FortiBleed — 75k Fortinet firewalls have admin passwords crackedAn interesting post popped up on LinkedIn at the weekend from Voldymyr Diachenko saying plain text passwords were found in the wild by Hunt Intelligence Inc for Fortinet firewalls:This is similar to the Belsen Group incident, which I revealed last year:2022 zero day was used to raid Fortigate firewall configs. Somebody just released them.I’ve had a look at the data, with the help of the folks at Hudson Rock, and can confirm:The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data.The data appears to have come from exports of config from the devices, as it includes things which are only visible from the device itself.The IP addresses are largely different to the Belsen Group leak, which was 15k devices. It includes mostly devices not in the Belsen Group leak, and in this case most of the devices are still online — this isn’t data from 2022.I have worked with several orgs listed, and can confirm the logins and passwords are real. Many of the devices sampled are on fairly recent patches.The data comprises of roughly 50% of all Fortinet firewall devices facing the internet, based on polling from Shodan.In a majority of cases, the Fortigate Management Interface is exposed to the internet on impacted devices.What could attackers do this this information?They can log in remotely and gain remote access to the firewall — and so the network. They can also change settings, including security controls and make backdoor users.How did this happen?It is currently unclear. With the Belsen Group incident, a 2022 zero day was used to dump the configs, with the data published much later in 2025.With this, it is unclear how the configs were exported or devices accessed. It may be from one of the many, many known CVEs for Fortinet firewalls — or it may be a new vulnerability — keep tuned for updates.Fortinet tried to harden the storage of admin credentials in early 2025, after my prior blog:You’ll note the move to PBKDF2 storage of credentials. This happened in recent firmware updates applied during the past 12 or so months — and only if admins each logged in after applying the updates.As such, many devices would have have storing credentials in SHA-256 with Salt — which is vulnerable to bruteforce to gain passwords from stolen config files.What orgs should do?Check you are impacted. Do that here: https://www.hudsonrock.com/fortinetEnter your domain name(s). If you are impacted:rotate admin credentials immediately and look for prior logins to said usersif you see suspect success logins to admin users, I would suggest replacing the device as they may have altered settings to backdoor a deviceupgrade to the latest FortiOS release, and have admins log back in to change passwordsdo not expose the FortiOS management interface to the internet unless absolutely necessaryimplement multi-factor authentication on all admin usersassume compromise. It is unclear where Hunt Intelligence obtained the data from and how long it has been in circulation, however it is formatted in a way which looks like an eCrime gang — e.g. it lists the type of company, their revenue and country. This is a very common format in eCrime circles when selling initial access information.UpdatesYou can follow me on Mastodon if you wish (to suffer, I guess):Kevin Beaumont (@[email protected])FortiBleed — 75k Fortinet firewalls have admin passwords cracked was originally published in DoublePulsar on Medium, where people are continuing the conversation by highlighting and responding to this story.