Restrict Fortinet management interfaces to trusted IP addresses and disable internet exposure of administrative interfaces wherever possible.
Review logs for unusual access, failed-login spikes, new admin users, policy changes and logins from unexpected source countries.
Check for credential reuse across Active Directory, cloud services and other internal systems, and treat any organisation appearing in an exposure dataset as a potential compromise requiring incident response.
Get visibility on VPN logins. We have actively seen this VPN brute-force activity across client environments. For the firewall and VPN best practices behind these recommendations, read Lumara in Action: Stopping VPN Brute-Force with Live Detection.
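The following is an added example, not Secure ISS, Lumara or Fortinet code, showing how the patterns described in the SOC observations above (daily failed-login bursts, generic usernames, concentrated source countries) and the "review logs" recommendation (failed-login spikes, new admin users, policy changes, logins from unexpected countries) can be checked over FortiGate event logs. The log lines are constructed in the FortiGate key=value style; the field names (date, time, subtype, action, remip, user, cfgpath, cfgobj) follow the FortiOS log format, but every value is invented, and GEOIP_TABLE is a stand-in for a real GeoIP lookup.

```python
"""
Detection example for FortiGate SSL VPN credential-attack activity.
Added example, not Secure ISS or Fortinet code. Log lines and the GeoIP
table are constructed; field names follow the FortiOS key=value format.
"""
import re
from collections import Counter

# Constructed sample: a burst of generic-username failures from two US-mapped
# addresses, one normal AU login, then a success from an unexpected country
# followed by an admin account being added and a firewall policy edit.
SAMPLE_LOGS = """\
date=2026-06-20 time=02:10:01 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="admin" reason="sslvpn_login_permission_denied"
date=2026-06-20 time=02:10:02 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="test" reason="sslvpn_login_permission_denied"
date=2026-06-20 time=02:10:03 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.23 user="guest" reason="sslvpn_login_permission_denied"
date=2026-06-20 time=02:10:04 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.24 user="user" reason="sslvpn_login_permission_denied"
date=2026-06-20 time=02:10:05 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.24 user="vpn" reason="sslvpn_login_permission_denied"
date=2026-06-20 time=02:10:06 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.24 user="jsmith2019" reason="sslvpn_login_permission_denied"
date=2026-06-20 time=09:15:00 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="asmith"
date=2026-06-21 time=01:00:00 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.9 user="jdoe" reason="sslvpn_login_permission_denied"
date=2026-06-21 time=01:00:30 type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.9 user="jdoe"
date=2026-06-21 time=01:05:00 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="backup-admin" user="admin" ui="GUI(192.0.2.9)"
date=2026-06-21 time=01:06:00 type="event" subtype="system" action="Edit" cfgpath="firewall.policy" cfgobj="12" user="admin" ui="GUI(192.0.2.9)"
"""

# key=value pairs; values are either double-quoted or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one FortiGate key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

# Stand-in for a GeoIP database (constructed): first three octets -> country.
GEOIP_TABLE = {"198.51.100": "US", "203.0.113": "AU", "192.0.2": "NL"}

def lookup_country(ip):
    """Hypothetical GeoIP lookup; unknown prefixes map to '??'."""
    return GEOIP_TABLE.get(ip.rsplit(".", 1)[0], "??")

# Generic, non-targeted usernames typical of spray / brute-force traffic.
GENERIC_USERS = {"admin", "administrator", "test", "guest", "user", "vpn", "info", "support"}

def analyse(log_text, expected_countries=("AU", "NZ"), spike_threshold=5):
    """Summarise VPN failures, spike days, sources, odd-country successes and admin changes."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures_per_day = Counter()
    failures_per_ip = Counter()
    failure_countries = Counter()
    generic_failures = 0
    unexpected_logins = []
    new_admins = []
    policy_changes = 0
    for ev in events:
        subtype, action = ev.get("subtype"), ev.get("action", "")
        if subtype == "vpn" and action == "ssl-login-fail":
            failures_per_day[ev["date"]] += 1
            failures_per_ip[ev["remip"]] += 1
            failure_countries[lookup_country(ev["remip"])] += 1
            if ev.get("user", "").lower() in GENERIC_USERS:
                generic_failures += 1
        elif subtype == "vpn" and action == "tunnel-up":
            country = lookup_country(ev["remip"])
            if country not in expected_countries:
                unexpected_logins.append((f"{ev['date']} {ev['time']}", ev["user"], ev["remip"], country))
        elif subtype == "system" and ev.get("cfgpath") == "system.admin" and action == "Add":
            new_admins.append(ev["cfgobj"])
        elif subtype == "system" and ev.get("cfgpath") == "firewall.policy":
            policy_changes += 1
    return {
        "total_failures": sum(failures_per_day.values()),
        "failures_per_day": dict(failures_per_day),
        "spike_days": sorted(d for d, n in failures_per_day.items() if n >= spike_threshold),
        "generic_user_failures": generic_failures,
        "top_failure_sources": failures_per_ip.most_common(3),
        "failure_source_countries": dict(failure_countries),
        "unexpected_country_logins": unexpected_logins,
        "new_admin_accounts": new_admins,
        "policy_changes": policy_changes,
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

On real data the spike threshold belongs in the thousands rather than at five, and the GeoIP table should be replaced with a proper database; the point of the structure is that each finding maps to one of the review items in the recommendation (spike days, generic usernames, source countries, unexpected-country successes, new admin objects, policy edits).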
Summary for IT Teams
Products: Fortinet FortiGate firewalls and SSL VPN gateways
Threat Level: High, active and ongoing
Action Required: Treat this as an active credential threat. Rotate Fortinet credentials, deactivate stale accounts, enforce MFA, apply geo-blocking and least-privilege remote access, restrict management exposure, patch FortiOS, and review logs for signs of compromise.
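As an added example (not Secure ISS or Fortinet code) of checking the "enforce MFA" and "restrict management exposure" actions against a device's own configuration, the script below parses the text form of a FortiOS configuration backup (config / edit / set / next / end blocks) and flags administrator accounts with no trusthost restriction, administrators without two-factor, and WAN-role interfaces whose allowaccess permits a management service. SAMPLE_CONFIG is constructed: the hostname, addresses and account names are invented, and the finding codes are this example's own naming.

```python
"""
FortiOS configuration audit example for management exposure and admin MFA.
Added example, not Secure ISS or Fortinet code; SAMPLE_CONFIG is constructed.
"""
import shlex

SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-01"
end
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 10.20.0.0 255.255.0.0
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set password ENC REDACTED
    next
    edit "backup-admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "helpdesk"
        set trusthost1 10.20.0.0 255.255.0.0
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC REDACTED
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.5 255.255.255.248
        set allowaccess ping https ssh
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set vdom "root"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
"""

def parse_fortios_config(text):
    """Return {table: {entry_name: {key: [values]}}} for top-level config tables.

    Only `set` lines directly inside an `edit` entry of a top-level table are
    recorded; nested `config ... end` blocks inside an entry are skipped.
    """
    sections = {}
    stack = []          # names of open config blocks, innermost last
    current = None      # attribute dict of the edit entry being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = shlex.split(line)   # handles the quoted names and values
        word = parts[0]
        if word == "config":
            stack.append(" ".join(parts[1:]))
            if len(stack) == 1:
                sections.setdefault(stack[0], {})
        elif word == "end":
            stack.pop()
            if not stack:
                current = None
        elif len(stack) == 1 and word == "edit":
            current = sections[stack[0]].setdefault(parts[1], {})
        elif len(stack) == 1 and word == "next":
            current = None
        elif len(stack) == 1 and word == "set" and current is not None:
            current[parts[1]] = parts[2:]
    return sections

MANAGEMENT_SERVICES = {"http", "https", "ssh", "telnet"}

def audit_config(text):
    """Return (object, finding) pairs for exposure and MFA gaps."""
    cfg = parse_fortios_config(text)
    findings = []
    for name, attrs in cfg.get("system admin", {}).items():
        # With no trusthost entries, FortiOS accepts admin logins from any source.
        if not any(k.startswith("trusthost") for k in attrs):
            findings.append((name, "no-trusthost"))
        if attrs.get("two-factor", ["disable"]) == ["disable"]:
            findings.append((name, "no-two-factor"))
    for name, attrs in cfg.get("system interface", {}).items():
        if attrs.get("role") == ["wan"]:
            if MANAGEMENT_SERVICES & set(attrs.get("allowaccess", [])):
                findings.append((name, "wan-management-exposed"))
    return findings

if __name__ == "__main__":
    for obj, finding in audit_config(SAMPLE_CONFIG):
        print(f"{obj}: {finding}")
```

Run against the constructed backup it reports backup-admin (no trusthost, no two-factor), helpdesk (no two-factor) and wan1 (https and ssh allowed on a WAN-role interface); the admin account with trusthost entries and two-factor produces no finding. A check like this is cheap to run on every configuration backup, so a newly added admin object or a loosened allowaccess shows up at the next run rather than at the next manual review.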
References
Cyber.gov.au - Reported widespread credential exposure affecting Fortinet Firewalls and VPN Gateways
BleepingComputer - FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices
Fortinet - Analysis of Reported Credential Compromise of FortiGate Devices
Hudson Rock - FortiBleed: 75,000 Fortinet Firewalls Compromised
GreyNoise - Fortinet VPN brute-force spike
Need help?
If your organisation uses Fortinet firewalls or VPN gateways, Secure ISS can assist with exposure assessment, log review, credential rotation planning, account auditing and incident response.
Please contact Secure ISS on 1300 769 460 or email the team for support.
