The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to Fortinet customers after a large-scale credential theft campaign, dubbed FortiBleed, compromised tens of thousands of internet-accessible devices. The operation, attributed to Russian-speaking threat actors, has exposed firewall and VPN credentials on a massive scale.

According to The Hacker News and SecurityWeek, 86,644 FortiGate appliances were compromised, while BleepingComputer reported nearly 74,000 credentials leaked. The figures are not directly comparable, since one counts appliances and the other credentials, and the discrepancy may also reflect different measurement windows or counting methods. CISA described the campaign as sweeping and ongoing, urging immediate defensive measures.

The attack appears to target internet-accessible Fortinet firewalls and VPNs, with roughly half of such devices reportedly affected. The stolen credentials could enable further intrusions into corporate networks, data breaches, or ransomware deployment. Technical indicators of compromise have not been publicly detailed by CISA or Fortinet at this time.

CISA advises Fortinet customers to ensure devices are fully patched, change all credentials, enable multi-factor authentication, and audit logs for unauthorized access. Fortinet has not yet released a specific patch for FortiBleed, but keeping firmware up to date is recommended. Affected organizations should assume compromise and conduct forensic analysis.

Attribution to Russian-speaking actors aligns with recent trends in state-adjacent cyber operations targeting critical infrastructure. However, no official confirmation of specific group involvement has been provided. The true scope of exploited devices may be larger than current estimates suggest, as not all compromised systems have been publicly identified.