FortiBleed — 75k Fortinet firewalls have admin passwords cracked | by Kevin Beaumont | Jun, 2026 | DoublePulsar
Cybersecurity from the trenches, written by Kevin Beaumont. Opinions are of the author alone, not their employer.
FortiBleed — 75k Fortinet firewalls have admin passwords cracked
Kevin Beaumont
3 min read · 5 hours ago
An interesting post popped up on LinkedIn at the weekend from Volodymyr Diachenko, saying plain text passwords for Fortinet firewalls had been found in the wild by Hunt Intelligence Inc.
This is similar to the Belsen Group incident, which I revealed last year in "2022 zero day was used to raid Fortigate firewall configs. Somebody just released them." (doublepulsar.com).
I’ve had a look at the data, with the help of the folks at Hudson Rock, and can confirm:

- The data is legit. It is around 75k devices, almost all of which are still online and are Fortinet devices. It appears to be recent data.
- The data appears to have come from exports of config from the devices, as it includes things which are only visible from the device itself.
- The IP addresses are largely different to the Belsen Group leak, which was 15k devices. It includes mostly devices not in the Belsen Group leak, and in this case most of the devices are still online — this isn’t data from 2022.
- I have worked with several orgs listed, and can confirm the logins and passwords are real. Many of the devices sampled are on fairly recent patches.
- The data comprises roughly 50% of all Fortinet firewall devices facing the internet, based on polling from Shodan.
- In a majority of cases, the Fortigate management interface is exposed to the internet on impacted devices.

What could attackers do with this information?

They can log in remotely and gain access to the firewall — and so to the network. They can also change settings, including security controls, and create backdoor users.

How did this happen?

It is currently unclear. With the Belsen Group incident, a 2022 zero day was used to dump the configs, with the data published much later, in 2025.
With this, it is unclear how the configs were exported or how the devices were accessed. It may be from one of the many, many known CVEs for Fortinet firewalls — or it may be a new vulnerability — stay tuned for updates.

Fortinet tried to harden the storage of admin credentials in early 2025, after my prior blog.
You’ll note the move to PBKDF2 storage of credentials. This happened in recent firmware updates applied during the past 12 or so months — and it only takes effect for an admin account once that admin logs in after applying the update.

As such, many devices would still have been storing credentials as salted SHA-256 — which is vulnerable to brute force to recover passwords from stolen config files.

What should orgs do?

Check whether you are impacted. Do that here: https://www.hudsonrock.com/fortinet

Enter your domain name(s). If you are impacted:

- rotate admin credentials immediately and look for prior logins to those users
- if you see suspect successful logins to admin users, I would suggest replacing the device, as attackers may have altered settings to backdoor it
- upgrade to the latest FortiOS release, and have admins log back in to change passwords
- do not expose the FortiOS management interface to the internet unless absolutely necessary
- implement multi-factor authentication on all admin users
- assume compromise. It is unclear where Hunt Intelligence obtained the data from and how long it has been in circulation; however, it is formatted in a way which looks like an eCrime gang — e.g. it lists the type of company, their revenue and country. This is a very common format in eCrime circles when selling initial access information.

Updates

You can follow me on Mastodon if you wish (to suffer, I guess): Kevin Beaumont (@GossiTheDog@cyberplace.social)
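To make concrete why the PBKDF2 migration only protects an admin who has logged in since the update (and why the advice above says to have admins log back in), here is an added illustration, not Fortinet's code: a credential store that verifies a login and, only on success, rehashes a legacy salted SHA-256 entry as PBKDF2, because the plaintext needed to compute the new hash exists only at that moment. The record layout, scheme names and round count are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for a firewall's admin credential store. The record
# layout, scheme names and round count are assumptions for illustration,
# not FortiOS's real on-disk format.
LEGACY_SCHEME = "sha256-salted"   # one SHA-256 call per guess: cheap to crack offline
MODERN_SCHEME = "pbkdf2-sha256"
PBKDF2_ROUNDS = 600_000           # assumed work factor; the post does not state Fortinet's

@dataclass
class StoredCredential:
    scheme: str
    salt: bytes
    digest: bytes
    rounds: int = 1               # hash primitive calls an attacker pays per guess

def hash_password(password: str, scheme: str, salt: bytes,
                  rounds: int = PBKDF2_ROUNDS) -> StoredCredential:
    pw = password.encode()
    if scheme == LEGACY_SCHEME:
        return StoredCredential(scheme, salt, hashlib.sha256(salt + pw).digest(), 1)
    if scheme == MODERN_SCHEME:
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, rounds)
        return StoredCredential(scheme, salt, digest, rounds)
    raise ValueError(f"unknown scheme {scheme}")

def verify(cred: StoredCredential, password: str) -> bool:
    candidate = hash_password(password, cred.scheme, cred.salt, cred.rounds)
    return hmac.compare_digest(candidate.digest, cred.digest)

def needs_rehash(cred: StoredCredential) -> bool:
    return cred.scheme != MODERN_SCHEME or cred.rounds < PBKDF2_ROUNDS

def login(store: dict, user: str, password: str) -> bool:
    """Check a login; on success, upgrade a legacy hash in place. This is the
    only point where the plaintext exists, so an admin who never logs in after
    the firmware update keeps the weak hash in the config file."""
    cred = store.get(user)
    if cred is None or not verify(cred, password):
        return False
    if needs_rehash(cred):
        store[user] = hash_password(password, MODERN_SCHEME, os.urandom(16))
    return True

def make_demo_store() -> dict:
    # Constructed sample: an admin whose hash predates the firmware update.
    return {"admin": hash_password("correct horse", LEGACY_SCHEME, os.urandom(8))}
```

Note that the rehash only changes how the same password is stored; if the config was already exfiltrated, the attacker holds the old salted SHA-256 hash, so only rotating the password (as the advice above says) invalidates what they have.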