HackRead

FortiBleed Attack Exposes Fortinet Firewall Credentials in 194 Countries


A newly reported campaign targeting Fortinet FortiGate firewalls has put exposed VPN and administrator access back in focus, after researchers linked the activity to tens of thousands of verified firewall logins affecting major companies and public sector organizations.

Cybersecurity firm Hudson Rock says the dataset, first identified by researcher Volodymyr “Bob” Diachenko, includes 73,932 unique Fortinet firewall URLs in 194 countries, connected to 21,632 affected domains.

The company has branded the activity “FortiBleed” and launched a free lookup portal for organizations to check whether their domains appear in the dataset.

The names listed in the exposed data include high-profile organizations such as Samsung, Oracle, Foxconn, Comcast, Siemens, Lenovo, Spotify, Sony, and others, according to Hudson Rock and screenshots shared with the research.

The data also appears to include government, telecom, manufacturing, retail, logistics, and critical infrastructure targets.

Image credit: Hudson Rock

The campaign does not appear to be a simple password dump. Diachenko’s investigation describes a Russian-speaking, multi-operator group using exposed FortiGate systems, historical credential leaks, and infostealer logs to test access at high volume.

Hudson Rock says the operators ran about 1.16 billion credential attempts against more than 320,000 FortiGate targets, along with 2.1 billion brute-force attempts against more than 160,000 MSSQL servers.

Once a login worked, the attackers recorded it in a verified database. From there, the operation could feed itself: compromised firewall access may allow attackers to monitor VPN or gateway traffic, collect more credentials, and reuse them in later attacks.

Diachenko also reported deeper compromises in Japan, Taiwan, Vietnam, Iraq, and Turkey, including a Turkish NATO defense contractor where classified defense documents were allegedly stolen. Those claims have not yet been independently confirmed by Fortinet in the public material reviewed for this article.

FortiBleed Attack Exposes Credentials for Tens of Thousands of Fortinet Firewalls
Redacted screenshot showing alleged Fortinet firewall login entries, affected domains, FortiGuard IDs, industries, and country codes. (Credit: Bob Diachenko)

The technical concern here is not only weak passwords. Hudson Rock’s analysis says many of the successful credentials were complex passwords that had already been stolen through prior breaches, infostealer infections, or recovered firewall data. Password complexity offers little protection in that situation, because the attacker is not guessing; they are trying passwords that were already stolen.

Fortinet has previously warned customers that internet-facing FortiGate administration and VPN services require tight access controls, patching, and careful configuration. Its own FortiOS hardening guidance advises administrators to review default passwords, certificates, exposed management ports, and SSL VPN access when deploying or maintaining FortiGate systems.

Organizations using Fortinet devices should treat the report as a reason to move fast, but not panic. The first steps are clear: rotate FortiGate admin and VPN credentials, enforce MFA on all external access, restrict management interfaces to trusted IP ranges, review gateway logs for suspicious logins, remove unused accounts, and verify that FortiOS devices are fully patched.
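Two of the steps above, reviewing gateway logs for suspicious logins and restricting management access to trusted IP ranges, can be checked from exported logs. The following is an added example, not code from Hudson Rock, Diachenko, or Fortinet. It parses log lines in a key=value layout modelled on FortiGate event logs (the field names `action`, `user`, `remip`, `srcip`, `status`, and `subtype` are assumed to carry the meanings used here; the lines themselves are constructed) and flags three things the article describes: one source address failing against many accounts, a VPN login that succeeds from an address that was already failing against other accounts (the stolen-but-valid credential case, where the attacker does not guess), and an administrator login from outside a trusted range.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a FortiGate-style key=value format (assumed layout, not real device output).
# 203.0.113.45 fails against three accounts, then lands a valid credential for a fourth on the first try.
# 198.51.100.7 logs into the admin GUI from outside the trusted management range.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:01:12 type=event subtype=vpn action=ssl-login-fail user="jsmith" remip=203.0.113.45 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:01:13 type=event subtype=vpn action=ssl-login-fail user="mlee" remip=203.0.113.45 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:01:15 type=event subtype=vpn action=ssl-login-fail user="akhan" remip=203.0.113.45 reason="sslvpn_login_permission_denied"
date=2025-01-10 time=08:01:17 type=event subtype=vpn action=tunnel-up user="rgarcia" remip=203.0.113.45 tunneltype="ssl-web"
date=2025-01-10 time=08:05:02 type=event subtype=system action=login status=success user="admin" srcip=198.51.100.7 ui="https(198.51.100.7)"
date=2025-01-10 time=08:06:40 type=event subtype=system action=login status=success user="admin" srcip=10.0.5.20 ui="https(10.0.5.20)"
date=2025-01-10 time=09:12:00 type=event subtype=vpn action=tunnel-up user="jsmith" remip=10.0.8.14 tunneltype="ssl-web"
"""

# Matches key=value pairs where the value is either a quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def source_ip(record):
    """VPN events carry the client address in remip; admin logins carry it in srcip (assumed field names)."""
    return record.get("remip") or record.get("srcip")


def analyze(log_text, trusted_admin_nets, min_users=3):
    """Return findings for spraying sources, first-try successes from failing sources, and untrusted admin logins."""
    nets = [ipaddress.ip_network(net) for net in trusted_admin_nets]
    failed_users = defaultdict(set)  # source ip -> set of accounts with failed VPN logins
    successes = []                   # (source ip, user, "vpn" | "admin")

    for line in log_text.splitlines():
        record = parse_line(line)
        ip = source_ip(record)
        if not ip:
            continue
        action = record.get("action", "")
        user = record.get("user", "?")
        if record.get("subtype") == "vpn":
            if action == "ssl-login-fail":
                failed_users[ip].add(user)
            elif action == "tunnel-up":
                successes.append((ip, user, "vpn"))
        elif record.get("subtype") == "system" and action == "login" and record.get("status") == "success":
            successes.append((ip, user, "admin"))

    def in_trusted_range(ip):
        return any(ipaddress.ip_address(ip) in net for net in nets)

    return {
        # One address failing against at least min_users distinct accounts: password spraying or stuffing.
        "spraying_sources": sorted(ip for ip, users in failed_users.items() if len(users) >= min_users),
        # A VPN tunnel established from an address that was already failing against other accounts:
        # the credential was almost certainly already known to the attacker, not guessed.
        "success_after_failures": sorted(
            {(ip, user) for ip, user, kind in successes if kind == "vpn" and ip in failed_users}
        ),
        # Admin GUI/CLI logins that would have been blocked if management access were restricted to trusted ranges.
        "untrusted_admin_logins": sorted(
            {(ip, user) for ip, user, kind in successes if kind == "admin" and not in_trusted_range(ip)}
        ),
    }


if __name__ == "__main__":
    # Trusted management range is a constructed value; replace it with the organisation's own ranges.
    for name, hits in analyze(SAMPLE_LOGS, ["10.0.0.0/8"]).items():
        print(f"{name}: {hits}")
```

The `success_after_failures` finding is the one worth acting on first: a tunnel that comes up on the first attempt for an account from an address that was just failing against several others is the pattern the article attributes to replayed stolen credentials, and that account's password should be rotated regardless of how strong it was.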

Hudson Rock’s FortiBleed portal allows organizations to search for affected domains and request disclosure details. Companies that find a match should assume exposed credentials are already in criminal hands and begin containment, password rotation, and log review immediately.
