
74,000 FortiGate Devices Exposed: CISA Orders Immediate Credential Reset

The FortiBleed campaign has leaked the credentials of 74,000 Fortinet devices, and CISA is warning of active exploitation across the government and private sectors.

Tags: CISA, Fortinet, FortiGate, FortiBleed, SSL VPN, cybersecurity

CISA just dropped an emergency alert: roughly 74,000 internet-accessible Fortinet devices have their credentials leaking in the wild under a campaign called FortiBleed. Half of the internet-facing FortiGate fleet may already be compromised, and attackers aren't waiting for an invitation.

FortiBleed's Scope: 74,000 Devices and Counting

Multiple threat intelligence firms - Tech Times, SOCRadar, Hudson Rock, Arctic Wolf - all independently tracked this. The numbers converge around 74,000 FortiGate firewalls and SSL VPN gateways, spanning 194 countries. Government and private sector alike. These aren't theoretical vulnerabilities; they're leaked credentials being actively used to log in.

CISA's Playbook: Terminate, Reset, Harden

CISA's guidance is refreshingly blunt. Terminate all active SSL VPN and administrative sessions right now. Reset every Fortinet VPN and admin password, especially on internet-facing systems. Review your firewall, VPN, authentication, and domain controller logs for lateral movement or suspicious accounts. Enable phishing-resistant MFA on all remote access and admin accounts, enforced on every external gateway.

Lock down management access too. If your FortiGate administration interface is reachable from the public internet, that's a priority fix. Restrict it to trusted internal networks. Remove or disable any unauthorized accounts.

The One Setting That Matters: PBKDF2

Here's the technical detail most teams will miss. CISA explicitly calls out confirming your use of the Password-Based Key Derivation Function 2 (PBKDF2) algorithm to store administrator credentials. Fortinet's guidance in FortiOS v7.2.11 and later tells you how to enforce it. Weak legacy hashes need to die. If you're still on an old hash, your admin passwords might as well be plaintext.
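To show what "confirm PBKDF2" means in practice, here is an added example written for this page (not Fortinet's implementation and not FortiOS configuration): it stores passwords as salted PBKDF2-HMAC-SHA256 records, verifies them in constant time, and flags records that are legacy hashes or fall below an iteration floor. The record layout, the 600,000-iteration floor and the sample accounts are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy values for this example; they are not Fortinet's settings.
PBKDF2_ALGO = "pbkdf2_sha256"
MIN_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = MIN_ITERATIONS) -> str:
    """Store a password as a self-describing record (layout is an assumption):
    pbkdf2_sha256$<iterations>$<base64 salt>$<base64 derived key>"""
    salt = os.urandom(16)  # fresh per-record salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"{PBKDF2_ALGO}${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the record's own salt/iterations; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != PBKDF2_ALGO:
        return False  # legacy records cannot be verified here; they get reset
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(parts[1]))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True for a legacy (non-PBKDF2) record or PBKDF2 below the iteration floor.
    Such accounts need a password reset: a new record requires the plaintext."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != PBKDF2_ALGO:
        return True
    return int(parts[1]) < MIN_ITERATIONS


def audit_store(store: dict) -> list:
    """Names of accounts whose stored credential does not meet the PBKDF2 policy."""
    return sorted(name for name, rec in store.items() if needs_rehash(rec))


# Constructed sample store: a legacy unsalted digest, a PBKDF2 record with far
# too few iterations, and one record that meets the policy above.
SAMPLE_STORE = {
    "admin": "md5$" + hashlib.md5(b"Summer2024!").hexdigest(),
    "netops": hash_password("correct horse", iterations=1000),
    "secops": hash_password("battery staple"),
}

if __name__ == "__main__":
    print("accounts to reset:", audit_store(SAMPLE_STORE))  # ['admin', 'netops']
```

Run against an exported credential list, the audit tells you which accounts must be reset rather than merely re-hashed, since the old digest cannot be upgraded without the plaintext.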

What Comes Next

This campaign isn't slowing down. Attackers move faster than most patch cycles. The 74,000 figure is a snapshot, and more credentials will surface. The playbook is clear: terminate, reset, harden, and don't skip PBKDF2. Your FortiGate's admin password is the key to your entire network. Treat it like one that's already been copied.


Source: CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure
Domain: cisa.gov
