
86,000 Business Firewalls Got Compromised Last Week. The Attackers Didn’t Need a Zero-Day.

Thursday, CISA put out an urgent alert telling Fortinet customers to lock down their FortiGate firewalls immediately.[1] The reason: a campaign researchers have named FortiBleed has quietly compromised over 86,600 FortiGate devices across 194 countries, building a verified database of working credentials pulled from real business networks.[2] Samsung, AT&T, Mercedes-Benz, Chevron, Comcast, Toyota. Government agencies. Healthcare networks. Small and mid-sized businesses nobody has ever heard of.

The attack didn’t require a software vulnerability. No unpatched flaw, no zero-day. The attackers just tried passwords until they got in.

What FortiBleed Actually Does

The campaign works in a few stages. First, automated scanners sweep the internet for exposed FortiGate firewalls and SSL VPN gateways. Once a device is found, the scanner runs a curated list of known credentials against it. Generic admin accounts and built-in Fortinet system accounts made up more than 60% of what was compromised.[3] Those are default passwords, or passwords so common they might as well be defaults.

Here’s where it gets worse. Once attackers had access to a firewall, they didn’t just steal the config and move on. They used the compromised devices as listening posts, passively monitoring SSL VPN traffic flowing through them. That means they collected additional credentials from employees logging in through the company VPN. Those new credentials got fed back into the scanner to compromise even more devices.[4] The thing was self-fueling.
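The self-fueling loop above leaves a recognisable trace on the device being attacked: a burst of failed admin or VPN logins from one source, followed by a success. The script below is an added example (not code from the original post or from Fortinet) that flags that pattern in login events. The log lines are constructed for the example in a generic key=value style; the field names are assumptions, not Fortinet's exact log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (key=value style; field names are assumptions).
# One source sprays the built-in admin account and eventually gets in;
# a second source is a normal user login for contrast.
SAMPLE_LOG = """\
time=2024-06-01T10:00:01 srcip=203.0.113.7 user=admin action=login status=failed
time=2024-06-01T10:00:02 srcip=203.0.113.7 user=admin action=login status=failed
time=2024-06-01T10:00:03 srcip=203.0.113.7 user=admin action=login status=failed
time=2024-06-01T10:00:04 srcip=203.0.113.7 user=admin action=login status=failed
time=2024-06-01T10:00:05 srcip=203.0.113.7 user=admin action=login status=failed
time=2024-06-01T10:00:09 srcip=203.0.113.7 user=admin action=login status=success
time=2024-06-01T10:03:00 srcip=198.51.100.20 user=jsmith action=login status=success
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value event line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for any source that reaches `threshold` failed logins
    inside `window`, and a second alert if that source then succeeds,
    which is the signature of a password list that finally hit."""
    failures = defaultdict(list)   # srcip -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev.get("action") != "login":
            continue
        ts = datetime.fromisoformat(ev["time"])
        src = ev["srcip"]
        # Keep only failures still inside the sliding window.
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if ev["status"] == "failed":
            failures[src].append(ts)
            if len(failures[src]) == threshold:
                alerts.append(("burst", src, ev["user"]))
        elif ev["status"] == "success" and len(failures[src]) >= threshold:
            alerts.append(("success_after_burst", src, ev["user"]))
            failures[src].clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the admin spray from 203.0.113.7 produces a `burst` alert on the fifth failure and a `success_after_burst` alert when the sixth attempt logs in; the ordinary user login raises nothing.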

By the time CISA issued its alert Thursday, the attackers had built a database with confirmed working logins for tens of thousands of business networks. That database has value beyond the original targets. It gets sold, traded, or used to launch follow-on attacks.

This Isn’t Just a Fortinet Problem

I want to be clear about something: FortiGate is a legitimate, widely used product. A lot of small businesses run it, and many MSPs deploy it. The issue here isn’t the firewall. The issue is default and weak credentials on network hardware, and that problem exists on every brand.

Most business owners think about passwords on their computers and email accounts. Those are obvious. But the router your ISP installed has default admin credentials. So does the managed switch in your server closet. The firewall your IT company set up three years ago might still have a generic admin password if nobody changed it. The business-grade Wi-Fi access point on the ceiling? Same story.

These devices sit on the edge of your network. They control what comes in and what goes out. If an attacker owns your firewall, they own your network. They see everything.

FortiBleed is a reminder that attackers don’t always need sophisticated tools. Sometimes they just need a list of default passwords and enough time to try them all. Automated scanning means “enough time” is about ten minutes.

What You Should Do Right Now

If you’re running FortiGate, CISA is explicit: terminate all active SSL VPN sessions immediately, reset every Fortinet VPN and admin password, and verify no unauthorized accounts were created.[1] Do not wait on this one. The database of compromised credentials is already out there.

More broadly, this is a good forcing function to audit all the network devices on your business network. Here’s what to look at:

Change every default password. Every router, switch, firewall, access point, and VPN gateway should have a strong, unique admin password. Not the one printed on the label. Not “admin/admin.” A real one.

Don’t expose admin interfaces to the internet. Management consoles for network devices should only be accessible from your internal network or through a secure management VLAN. If your firewall’s admin panel is reachable from any IP on the internet, that’s a problem to fix today.

Enable MFA where supported. Fortinet devices and most enterprise-grade network hardware now support multi-factor authentication for admin access. If it’s available and you’re not using it, turn it on. A password list doesn’t help an attacker much when there’s a second factor they can’t get.

Keep firmware current. This attack didn’t use a known vulnerability, but many do. Outdated firmware on network hardware is one of the most overlooked gaps in small business security. Most of these devices can be set to check for and apply updates automatically.

The thing about FortiBleed that should stick with you is how undramatic it is. No nation-state exploit kit. No elaborate social engineering. Just a password list and a scanner running against every exposed device it can find. The businesses in that database of 86,000 didn’t lose because their security failed under sophisticated attack. They lost because nobody changed the default password.

Not sure if your network devices are exposed or running default credentials? We can audit your firewall configuration and external attack surface in a single session. Reach out here or call us at (412) 307-8313.

  1. CISA, "CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure," cisa.gov
  2. The Hacker News, "CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices," thehackernews.com
  3. Cloud Security Alliance, "CSA Research Note: FortiBleed — Default Credential Exploitation and Mass Fortinet Compromise," labs.cloudsecurityalliance.org
  4. Arctic Wolf, "Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries," arcticwolf.com