Recent reports from cybersecurity researchers have identified a large-scale credential exposure event, known as FortiBleed, involving credentials associated with Fortinet VPN and firewall devices worldwide. The exposed data reportedly includes usernames, email addresses, and plaintext passwords linked to approximately 73,000 Fortinet-related endpoints across 194 countries.
While the incident is not currently attributed to a newly discovered Fortinet vulnerability, the exposure of valid credentials significantly increases the risk of unauthorized access to affected environments. Organizations using Fortinet VPN and firewall solutions should review their security posture immediately and take appropriate precautions to reduce risk.
What Happened?
Researchers discovered a publicly accessible server containing what appeared to be valid Fortinet VPN credentials. The exposed information reportedly included:
- Usernames
- Email addresses
- Plaintext passwords
- Associated Fortinet VPN endpoints
If these credentials remain active, attackers may be able to gain unauthorized access to remote access services and administrative interfaces without needing to exploit a software vulnerability.
At the time of publication, CIRT-BS has not identified any .bs domains within the publicly reported dataset. However, organizations should not assume they are unaffected, as many use domains outside the .bs namespace or operate infrastructure through third-party providers.
Why This Matters
Fortinet VPN and firewall solutions are commonly used to secure remote access and protect organizational networks. Compromised credentials can potentially allow attackers to:
- Access VPN services and internal networks
- Log in to administrative interfaces
- Modify firewall and security configurations
- Create unauthorized accounts
- Move laterally across connected systems
- Access sensitive organizational data
Because this activity involves credential exposure rather than a newly disclosed vulnerability, organizations should focus on verifying the integrity of accounts and authentication mechanisms rather than relying solely on software updates.
Immediate Actions Recommended
Organizations using Fortinet VPN or firewall appliances should take the following actions as soon as possible:
1. Rotate VPN Credentials
Immediately reset passwords for:
- VPN users
- Administrative accounts
- Service accounts
- Shared accounts
- Third-party support accounts
Organizations should ensure that new passwords are unique and not reused across services.
2. Enforce Multi-Factor Authentication (MFA)
Multi-factor authentication should be enabled and enforced for all remote access and privileged accounts wherever supported.
3. Review VPN and Firewall Logs
Security teams should review logs for:
- Successful logins from unfamiliar locations
- Repeated failed authentication attempts
- Logins occurring outside normal business hours
- Unexpected administrative activity
- Configuration changes that were not authorized
4. Verify Device Security
Organizations should:
- Confirm devices are running supported firmware versions
- Review firewall configurations
- Remove unnecessary internet exposure of management interfaces
- Audit privileged accounts and permissions
Check Whether Your Domain Appears in the Dataset
Hudson Rock has made a free lookup tool available that allows organizations to check whether their domain appears in the publicly reported FortiBleed dataset.
Lookup Tool:
https://www.hudsonrock.com/fortinet
Organizations are encouraged to search their domains and investigate any positive findings immediately.
What to Look For
Organizations should investigate if they observe:
- Unknown VPN sessions
- New administrator accounts
- Unexplained configuration changes
- Authentication attempts from unexpected locations
- Suspicious outbound traffic
- User reports of account lockouts or password changes
Any indication of unauthorized access should be treated as a potential security incident and handled according to established incident response procedures.
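The checks listed under "Review VPN and Firewall Logs" and "What to Look For" can be run as a script over exported authentication events. The Python below is an added example, not code from CIRT-BS, Fortinet or Hudson Rock; the log lines are constructed, and the field names, action values, home-country list, business hours and failure threshold are assumptions to map to your own device's log schema and policy.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events. Field names and action values are assumptions;
# map them to the schema your VPN or firewall actually exports.
SAMPLE_LOG = """\
date=2025-01-06 time=09:14:02 action=login-ok user=alice remip=198.51.100.10 srccountry=BS
date=2025-01-06 time=02:47:31 action=login-ok user=bob remip=203.0.113.77 srccountry=ZZ
date=2025-01-06 time=10:01:00 action=login-fail user=carol remip=203.0.113.5 srccountry=BS
date=2025-01-06 time=10:01:04 action=login-fail user=carol remip=203.0.113.5 srccountry=BS
date=2025-01-06 time=10:01:09 action=login-fail user=carol remip=203.0.113.5 srccountry=BS
date=2025-01-06 time=11:30:00 action=admin-add user=alice remip=198.51.100.10 srccountry=BS
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping optional quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def review(log_text, home_countries=("BS",), work_hours=(8, 18), fail_threshold=3):
    """Return sorted (user, reason) findings for the checks listed above."""
    findings, fails = set(), Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not {"date", "time", "action", "user"} <= ev.keys():
            continue  # skip lines that are not complete events
        when = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        user, action = ev["user"], ev["action"]
        if action == "login-fail":
            fails[user] += 1
        elif action == "login-ok":
            if ev.get("srccountry") not in home_countries:
                findings.add((user, "login from unfamiliar location"))
            off_hours = not work_hours[0] <= when.hour < work_hours[1]
            if off_hours or when.weekday() >= 5:
                findings.add((user, "login outside business hours"))
        elif action in ("admin-add", "config-change"):
            findings.add((user, "administrative change to confirm as authorized"))
    for user, count in fails.items():
        if count >= fail_threshold:
            findings.add((user, "repeated failed authentication"))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in review(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Each finding is a prompt for manual review against change records and user confirmation, not proof of compromise.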
CIRT-BS Guidance
Although no confirmed impact to Bahamian organizations has been identified at the time of publication, CIRT-BS recommends that all organizations operating Fortinet VPN or firewall devices proactively review their environments and validate that appropriate security controls are in place.
Credential-based attacks remain one of the most effective methods used by threat actors to gain access to organizational networks. Strong password hygiene, multi-factor authentication, continuous monitoring, and timely credential rotation remain critical defensive measures.
For additional assistance or to report a cybersecurity incident, please visit:
CIRT-BS will continue to monitor this situation and provide updates as additional information becomes available.


