Overview
A large-scale credential theft campaign — now dubbed "FortiBleed" — has resulted in the exposure of administrator usernames and plaintext passwords for approximately 75,000 Fortinet firewall and VPN devices worldwide. The Canadian Centre for Cyber Security (CCCS) has issued a formal alert and is urging Canadian organizations to act immediately. Independent security researcher Kevin Beaumont has confirmed the data is authentic, noting that the dataset represents roughly half of all internet-facing Fortinet firewall devices globally. Canada has 810 devices listed in the dataset.
This is not a software vulnerability with a patch — it is a confirmed credential exposure event. Organizations using Fortinet FortiGate firewalls or VPN gateways should act immediately, regardless of patch level.
What You Need to Know
- What it is: Attackers obtained configuration files from Fortinet FortiGate firewall devices — likely by exploiting the devices directly — and cracked the administrator password hashes contained within those files. The resulting plaintext credentials were collected into a structured database that is now circulating among criminal groups.
- Why it matters: An attacker with valid admin credentials can log directly into your firewall, bypass all its security controls, create hidden backdoor accounts, and access your internal network as a trusted administrator. Multiple organizations across several countries have already been fully compromised.
- Who is affected: Organizations worldwide running Fortinet FortiGate firewalls or VPN gateways with management interfaces exposed to the internet. Canada has 810 devices in the dataset. Affected sectors include IT services, telecommunications, financial services, government, healthcare, education, and construction.
- Exploitation status: Active and confirmed. Multiple full network compromises have been verified, including a NATO-affiliated defence contractor. Kevin Beaumont independently verified credentials for several organizations listed in the dataset.
- Why complex passwords did not help: Fortinet began improving how it stores admin passwords in early 2025, moving to a stronger format (PBKDF2). However, this upgrade only took effect if administrators actively logged in after applying the firmware update. Many devices continued using an older, more crackable format (SHA-256 with salt). Attackers broke these using a dedicated 45-GPU cracking cluster. A complex password stored in a weaker format is just as vulnerable as a simple one.
- How this compares to the 2025 Belsen Group leak: The 2025 Belsen Group Fortinet leak involved 15,000 devices and was traced to a 2022 vulnerability. This dataset is largely different, more recent, and nearly five times larger. The exact method used to obtain the configuration files has not yet been confirmed.
- No official Fortinet advisory has been published as of the date of this alert.
Affected Products
- Devices: ~73,932 unique FortiGate firewall/VPN URLs across 194 countries
- Domains: 21,387 unique affected domains
- Canada: 810 devices in the dataset (25th highest globally)
- Top affected sectors: IT services, telecommunications, financial services, government services, healthcare, education, manufacturing, construction
- Common condition: Management interface exposed to the public internet
Recommended Actions
Canadian Centre for Cyber Security Guidance
-
Inventory all accounts on your Fortinet devices. Identify and immediately disable or remove any unauthorized or suspicious accounts — the CCCS specifically flags accounts named
forticloud-syncandforticloud-techas indicators of possible backdoor access. -
Restrict access to management interfaces to trusted internal networks and specific hosts only.
-
Terminate all active SSL VPN and administrative sessions immediately.
-
Reset passwords for all Fortinet VPN and administrative accounts.
-
Enforce multi-factor authentication (MFA) on all administrator accounts and external VPN gateways. MFA requires a second verification step beyond a password and would neutralize stolen credentials even if passwords are compromised.
-
Ensure all Fortinet devices are running the latest firmware. The CCCS specifically recommends checking for patches related to:
- CVE-2024-55591 (privilege escalation — allows attackers to gain high-level system access)
- CVE-2025-59718 and CVE-2025-59719 (authentication bypass — allows attackers to skip login controls entirely)
-
Review and implement the CCCS Top 10 IT Security Actions, with emphasis on:
- Consolidate, monitor, and defend internet gateways
- Patch operating systems and applications
- Enforce the management of administrative privileges
- Harden operating systems and applications
-
Report suspected activity to the CCCS via My Cyber Portal or by emailing [email protected].
Notes
- The root cause of the configuration file theft has not been confirmed. It may involve one or more known Fortinet CVEs, a new undisclosed vulnerability, or another method. Monitor Fortinet's PSIRT advisory page for updates: https://www.fortiguard.com/psirt
- This is a credential exposure event, not a traditional software vulnerability. Even fully patched devices may be affected if their configurations were previously stolen.
- The attacker database categorizes victims by company type, revenue, and employee count — consistent with criminal groups packaging compromised credentials for sale as initial access.
Additional Resources
Canadian Centre for Cyber Security — Alert AL26-014