The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory warning Fortinet customers to immediately secure their network devices following a major credential leak dubbed FortiBleed. The incident exposed nearly 74,000 sets of firewall and VPN credentials from FortiGate devices worldwide, representing one of the largest Fortinet-specific credential exposures on record.
What Is FortiBleed?
FortiBleed refers to a large-scale data dump containing plaintext usernames, passwords, and IP addresses harvested from FortiGate firewall and FortiClient VPN appliances. The leaked data — believed to have been compiled over an extended period through exploitation of known Fortinet vulnerabilities — was published on underground forums before being flagged by threat intelligence researchers.
The credentials span enterprises, government agencies, and critical infrastructure operators across dozens of countries, with a significant concentration in North America and Europe.
CISA's Response
CISA's advisory directs all organizations using Fortinet products to:
- Disable internet-facing management interfaces where not operationally required
- Rotate all administrative credentials immediately, including FortiOS accounts and any accounts that share passwords with Fortinet appliances
- Apply the latest Fortinet firmware updates to address known vulnerabilities that may have enabled the credential harvest
- Audit firewall rules and access logs for indicators of unauthorized access dating back to at least early 2026
- Enroll in Fortinet's Security Fabric threat intelligence feeds for ongoing monitoring
CISA emphasized that even organizations running fully patched devices should treat credentials as compromised until rotated, given the scope of the exposure.
Historical Context
This is not the first time Fortinet credentials have appeared in large-scale leaks. In 2021, a threat actor published a list of nearly 500,000 Fortinet VPN credentials; in late 2024, a similar leak surfaced. The recurring nature of these incidents reflects both the widespread deployment of Fortinet appliances in enterprise environments and the persistent attention of threat actors targeting perimeter security devices.
The FortiBleed designation mirrors language used by researchers to describe leaks stemming from memory-related vulnerabilities — a reference to the Heartbleed class of bugs — though CISA has not officially confirmed the specific technical mechanism behind this exposure.
Recommended Actions
Security teams should treat this incident as a credential compromise event regardless of whether their organization's specific devices appear in the leaked data:
- Audit all FortiGate and FortiClient VPN accounts and enforce password resets
- Enable multi-factor authentication on all administrative interfaces
- Review network segmentation to limit blast radius if a firewall credential is used for lateral movement
- Correlate Fortinet device logs against known-bad IPs and TTPs from threat intelligence feeds
- Check for unauthorized SSL-VPN sessions or configuration changes in the prior 90 days
Organizations can cross-reference their device IPs against the published FortiBleed dataset using indicators shared by threat intelligence vendors and CERT teams.
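The cross-reference described above, together with the SSL-VPN session review and threat-feed correlation from the list before it, as an added example that is not part of the original article and is not Fortinet, CISA or any vendor's tooling. It assumes a leaked dataset delivered as "ip,username,password" rows, a device inventory keyed by management/VPN IP, and FortiGate-style key=value syslog lines; the dataset, inventory, known-bad IP list and log lines are all constructed stand-ins, and the exact field names (action, tunneltype, user, remip) are an assumption to be adjusted to your own log schema.

```python
"""Triage helper for a credential-leak event: (1) find which of our own
FortiGate addresses appear in a leaked dataset so their credentials get
rotated first, and (2) flag SSL-VPN logins from known-bad IPs or for
accounts that appear in the leak. All sample data below is constructed."""
import re

# Constructed stand-in for a leaked dataset, one "ip,username,password" row
# per line. Real leak data should come from a vetted CERT or TI feed.
LEAKED_DATASET = """\
203.0.113.10,vpnadmin,REDACTED
203.0.113.10,jdoe,REDACTED
198.51.100.7,admin,REDACTED
"""

# Constructed inventory of our own internet-facing FortiGate addresses.
DEVICE_INVENTORY = {
    "fgt-hq-01": "203.0.113.10",
    "fgt-branch-02": "203.0.113.22",
    "fgt-dc-03": "198.51.100.7",
}

# Constructed known-bad source IPs (stand-in for a threat intelligence feed).
KNOWN_BAD_IPS = {"192.0.2.55"}

# Constructed log lines in a FortiGate-like key=value syslog style
# (field names are an assumption; adapt to your actual log schema).
SAMPLE_LOGS = """\
date=2026-02-01 time=03:14:07 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jdoe" remip=192.0.2.55
date=2026-02-01 time=09:02:11 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="asmith" remip=198.51.100.200
date=2026-02-01 time=11:45:30 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="vpnadmin" remip=203.0.113.99
date=2026-02-01 time=11:46:00 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="vpnadmin" remip=203.0.113.99
"""

# Matches key=value pairs where the value is either quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_leak(text):
    """Return {ip: {usernames}} from the leaked rows; passwords are discarded,
    since the only thing we need to know is which accounts to rotate."""
    exposed = {}
    for row in text.splitlines():
        if not row.strip():
            continue
        ip, user, _password = row.split(",", 2)
        exposed.setdefault(ip.strip(), set()).add(user.strip())
    return exposed


def devices_in_leak(inventory, leak):
    """Map device name -> sorted exposed usernames for every inventory IP
    that appears in the leaked dataset."""
    return {name: sorted(leak[ip]) for name, ip in inventory.items() if ip in leak}


def suspicious_vpn_logins(log_text, leak, bad_ips):
    """Return (timestamp, user, source_ip, reasons) for each SSL-VPN tunnel-up
    event coming from a known-bad IP or using an account found in the leak."""
    leaked_users = set().union(*leak.values()) if leak else set()
    hits = []
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("action") != "tunnel-up" or ev.get("tunneltype") != "ssl-tunnel":
            continue
        reasons = []
        if ev.get("remip") in bad_ips:
            reasons.append("source IP on known-bad list")
        if ev.get("user") in leaked_users:
            reasons.append("account appears in leaked dataset")
        if reasons:
            hits.append((ev["date"] + " " + ev["time"], ev["user"], ev["remip"], reasons))
    return hits


if __name__ == "__main__":
    leak = parse_leak(LEAKED_DATASET)
    for dev, users in devices_in_leak(DEVICE_INVENTORY, leak).items():
        print(f"[ROTATE] {dev}: credentials exposed for {users}")
    for when, user, ip, why in suspicious_vpn_logins(SAMPLE_LOGS, leak, KNOWN_BAD_IPS):
        print(f"[REVIEW] {when} user={user} from {ip}: {'; '.join(why)}")
```

Two design points: the leak parser throws the password column away immediately, so the triage output never carries plaintext secrets into tickets or SIEM dashboards; and the login check is deliberately an OR of two weak signals (bad source IP, leaked account), because a leaked account logging in from an unfamiliar address is exactly the session the article says to review, even when the address is not yet on any feed.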
FortiGuard Advisory
Fortinet's FortiGuard Labs has published guidance acknowledging the credential exposure and recommending customers use the FortiGuard Outbreak Alert page for the latest remediation steps. Fortinet has stated it is working with CISA and affected customers on incident response.
Given that Fortinet devices are classified as critical network perimeter infrastructure at many organizations, speed of response is essential — threat actors typically begin testing leaked credentials within hours of a public dump.