Prepared by: Brandon Sawyer, Vulnerability Analyst | Published: Mon 23 June 2026
Summary
On 19 June 2026, Fortinet disclosed that a widespread campaign is actively targeting Fortinet firewalls and SSL‑VPN gateways, leveraging exposed or previously compromised credentials to gain unauthorized access to devices and associated networks. Current analysis indicates this is not a new vulnerability, but rather a large-scale credential harvesting and reuse campaign exploiting poor credential hygiene and exposed management interfaces. This activity has been referred to as “FortiBleed”. Fortinet believes the activity involves threat actors reusing credentials from previous incidents (FG-IR-26-060, FG-IR-25-647) and employing brute force techniques against devices with weak passwords and no multi-factor authentication (MFA).
On 22 June 2026, the Australian Cyber Security Centre (ACSC) issued similar guidance and has urged all Australian businesses that use affected Fortinet devices to act immediately and follow the mitigation and detection advice detailed below.
Impact
Organisations using Fortinet devices may face:
- Unauthorized administrative access
- Exposure and reuse of VPN/user credentials
- Persistence via rogue or newly created accounts
- Potential compromise of connected internal systems
Mitigation actions
Organisations are advised to proactively follow this approach to limit their potential risk or exposure.
Immediate Actions
- Reset all administrator and VPN credentials and terminate active sessions
- Enforce MFA for all administrative and remote access
- Patch and upgrade devices to supported firmware versions
Hardening Measures
- Restrict or eliminate internet-facing management interfaces
- Ensure credentials are stored using PBKDF2 hashing (via updated firmware) and that regular credential rotation is enforced for better password hygiene
- Audit configurations and compare against known-good baselines
More information and guidance on additional security best practices can be found in Fortinet's Best Practices guide (see References).
Detection capabilities
Organisations should investigate logs for:
- Unrecognized administrator or VPN accounts (e.g., suspiciously named accounts)
- Unexpected login activity from unknown IP addresses
- Unapproved configuration changes
- Suspicious VPN activity or abnormal login locations
- Evidence of lateral movement within the network
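The log checks listed above can be scripted as a first-pass triage. The following is an added example, not code from this advisory, Fortinet or Triskele Labs. It assumes events exported as key=value lines; the field names (`user`, `srcip`, `action`, `status`, `cfgpath`, `cfgobj`), the approved-account list, the management network and the failure threshold are all assumptions to adapt to your own log export.

```python
import ipaddress
import re

# Assumptions for this example: replace with your approved accounts and management networks.
APPROVED_ADMINS = {"admin", "netops-admin"}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAIL_THRESHOLD = 3  # failed logins from one IP before a later success is flagged
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')  # matches key=value or key="quoted value"

# Constructed sample events; the key=value layout and field names are assumptions.
SAMPLE_LOG = """
date=2026-06-20 time=02:11:01 user="netops-admin" srcip=10.20.0.15 action="login" status="success"
date=2026-06-20 time=03:40:10 user="admin" srcip=203.0.113.50 action="login" status="failed"
date=2026-06-20 time=03:40:12 user="admin" srcip=203.0.113.50 action="login" status="failed"
date=2026-06-20 time=03:40:15 user="admin" srcip=203.0.113.50 action="login" status="failed"
date=2026-06-20 time=03:40:19 user="admin" srcip=203.0.113.50 action="login" status="success"
date=2026-06-20 time=03:42:30 user="admin" srcip=203.0.113.50 action="add" cfgpath="system.admin" cfgobj="svc-backup2"
date=2026-06-20 time=03:50:02 user="svc-backup2" srcip=198.51.100.7 action="login" status="success"
"""

def is_mgmt(ip):
    """True only if ip parses and sits inside an approved management network."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)
    except ValueError:
        return False

def review(log_text):
    """Return (timestamp, finding, user, srcip) tuples for the checks listed above."""
    findings, failures = [], {}
    for line in filter(str.strip, log_text.splitlines()):
        ev = {k: v.strip('"') for k, v in PAIR.findall(line)}
        user, ip = ev.get("user", ""), ev.get("srcip", "")
        action, status = ev.get("action", "").lower(), ev.get("status", "").lower()
        when = f'{ev.get("date")} {ev.get("time")}'
        if action == "login" and status == "failed":
            failures[ip] = failures.get(ip, 0) + 1
        elif action == "login" and status == "success":
            if user not in APPROVED_ADMINS:
                findings.append((when, "unrecognised-account", user, ip))
            if not is_mgmt(ip):
                findings.append((when, "unknown-source-ip", user, ip))
            if failures.pop(ip, 0) >= FAIL_THRESHOLD:
                findings.append((when, "success-after-failures", user, ip))
        elif action == "add" and ev.get("cfgpath") == "system.admin":
            findings.append((when, "admin-account-created", user, ip))
        elif action in ("add", "edit", "delete") and not is_mgmt(ip):
            findings.append((when, "config-change-from-unknown-ip", user, ip))
    return findings
```

Calling `review(SAMPLE_LOG)` returns five findings for the constructed events: the external login that follows three failures, the new administrator account, and the first login by that new account.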
MDR customers: Triskele Labs will continue tuning detections for behaviours consistent with the exploitation of Fortinet Firewalls and VPN Gateways across supported log sources.
References
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices
- https://www.cyber.gov.au/about-us/view-all-content/Reported-widespread-credential-exposure-affecting-Fortinet-Firewalls-and-VPN-Gateways
- https://docs.fortinet.com/document/fortigate/7.6.0/best-practices/587898/getting-started
- https://www.fortiguard.com/psirt/FG-IR-26-060
- https://www.fortiguard.com/psirt/FG-IR-25-647