(TLP:CLEAR) Widespread “FortiBleed” Credential Exposure Campaign Affects Fortinet Firewalls and VPN Gateways
Created: Thursday, June 18, 2026 - 15:02
Categories: Cybersecurity, Security Preparedness
ACTION MAY BE REQUIRED for utilities using Fortinet FortiGate firewalls, SSL VPN, or VPN gateway services. Utilities that outsource technology support may need to consult their service providers for assistance with investigation and remediation actions.
Summary: Recent public reporting and government alerts describe a widespread malicious campaign, dubbed “FortiBleed,” involving exposed credentials affecting Fortinet firewalls and VPN gateways. The exposed data consists of Fortinet VPN credentials (usernames, email addresses, and plaintext passwords) associated with tens of thousands of Fortinet firewall URLs worldwide.
The campaign is particularly concerning for utilities because Fortinet firewalls and VPN gateways may provide remote access into enterprise environments, third-party support networks, and systems used by operational personnel. If valid credentials are leveraged, threat actors could gain remote access to affected devices and connected networks, modify device settings, alter security controls, or use perimeter access to pivot further into internal environments.
Analyst Note: WaterISAC strongly encourages members using Fortinet firewall or VPN services to immediately review their exposure, rotate all Fortinet VPN and administrative credentials, terminate active SSL VPN and administrative sessions, enforce MFA across all external gateways and administrative interfaces, restrict management interfaces to trusted networks only, and ensure Fortinet devices are running the latest firmware.
Members can also examine authentication and access logs for abnormal logins, unauthorized changes, suspicious accounts, or backdoor users. The Canadian Centre for Cyber Security specifically recommends inventorying Fortinet device accounts and disabling or removing unauthorized or suspicious accounts, including accounts such as forticloud-sync or forticloud-tech if they are not expected in the environment.
Recommended Actions:
- Rotate all Fortinet VPN and administrative credentials immediately.
- Terminate active SSL VPN and administrative sessions.
- Enforce MFA for all external gateways and admin interfaces.
- Restrict Fortinet management interfaces to trusted networks and hosts only.
- Ensure Fortinet devices are fully patched and running supported firmware.
- Confirm credentials are stored using PBKDF2 hashing after devices are updated.
- Review authentication, access, and configuration logs for suspicious activity.
- Investigate unauthorized accounts, configuration changes, or signs of persistence.
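As an added example (not part of the WaterISAC advisory, the Canadian Centre for Cyber Security alert, or any Fortinet documentation), the following Python script illustrates the log and account review the recommended actions call for. It parses constructed FortiOS-style key=value event log lines, flags successful administrator logins from outside an assumed trusted management network, lists administrator accounts that are outside an assumed account inventory (including the forticloud-sync and forticloud-tech names the alert singles out), and reports source addresses whose failed logins were followed by a success. The trusted network, the expected-administrator list, the log field names, and every sample log line are assumptions constructed for this example and should be replaced with the organization's own values and exported device logs.

```python
import ipaddress
import shlex
from collections import Counter

# Hypothetical local policy for this example: the trusted management network and
# the administrator accounts the operator expects to exist on the device.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
EXPECTED_ADMINS = {"admin"}
# Account names the alert says to review when they are not expected in the environment.
WATCHLIST_ACCOUNTS = {"forticloud-sync", "forticloud-tech"}

# Constructed sample records in FortiOS-style key=value format (illustrative only,
# not real device output); the field names are assumptions for this example.
SAMPLE_LOGS = """\
date=2026-06-18 time=09:01:12 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" srcip=10.20.0.15 action="login" status="success" msg="Administrator admin logged in successfully"
date=2026-06-18 time=09:14:40 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" msg="Administrator admin login failed"
date=2026-06-18 time=09:14:52 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" msg="Administrator admin login failed"
date=2026-06-18 time=09:15:03 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" msg="Administrator admin logged in successfully"
date=2026-06-18 time=09:16:30 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="forticloud-sync" msg="Add system.admin forticloud-sync"
date=2026-06-18 time=09:20:05 type="event" subtype="vpn" logdesc="SSL VPN login" user="jsmith" srcip=203.0.113.7 action="tunnel-up" status="success" msg="SSL tunnel established"
date=2026-06-18 time=09:21:11 type="event" subtype="system" logdesc="Admin login successful" user="forticloud-sync" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" msg="Administrator forticloud-sync logged in successfully"
"""


def parse_line(line):
    """Parse one key=value log line into a dict; quoted values keep their spaces."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_trusted(ip, trusted_nets=TRUSTED_MGMT_NETS):
    """True when the source address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def admin_logins(records):
    return [r for r in records
            if r.get("subtype") == "system" and r.get("action") == "login"]


def untrusted_admin_logins(records, trusted_nets=TRUSTED_MGMT_NETS):
    """Successful administrator logins from outside the trusted management network."""
    return [(r["user"], r["srcip"]) for r in admin_logins(records)
            if r.get("status") == "success"
            and not is_trusted(r.get("srcip", ""), trusted_nets)]


def unexpected_accounts(records, expected=EXPECTED_ADMINS):
    """Admin accounts that logged in or were created but are not in the inventory."""
    seen = {r.get("user") for r in admin_logins(records)}
    for r in records:
        if r.get("cfgpath") == "system.admin" and r.get("action") == "Add":
            seen.add(r.get("cfgobj"))
    seen.discard(None)
    return {u for u in seen if u not in expected}


def watchlist_hits(records):
    """Any of the alert's named account names seen logging in or being created."""
    return unexpected_accounts(records, expected=set()) & WATCHLIST_ACCOUNTS


def failed_then_success(records):
    """Sources with failed admin logins followed by a success (records in log order)."""
    failures, hits = set(), set()
    for r in admin_logins(records):
        src = r.get("srcip")
        if r.get("status") == "failed":
            failures.add(src)
        elif r.get("status") == "success" and src in failures:
            hits.add(src)
    return hits


def failed_login_counts(records):
    return Counter(r.get("srcip") for r in admin_logins(records)
                   if r.get("status") == "failed")


def vpn_logins(records):
    """SSL VPN tunnel establishments per user, for comparison against expected users."""
    return Counter(r.get("user") for r in records
                   if r.get("subtype") == "vpn" and r.get("action") == "tunnel-up")


def analyze(text):
    records = parse_logs(text)
    return {
        "untrusted_admin_logins": untrusted_admin_logins(records),
        "unexpected_accounts": unexpected_accounts(records),
        "watchlist_hits": watchlist_hits(records),
        "failed_then_success": failed_then_success(records),
        "failed_login_counts": failed_login_counts(records),
        "vpn_logins": vpn_logins(records),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {value}")
```

Run against an export of the device's event logs, the output gives the reviewer three concrete leads to work from: administrator sessions that reached the management interface from outside the permitted networks, accounts that should not exist, and sources that guessed their way in. Each is a candidate for the credential rotation, session termination, and account removal steps above.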
Original Source: https://www.cyber.gc.ca/en/alerts-advisories/al26-014-fortibleed-leak-thousands-compromised-credentials-impacting-fortinet-devices
Additional Reading:
- Reported widespread credential exposure affecting Fortinet Firewalls and VPN Gateways
- FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices
Related WaterISAC PIRs: 6, 8, 10
