FortiBleed: when the problem is not the flaw but the credentials
Security · 25 Jun 2026 · Kevin Eggimann

FortiBleed is not a FortiOS flaw but a credential-harvesting campaign against Fortinet devices. Why stolen credentials and missing MFA are the real risk, and how a managed firewall subscription prevents it.

Fortinet firewalls sit at the boundary between the internet and the company network in countless Swiss SMEs. That is exactly what makes an incident like the campaign known as FortiBleed so serious: the device that is meant to protect you becomes the entry point itself, and not through a software bug, but through compromised credentials.

What is FortiBleed?

Despite the name, this is not a classic vulnerability you close with an update. FortiBleed is a large-scale credential-harvesting campaign: attackers reuse credentials from earlier breaches and combine them with brute-force attacks against devices with weak password hygiene and no multi-factor authentication. Fortinet explicitly states that there is no new FortiOS vulnerability behind it. The targets are mainly internet-exposed firewall, VPN and management interfaces. The name matters less than the pattern: exposed security appliances with reused passwords are a prime target.

Why edge devices are so attractive to attackers

Firewalls and VPN gateways are by definition reachable from the internet and hold a privileged position in the network. If such a device is taken over, the attacker is effectively already inside. On top of that, once a vulnerability or a set of valid credentials is circulating, automated bots scan half the internet for vulnerable devices within hours, regardless of company size. A small business is not too small a target; it is often the easier one.

Who is affected?

Any organisation running a FortiGate with an internet-facing management or SSL-VPN interface is in scope, especially when administrator or VPN passwords are still stored as old salted SHA-256 hashes. In SMEs in particular, rotating credentials and enforcing MFA often gets left undone because no one is responsible for it. That delay is the real risk.

What you should do now

  • Check whether Fortinet devices are in use, what firmware level they run and whether management or VPN interfaces are reachable from the internet.
  • Rotate all administrator and VPN credentials immediately. With FortiBleed that is the central step, not patching.
  • Enforce MFA for all administrative and VPN access.
  • Update to a FortiOS version that uses PBKDF2 hashing, then sign in again with every admin account so the old SHA-256 hashes are actually replaced.
  • Terminate active SSL-VPN and admin sessions and review logs retroactively for unauthorised logins and configuration changes.
  • Never expose management interfaces to the internet, only over secured paths (internal IPs, out-of-band, VPN-only).

The real point: perimeter security is a process, not a one-off

FortiBleed shows an uncomfortable truth: a patch window is limited, the credential window is not. Whoever closes every CVE but does not rotate passwords or enforce MFA stays exposed. The decisive question is not whether the next incident comes, but whether your firewall is prepared for it. That only works if someone keeps an eye on the advisories, knows your devices and reliably handles updates, credential rotation and hardening, instead of letting them drown in day-to-day work.

How we solve this for you.

With our managed firewall and maintenance subscription we keep your Fortinet devices under continuous watch: we monitor advisories, apply critical updates promptly and tested, rotate credentials, enforce multi-factor authentication and make sure management interfaces are not exposed to the internet. That way incidents like FortiBleed never become an entry point, and you do not have to track every advisory yourself.
