The Compromise of 30,000 Fortinet Firewalls
ID: 3b9152f7-fd5f-549a-ad1b-81903a180554
STIX ID: report--3b9152f7-fd5f-549a-ad1b-81903a180554
Feed Name: SOCRadar Blog
SOCRadar researchers uncovered an active global campaign (dubbed “FortiBleed”) in which attackers systematically scanned internet-facing Fortinet firewalls and VPN gateways, used credential-stuffing and brute-force against known/default credentials, and built a verified database of 30,791 working logins spanning 194 countries—including government and critical infrastructure accounts; the operation is automated, ongoing, and attributed tentatively to Russian-speaking operators. Affected organizations are advised to assume compromise, change all Fortinet credentials, enable MFA, restrict management access, update firmware, review logs, and engage incident response.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
