Massive Credential Leak: 74,000 Fortinet Firewalls Compromised

Oracle, Lenovo, FedEx, and a NATO Contractor Among Victims of Attack That Exposed Sensitive Network Keys

June 20, 2026 · 3 min read

TL;DR: Attackers linked to Russian-speaking groups compromised roughly 74,000 Fortinet firewalls, exposing credentials from thousands of organizations, including Oracle, Lenovo, FedEx, and a NATO contractor. Nearly all of the affected devices remain online, and the leaked credentials are valid and current.

What Happened?

Security researchers have uncovered a massive breach of Fortinet firewalls, affecting approximately 74,000 devices behind more than 21,000 IP addresses in 194 countries. According to Bob Diachenko, head of SecurityDiscovery.com, the attackers, linked to Russian-speaking groups, obtained plaintext credentials along with contextual data for each compromised organization, such as industry, revenue, and employee count. Researcher Kevin Beaumont confirmed that nearly all of the devices were still online and that the credentials were real and current, which indicates the breach has largely not been remediated. Confirmed victims include Oracle, Chevron, Lenovo, Federal Express, a NATO contractor, and Fortinet itself, as reported by Ars Technica. Diachenko obtained the data by accessing the attackers' command-and-control server, which revealed a large-scale intelligence-gathering operation rather than an opportunistic one-off.

Significance of the Incident

The scale of this incident is exceptional: it represents roughly half of all Fortinet firewalls exposed on the internet, according to Shodan data. The attackers not only stole credentials but in many cases went on to access centralized authentication systems such as RADIUS servers and Microsoft Active Directory, which amplifies the risk of lateral movement within victim networks. In other words, the compromise may extend beyond the firewalls to the authentication infrastructure that controls access to critical resources. The exposure of credentials belonging to high-profile organizations, including a NATO contractor and Fortune 500 companies, could have national security and industrial espionage implications. That Fortinet itself appears among the victims shows that even the manufacturer's own devices were not spared. The incident underscores how fragile perimeter security becomes when device credentials are recoverable in plaintext and patches are not applied in a timely manner.

Consequences and Context

This incident echoes CVE-2022-40684, the critical authentication bypass in the FortiOS administrative interface disclosed in 2022, but on a much larger scale. At that time, the flaw allowed unauthenticated attackers to perform administrative operations through crafted requests to the management interface. The exact vector of the current breach has not been detailed, but it appears to have been facilitated by weak or default credentials combined with a lack of patching. The exposure of plaintext credentials is particularly severe, since it gives attackers direct access without the need to exploit any additional vulnerability. Affected organizations must immediately rotate every exposed credential, including administrator passwords, service keys, certificates, and the service accounts the firewall uses to query RADIUS or Active Directory, since those backend systems were reached in many cases. They should also review administrative access logs for logins from unexpected sources and assume that attackers may have established persistence (for example, by adding administrator accounts). The magnitude of this breach could trigger a wave of secondary attacks, such as ransomware or data theft, if victims do not act quickly. From a market perspective, trust in Fortinet could suffer, especially if it emerges that the company did not adequately notify customers or that the weakness was known but not addressed in time.
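The log review recommended above is the kind of check that is easy to script. The following is an added example, not code from the article or from Fortinet: it parses FortiOS-style key=value event log lines and flags successful administrator logins that either come from outside a trusted management network or follow a burst of failed attempts from the same source. The log lines, the trusted network (10.0.5.0/24) and the device name are constructed for the example; the field names follow the FortiOS event log format for admin login events.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample FortiGate event log lines (FortiOS key=value syslog style).
# These are not real logs from any affected device.
SAMPLE_LOGS = """\
date=2026-06-18 time=09:12:01 devname="fw-edge-01" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.5.20)" method="https" srcip=10.0.5.20 action="login" status="success" reason="none" profile="super_admin"
date=2026-06-18 time=09:13:44 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" method="https" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=09:13:51 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" method="https" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=09:14:02 devname="fw-edge-01" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" method="https" srcip=198.51.100.77 action="login" status="success" reason="none" profile="super_admin"
date=2026-06-18 time=23:40:10 devname="fw-edge-01" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="svc_backup" ui="ssh(203.0.113.9)" method="ssh" srcip=203.0.113.9 action="login" status="success" reason="none" profile="prof_admin"
"""

# Assumed trusted management network; in practice this mirrors the
# "trusthost" entries configured on the administrator accounts.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one FortiOS key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_trusted(src, trusted_nets):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted_nets)


def find_suspicious_admin_logins(log_text, trusted_nets=TRUSTED_ADMIN_NETS):
    """Return successful admin logins that are worth a human look.

    A login is reported if its source is outside the trusted management
    networks, or if the same (user, source) pair failed before succeeding.
    """
    findings = []
    failures = defaultdict(int)  # (user, srcip) -> failed attempts seen so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "event" or rec.get("action") != "login":
            continue
        user, src, status = rec.get("user"), rec.get("srcip"), rec.get("status")
        if not src:
            continue
        if status == "failed":
            failures[(user, src)] += 1
            continue
        if status != "success":
            continue
        reasons = []
        if not is_trusted(src, trusted_nets):
            reasons.append("source_outside_trusted_hosts")
        if failures[(user, src)]:
            reasons.append("success_after_%d_failures" % failures[(user, src)])
        if reasons:
            findings.append({
                "when": "%s %s" % (rec.get("date"), rec.get("time")),
                "device": rec.get("devname"),
                "user": user,
                "srcip": src,
                "method": rec.get("method"),
                "profile": rec.get("profile"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admin_logins(SAMPLE_LOGS):
        print(f)
```

The first login (from 10.0.5.20) is inside the trusted range and is not reported; the 09:14:02 login from 198.51.100.77 is reported for both reasons, and the late-night SSH login by svc_backup from 203.0.113.9 is reported because its source is untrusted. On a real deployment the same logic runs over the syslog export; the useful part is the trusted-network comparison, since a valid password presented from an unexpected address is exactly what a stolen credential looks like.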

What Should Readers Know?

If your organization uses Fortinet firewalls, check whether they are patched and whether their credentials appear in the leaked data. You can consult the list of compromised IPs published by Diachenko, or use tools like Shodan to verify whether your devices' management interfaces are reachable from the internet. Enable multi-factor authentication for all administrative access, restrict management access to trusted hosts rather than exposing it to the whole internet, and monitor for suspicious logins. Individual users should change passwords on services linked to these companies and stay alert for phishing, since attackers may use the stolen credentials for targeted attacks. Organizations should also consider network segmentation and apply least-privilege principles to limit the impact of future breaches. This incident reinforces the need for rigorous patch management and for avoiding plaintext credential storage. Collaboration between researchers and the security community is crucial to mitigating the effects of this and future threats.
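Cross-checking a published list of compromised IPs against your own address space is the first concrete step above. The following is an added example, not code from the article or from the researchers involved: it reads an IP list of the kind Diachenko published, tolerates comments and malformed entries, and reports which entries fall inside netblocks you own, using CIDR containment so that a /25 or an IPv6 prefix is matched correctly rather than by string comparison. The leaked-list contents and the owned ranges (203.0.113.0/25 and 2001:db8:1::/48) are constructed for the example.

```python
import ipaddress

# Constructed stand-in for a published list of compromised firewall IPs.
# This is NOT the real list; it only mimics the one-IP-per-line shape.
LEAKED_IPS_TXT = """\
# leaked-fortigate-ips.txt (constructed sample)
203.0.113.14
203.0.113.200   # outside our /25
198.51.100.7
2001:db8:1::1
not-an-ip
"""

# Assumed inventory of public netblocks this organization owns.
OUR_PUBLIC_RANGES = ["203.0.113.0/25", "2001:db8:1::/48"]


def load_ip_list(text):
    """Parse one address per line; ignore comments, blanks and junk entries."""
    ips = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.append(ipaddress.ip_address(line))
        except ValueError:
            # Skip malformed entries instead of aborting the whole check.
            continue
    return ips


def find_our_exposed_ips(leaked_text, our_ranges):
    """Return (ip, owning_network) pairs for leaked IPs inside our ranges."""
    nets = [ipaddress.ip_network(r, strict=False) for r in our_ranges]
    hits = []
    for ip in load_ip_list(leaked_text):
        for net in nets:
            # Containment is version-aware: an IPv6 address never matches an IPv4 net.
            if ip.version == net.version and ip in net:
                hits.append((str(ip), str(net)))
                break
    return hits


if __name__ == "__main__":
    for ip, net in find_our_exposed_ips(LEAKED_IPS_TXT, OUR_PUBLIC_RANGES):
        print("compromised firewall in our space: %s (in %s)" % (ip, net))
```

A hit means the device behind that address should be treated as compromised: rotate its credentials, pull its configuration and logs for review, and check the backend authentication systems it was configured to talk to. No hits is not a clean bill of health, because the published list reflects what the researcher could recover, not necessarily every affected device.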