Analysis of Reported Credential Compromise of FortiGate Devices
ID: bd2c551c-9680-517f-935b-6975274c5651
STIX ID: report--bd2c551c-9680-517f-935b-6975274c5651
Feed Name: Fortinet Blog
Fortinet reports an active credential-harvesting campaign dubbed “FortiBleed” that leverages reused credentials and brute-force attacks against internet-facing FortiGate devices with weak password hygiene and no MFA. Fortinet advises immediate actions including terminating admin/VPN sessions, resetting credentials, implementing MFA, upgrading to versions with PBKDF2-hashed admin credentials, validating configurations for unauthorized changes, reviewing logs for suspicious access, and restricting external management access; affected devices should be treated as compromised if unauthorized modifications or IoCs are found.
