CISA Warns Fortinet Users of Credential Exposure After FortiBleed Leak

"CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials," the U.S. Cybersecurity and Infrastructure Security Agency said. That alert frames a leak and attack campaign that exposed nearly 74,000 Fortinet firewall and VPN credentials and prompted an international defensive response.

CISA advisory: immediate steps for affected FortiGate owners

CISA told Fortinet customers to take a series of actions designed to cut access to compromised accounts and to harden devices against follow-on abuse. The agency urged owners of affected FortiGate appliances to terminate all SSL VPN and administrative sessions, reset all VPN and administrative passwords, enable phishing-resistant multifactor authentication, and review logs for signs of unauthorized access or lateral movement. CISA also advised storing admin credentials using the modern Password-Based Key Derivation Function 2 (PBKDF2) hashing algorithm, restricting firewall management interfaces from public internet access, and removing any unauthorized accounts to reduce the attack surface.
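The log-review step in that checklist is the one that needs tooling. The following added example (not from CISA, Fortinet or the researchers cited here) scans FortiOS-style SSL VPN event logs for a source IP with many failed logins spread across several usernames followed by a successful tunnel, the pattern a credential from a leaked dataset would leave when used after a high-volume guessing run. The field names (`action`, `remip`, `user`, `subtype`) and the sample lines are assumptions constructed for the example, not copied from a real device.

```python
import re
from collections import defaultdict

# Constructed sample of FortiOS-style SSL VPN event log lines (key=value pairs).
# Field names are an assumption based on the common FortiOS event/vpn log layout;
# the addresses, users and times are invented for this example.
SAMPLE_LOG = """\
date=2025-09-10 time=08:00:01 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=203.0.113.5 reason="sslvpn_login_unknown_user"
date=2025-09-10 time=08:00:02 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="asmith" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2025-09-10 time=08:00:03 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="bkim" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2025-09-10 time=08:00:04 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2025-09-10 time=08:00:09 logid="0101039424" type="event" subtype="vpn" action="tunnel-up" user="asmith" remip=203.0.113.5 tunnelid=123
date=2025-09-10 time=08:05:00 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="ccole" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
date=2025-09-10 time=08:05:20 logid="0101039424" type="event" subtype="vpn" action="tunnel-up" user="ccole" remip=198.51.100.7 tunnelid=124
"""

# Matches key=value where the value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_suspicious_logins(log_text, fail_threshold=3):
    """Return {remip: {"failures", "users", "success_after_spray"}} for every
    source IP whose failed SSL VPN logins reach fail_threshold. A tunnel-up
    from such an IP after the failures is recorded in success_after_spray:
    that is the indicator that a valid credential was used once guessing
    stopped, and the account should be treated as compromised."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_spray": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("subtype") != "vpn":
            continue  # only VPN events matter for this check
        ip = rec.get("remip")
        if rec.get("action") == "ssl-login-fail":
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(rec.get("user"))
        elif rec.get("action") == "tunnel-up" and stats[ip]["failures"] >= fail_threshold:
            stats[ip]["success_after_spray"].append(rec.get("user"))
    return {ip: {"failures": s["failures"], "users": sorted(s["users"]),
                 "success_after_spray": s["success_after_spray"]}
            for ip, s in stats.items() if s["failures"] >= fail_threshold}

if __name__ == "__main__":
    for ip, s in find_suspicious_logins(SAMPLE_LOG).items():
        print(ip, s)
```

Accounts listed under `success_after_spray` are the ones whose sessions should be terminated and passwords reset first; in the sample, 203.0.113.5 is flagged and 198.51.100.7 (one failure, then success) is not.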

Volodymyr "Bob" Diachenko's discovery: what leaked and who appeared in it

Security researcher Volodymyr "Bob" Diachenko discovered a server that contained what appeared to be valid Fortinet VPN credentials — usernames, email addresses and plaintext passwords — for 73,932 firewall URLs worldwide. Diachenko said the exposed dataset also included each organization's industry, revenue and employee count, details he said appeared to be compiled to assist in planning future attacks. The dataset reportedly spanned 21,632 unique domains and 194 countries, and included entries for Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T and Toyota, along with many government agencies and critical infrastructure operators across telecommunications, healthcare, financial services and manufacturing sectors.

Scope of the campaign and who is accused

Diachenko attributed the operation to a Russian-speaking threat group that, he said, carried out approximately 1.16 billion credential attempts against more than 320,000 FortiGate targets to intercept SSL VPN authentication hashes. Threat intelligence company Hudson Rock described the dataset as one of the largest known collections of compromised Fortinet credentials. Independent security expert Kevin Beaumont also confirmed the authenticity of some credentials: "The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data," he said. The source of the configuration data remains unknown.

Parallel findings: Hudson Rock, Defused and vulnerability tracking

Hudson Rock not only analyzed the dataset but created a free FortiBleed lookup tool to help organizations check whether they are affected. Separately, threat intelligence company Defused reported that several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform are now being exploited in attacks. CISA notes it tracks 26 Fortinet security flaws that have been exploited in the wild in recent years, 13 of which were abused in ransomware attacks — a tally the agency continues to monitor as part of its advisory work.

What this means for security teams, affected enterprises, and policymakers

  • Security teams: The CISA checklist — session termination, password resets, phishing-resistant MFA, PBKDF2 for stored admin credentials, and restricting public management interfaces — defines immediate operational priorities. Teams will also need to review logs for unauthorized access and potential lateral movement.
  • Affected enterprises and operators of critical infrastructure: Organizations named in the dataset and those operating FortiGate devices should use the Hudson Rock lookup tool to confirm exposure, follow CISA's mitigations, and audit accounts and management access to remove unauthorized entries.
  • Policymakers and regulators: The combination of a large credential dataset, active exploitation reports from Defused, and CISA's tracking of 26 exploited Fortinet flaws underscores an ongoing assessment task: determining whether additional guidance, coordinated disclosure expectations, or reporting requirements are warranted for compromises affecting critical infrastructure.

The central unanswered question is the origin of the configuration data. The source remains unknown, and CISA noted it is unclear whether the credentials were stolen through exploitation of previously disclosed Fortinet vulnerabilities, a newly discovered security flaw, or another method. That gap matters: the remedy and the urgency for patching or other countermeasures depend on whether an undisclosed vulnerability is in active use.

For organizations with internet-accessible Fortinet devices, the facts are stark and immediate: a large, apparently valid collection of credentials exists in the wild; many affected devices appear to remain online; and threat actors have been observed conducting high-volume credential attempts. CISA's mitigations provide a short checklist — session termination, password changes, stronger MFA, credential storage hardening and reduced internet exposure — that owners can act on today while investigators work to trace the leak's origin.