Cybercriminals compromise tens of thousands of Fortinet firewalls, researchers say

Researchers have uncovered a large-scale hacking campaign that compromised tens of thousands of Fortinet firewalls used by major organizations worldwide. The attackers, described as Russian-speaking, gained access to the devices by reusing previously exposed passwords, a technique known as credential stuffing, rather than by exploiting an unknown vulnerability. The campaign, which remains ongoing, exposed plaintext credentials online and gave the threat actors a foothold inside affected networks. Victims include major corporations such as Oracle and Lenovo, according to multiple sources. Independent security researchers confirmed that the compromised credentials are real and current. Fortinet acknowledged the reports but stated that the data appears to involve reused credentials from previous incidents and brute-forcing, not a new vulnerability. The affected devices include firewalls and VPN gateways, and compromised organizations span numerous countries and industries.

What’s verified

Russian-speaking attackers compromised tens of thousands of Fortinet firewalls using previously known passwords (credential stuffing).
The hacking campaign is ongoing and exposed plaintext credentials online.
Independent researchers verified that the compromised data is legitimate and current.
Victims include major companies such as Oracle and Lenovo.
The attackers scanned the internet for exposed Fortinet devices and then used automated tools to break in.

Where accounts differ

The number of compromised devices varies: one source reports 73,000 unique Fortinet URLs, another reports nearly 74,000 devices from 21,000 IP addresses, and a third reports 30,000 devices.
One source lists Fortinet itself among the victim organizations; the other source does not mention Fortinet as a victim.
One source refers to the campaign by the name “FortiBleed”; the other source does not use that name.
The lists of reported victim companies differ between sources, with only Oracle and Lenovo appearing in both.

Not yet confirmed

It is unclear whether Fortinet’s own devices were compromised, as only one source reports that.
The attackers’ full motive is not specified, though one source describes them as criminally motivated.
The exact total of compromised devices remains uncertain due to conflicting figures.
It is not known how many of the affected organizations have fully remediated the issue.
Fortinet’s complete statement on the incident comes from only one source.

Key figures

Bob Diachenko (security researcher)
Kevin Beaumont (independent researcher)
Hudson Rock (cybersecurity firm)
SOCRadar (cybersecurity firm)
Tiffany Curci (Fortinet spokesperson)

Sources: TechCrunch, Ars Technica
