74,000 Fortinet firewalls. Admin passwords cracked. No CVE.

If you run FortiGate infrastructure, the question is not whether to act — it is how fast.

On June 17, security researcher Bob Diachenko discovered an exposed server containing verified admin credentials for 73,932 Fortinet FortiGate devices across 194 countries. The campaign, now called FortiBleed, was confirmed by Hudson Rock and independently verified by Kevin Beaumont: the credentials are real and the devices are still online. The dataset covers roughly half of all internet-accessible FortiGate appliances and includes Samsung, Siemens, Oracle, Accenture, DHL, PwC, and at least one NATO defence contractor whose classified documents were allegedly exfiltrated.

A Russian-speaking criminal group intercepted SSL VPN authentication hashes and cracked them offline using a 45-GPU compute cluster — 1.16 billion credential attempts against 320,000 FortiGate targets. After successful authentication they deployed network sniffers capturing all transiting traffic: VPN sessions, LDAP bind requests, Active Directory authentication, service account calls.

The part that matters for patched devices: Fortinet migrated to PBKDF2 password hashing in early 2025. PBKDF2 is deliberately slow and crack-resistant; a plain SHA-256 hash is fast and is not. But the stored hash is only re-computed with PBKDF2 when an admin logs back into the device after applying the firmware update. Any device that was patched but whose admins never re-authenticated stayed on SHA-256, fully exposed to offline cracking. You could be running the latest firmware and still be in this dataset.

If you own Fortinet infrastructure, do this now:

Rotate all admin and VPN credentials immediately. Force every admin account to log back into the device after updating — this triggers the PBKDF2 re-hash. Restrict management interface access to internal networks. Enable MFA on all external interfaces. Check whether your domain is in the FortiBleed dataset via the Hudson Rock lookup tool. Review authentication logs for anomalous activity from June 17 onward.
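To make the last checklist step concrete, here is an added example (not from this post and not Fortinet's own tooling) that reviews FortiGate-style key=value event logs and flags successful admin logins on or after the cutoff date that came from outside RFC 1918 address space. The log lines are constructed; the year (2025) and the exact field names (date, time, action, status, user, srcip) are assumptions about the FortiOS log schema and should be checked against your own exports.

```python
"""Flag post-cutoff admin logins from external addresses in FortiGate-style logs.

Sample lines below are constructed for this example. Field names follow the
FortiOS key=value event-log style but are an assumption, not a schema guarantee.
"""
import ipaddress
import re
from datetime import date

# Assumed year: the post only says "June 17".
CUTOFF = date(2025, 6, 17)
# Management access should come from these ranges only (RFC 1918).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOGS = """\
date=2025-06-15 time=08:01:10 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.20.0.5 ui="https(10.20.0.5)"
date=2025-06-18 time=02:14:33 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.77 ui="https(203.0.113.77)"
date=2025-06-18 time=02:15:01 type="event" subtype="system" action="login" status="success" user="fw-backup" srcip=198.51.100.9 ui="ssh(198.51.100.9)"
date=2025-06-19 time=09:30:00 type="event" subtype="system" action="login" status="failed" user="admin" srcip=192.168.1.40 ui="https(192.168.1.40)"
"""


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_internal(ip):
    """True when the address falls inside one of the INTERNAL ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def flag_suspicious_logins(log_text, cutoff=CUTOFF):
    """Return (user, srcip, date) for successful logins on/after cutoff
    whose source address is outside the internal management ranges."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "login" or rec.get("status") != "success":
            continue  # only successful sessions indicate credential use
        if date.fromisoformat(rec["date"]) < cutoff or is_internal(rec["srcip"]):
            continue
        hits.append((rec["user"], rec["srcip"], rec["date"]))
    return hits


if __name__ == "__main__":
    for user, src, day in flag_suspicious_logins(SAMPLE_LOGS):
        print(f"REVIEW: {user} logged in from external {src} on {day}")
```

Every hit is a session to investigate and a reason to rotate that account's credentials; a failed external login, although not flagged here, still shows the management interface is reachable from outside.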

ASD’s ACSC issued a critical alert this morning. This requires action today, not next maintenance window.

Links for a deeper technical dive are in the comments.