FortiBleed: 75,000 Fortinet Firewalls Exposed and What It Means for Australian Networks
Roughly 75,000 Fortinet FortiGate firewalls have had their administrator credentials exposed in a dataset now circulating among researchers, and in all likelihood among criminals. These devices sit at the edge of corporate networks across 194 countries, and the credentials appear to be current. For any organisation running FortiGate as its perimeter, this is something to act on this week, not next quarter.
What Happened
The campaign, named FortiBleed, was first disclosed on 17 June by security researcher Volodymyr “Bob” Diachenko, with analysis from Kevin Beaumont and the threat-intelligence firm Hudson Rock confirming the data is authentic. The dataset holds records for 73,932 unique firewall URLs across 21,632 domains, reportedly including Foxconn, Samsung, Siemens, PwC, Oracle and Fortinet itself. This is not a single new vulnerability. Attackers harvested FortiGate configuration exports, which historically stored administrator passwords as older salted SHA-256 hashes, then cracked them offline on a 45-GPU cluster as part of an operation estimated at 1.16 billion login attempts against more than 320,000 FortiGate targets. Beaumont puts the leak at around half of all Fortinet firewalls currently exposed to the internet.
Why It Matters
FortiGate appliances are everywhere in Australia, across small businesses, local councils, healthcare providers, schools and government agencies, precisely because they are an affordable and capable perimeter. That ubiquity is now the problem. Administrative access to an edge firewall hands an attacker a route into Active Directory and the internal network behind it, and the Australian Cyber Security Centre has repeatedly flagged exploitation of internet-facing edge devices as a common path into local organisations.
A firewall is meant to be the thing protecting the network, not the first door an attacker walks through.
What Security Teams Should Do Now
Rotate every FortiGate administrator and local user credential, and treat any password stored on an exposed device as already compromised.
Upgrade to the latest FortiOS release, then log in afterwards so credentials are rehashed using PBKDF2 rather than the older SHA-256 scheme.
Enable multi-factor authentication on all administrative accounts.
Take FortiOS management interfaces off the public internet and restrict them to VPN or trusted management networks.
Review logs for unauthorised administrative logins, and audit devices for unfamiliar accounts, configuration changes and persistence.
Where a device was internet-exposed, assume compromise and investigate the connected network until you can prove otherwise.
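As an added illustration of the log-review step above (example code written for this post, not Fortinet's own tooling), this Python script parses FortiGate-style key="value" event log lines and flags successful administrator logins from outside a management range, counts failed logins per source, and reports newly created admin accounts. The sample lines, the 10.20.0.0/24 management range, the expected admin list, and the cfgpath/cfgobj field names are constructed assumptions for the example.

```python
import ipaddress
import re
import shlex

# Constructed sample lines in FortiGate key="value" event-log style; not real log data.
SAMPLE_LOGS = """\
date=2025-06-18 time=09:12:41 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.20.0.5)" action="login" status="success"
date=2025-06-18 time=03:44:10 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" action="login" status="failed"
date=2025-06-18 time=03:47:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" action="login" status="success"
date=2025-06-18 time=03:47:30 type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(198.51.100.77)" action="Add" cfgpath="system.admin" cfgobj="svc_backup"
"""

# Assumed for this example: the trusted management network and the admin accounts expected to exist.
TRUSTED_MGMT = [ipaddress.ip_network("10.20.0.0/24")]
KNOWN_ADMINS = {"admin"}

UI_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # e.g. https(203.0.113.5) -> 203.0.113.5


def parse_line(line):
    """Split one key="value" line into a dict; shlex keeps quoted values containing spaces intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def source_ip(rec):
    """Extract the client address embedded in the ui field, or None if absent."""
    m = UI_RE.search(rec.get("ui", ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def review(log_text):
    """Return findings: untrusted admin logins, unexpected admin accounts, failed-login counts."""
    findings, failed = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        ip = source_ip(rec)
        trusted = ip is not None and any(ip in net for net in TRUSTED_MGMT)
        if rec.get("action") == "login":
            if rec.get("status") == "success" and not trusted:
                findings.append(f"admin login from outside management range: {rec['user']} from {ip} at {rec['date']} {rec['time']}")
            elif rec.get("status") == "failed":
                failed[str(ip)] = failed.get(str(ip), 0) + 1
        # An Add on system.admin means a new administrator object was created on the device.
        if rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add" and rec.get("cfgobj") not in KNOWN_ADMINS:
            findings.append(f"unexpected admin account created: {rec['cfgobj']} by {rec['user']} from {ip}")
    for src, n in failed.items():
        findings.append(f"{n} failed admin login(s) from {src}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS):
        print(finding)
```

Point it at a real export of the device's event log and extend TRUSTED_MGMT and KNOWN_ADMINS to match your environment; any finding is a lead for the investigation step that follows.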
Aurian's Take
None of this required an exotic exploit. It combined three ordinary failures: management interfaces left open to the internet, credentials stored with weak hashing, and configuration data that escaped the device. That pattern repeats across breach after breach. The attackers were not clever so much as patient and well-resourced, while the defenders simply could not see how their own perimeter looked from the outside.
This is the gap that regular penetration testing and external security assessment are built to close. An attacker's-eye view of the perimeter finds the exposed management interface, the device running months-old firmware and the credential that should have been rotated long ago, before someone else does. Much of Aurian's penetration testing work starts exactly here, at the internet-facing edge, because that is where Australian organisations are most often caught out.
FortiBleed is a reminder that the perimeter is only as strong as the discipline behind it, and that exposure you cannot see is exposure you cannot fix.