NC4-ALR-2026-000002: Advisory on Reported Credential Exposure Affecting Fortinet FortiGate Devices
Introduction
Summary
The National Cyber Coordination and Command Centre (NC4) is aware of recent reports regarding a large-scale exposure of credentials associated with Fortinet FortiGate firewalls and SSL VPN services, commonly referred to as “FortiBleed”.
According to cybersecurity researchers, credentials linked to tens of thousands of Fortinet devices may have been exposed. Some reports further suggest that portions of the credential data were subjected to offline password-cracking efforts, potentially resulting in the recovery of plaintext credentials. The affected devices are reportedly associated with organisations across multiple sectors, including government, telecommunications, financial services, healthcare, education, and critical infrastructure.
Based on available information, NC4 assesses that the activity is more likely related to the exposure and misuse of valid credentials than the exploitation of a newly disclosed Fortinet vulnerability. While the source of the credential data and the method by which it was obtained have not been publicly confirmed, the reported exposure highlights the importance of reviewing existing access controls and authentication practices.
This advisory is issued to support awareness and risk mitigation efforts. It should not be interpreted as confirmation that all identified devices have been compromised, nor does it indicate the discovery of a new Fortinet vulnerability.
Organisations operating internet-facing Fortinet devices are encouraged to review their exposure and strengthen security controls, particularly where management interfaces are accessible from the internet or multi-factor authentication (MFA) is not enforced.
Severity: High
Disclaimer
This advisory is based on publicly available information at the time of publication. Organisations are encouraged to monitor vendor guidance and take appropriate action to manage any identified risks.
Impact
Potential Impact
The abuse of valid credentials could allow threat actors to gain unauthorised access to Fortinet management interfaces or VPN services, potentially leading to further compromise of internal systems and information.
System Affected
Potentially Affected Systems
The following systems may be at increased risk:
- Fortinet FortiGate firewalls with management interfaces accessible from the internet
- Fortinet SSL VPN deployments exposed to external networks
- Environments that do not enforce MFA for administrative or remote access accounts
- Systems using weak, reused, or previously compromised credentials
Recommendation
Recommended Actions
Organisations using Fortinet devices should review the following recommendations and prioritise the actions most relevant to their environment and level of exposure.
- Rotate all administrative, VPN, and privileged account credentials as a precautionary measure.
- Enforce MFA for all administrative and remote access accounts.
- Restrict access to FortiGate management interfaces to trusted networks, management VPNs, or approved IP address ranges wherever possible.
- Upgrade devices to the latest supported FortiOS version and apply relevant security updates.
- Following a FortiOS upgrade, ensure administrators log in to the device, as this may be required for updated password protection measures to take effect.
- Review FortiGate administrative logs, VPN authentication logs, and configuration change records for signs of suspicious activity, including unauthorised logins, newly created administrator accounts, or unexpected configuration changes.
- Conduct a security review or compromise assessment where suspicious activity is identified.
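The log review recommended above can be partly automated. The following is an added example, not NC4 or Fortinet code: it scans exported event log lines for the three signs listed (administrator logins from outside approved ranges, newly created administrator accounts, and configuration changes from untrusted sources). It assumes the FortiOS key=value event log layout with the fields `logdesc`, `user`, `ui`, `srcip`, `action`, `cfgpath` and `cfgobj`, which should be checked against the log reference for the deployed FortiOS version; `TRUSTED_MGMT` is a placeholder and the sample lines are constructed.

```python
import ipaddress
import re

# Assumption: the organisation's approved management range (placeholder value).
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]
# key=value pairs; quoted values may contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # a missing or malformed address is treated as untrusted
        return False
    return any(addr in net for net in TRUSTED_MGMT)

def review(lines):
    """Return (finding, subject, detail) tuples for the signs named in the advisory."""
    findings = []
    for line in lines:
        e = parse(line)
        # Assumed: config-change events carry the session source inside ui="GUI(<ip>)".
        m = re.search(r"\(([^)]+)\)", e.get("ui", ""))
        src = e.get("srcip") or (m.group(1) if m else "")
        if e.get("logdesc") == "Admin login successful":
            if not is_trusted(src):
                findings.append(("admin-login-untrusted-source", e.get("user"), src))
        elif e.get("cfgpath") == "system.admin" and e.get("action") == "Add":
            findings.append(("admin-account-created", e.get("cfgobj"), e.get("user")))
        elif e.get("cfgpath") and not is_trusted(src):
            findings.append(("config-change-untrusted-source", e["cfgpath"], src))
    return findings

# Constructed sample lines (not taken from any real device).
SAMPLE = [
    'date=2026-01-10 time=02:14:07 logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" srcip=203.0.113.45 action="login"',
    'date=2026-01-10 time=02:16:30 logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2026-01-10 time=02:19:02 logdesc="Object attribute configured" user="admin" ui="GUI(203.0.113.45)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj=""',
    'date=2026-01-10 time=09:01:12 logdesc="Admin login successful" user="netops" ui="https(10.10.0.5)" srcip=10.10.0.5 action="login"',
    'date=2026-01-10 time=09:05:44 logdesc="Object attribute configured" user="netops" ui="GUI(10.10.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12"',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Events with no recoverable source address are reported as untrusted, so console or script-originated changes will appear in the output and need manual triage.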
Reporting
All Malaysian NCII entities and organisations that identify suspicious activity or suspected compromise involving Fortinet devices are advised to report the matter to NC4 in accordance with applicable reporting obligations and established national cybersecurity coordination procedures.
References
Arctic Wolf – Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries
https://arcticwolf.com/resources/blog/active-fortibleed-campaign-impacting-fortinet-devices-across-194-countries/
BleepingComputer – FortiBleed Leak Exposes Fortinet VPN Credentials for 73,000 Devices
https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
Dark Reading – Sweeping Credential Harvesting Heist Compromises Fortinet Devices
https://www.darkreading.com/cyberattacks-data-breaches/sweeping-credential-harvesting-heist-compromises-30k-fortinet-devices
Fortinet PSIRT – Security Advisories and Product Security Updates
https://www.fortiguard.com/psirt