FortiBleed Shows Firewall Patching Is Not Compromise Recovery


FortiBleed is a useful reminder that perimeter devices are not just appliances to patch; they are identity choke points that can become long-term collection platforms when attackers control them.

Eclypsium’s analysis describes a multi-phase campaign affecting a large population of internet-facing FortiGate firewalls. The reported activity combines older Fortinet credential leaks, infostealer-sourced passwords, large-scale credential validation, offline hash cracking, rogue administrative access, and persistence techniques that may survive simple patch-and-reboot workflows.

What happened

According to Eclypsium, researchers observed exposed attacker infrastructure containing scanning scripts, credential-testing tooling, shell history, GPU cracking configuration, and a verified credential database organized in ways that resemble initial-access-broker tradecraft. The campaign reportedly draws from several sources at once:

  • Historical Fortinet credential/configuration leaks tied to prior FortiOS exploitation.
  • Infostealer logs containing valid firewall, VPN, or administrative credentials.
  • Large-scale authentication attempts against exposed FortiGate and MSSQL services.
  • Offline cracking of captured FortiGate authentication material.
  • Post-compromise harvesting of internal authentication traffic traversing the firewall.

The important point is that this is not a single vulnerability story. It is a campaign story. The firewall becomes both the target and the sensor: once compromised, it can help attackers collect credentials that support the next phase of access.

Why this matters for SMBs and government contractors

Many small and mid-sized organizations treat firewalls, VPN gateways, and secure edge appliances as durable infrastructure: patch them, back up the configuration, and move on. That approach is no longer enough when the device sits at the boundary between the internet, remote access, identity services, and internal applications.

If an attacker controls the firewall, they may see VPN authentication, LDAP/RADIUS bind activity, service-account traffic, administrator logins, and routing relationships that defenders often assume are protected by the firewall itself. That makes edge-device compromise especially dangerous for organizations handling regulated data, contract information, CUI-adjacent workflows, or managed service access.

The defensive mistake: treating version as integrity

A clean version number does not prove a clean device. Patching closes known entry points, but it does not automatically remove rogue admin accounts, hidden persistence, harvested credentials, suspicious tunnels, altered configuration, or artifacts that live below the visibility of normal endpoint tooling.

That distinction matters because many security programs have decent vulnerability management but weak appliance integrity monitoring. EDR rarely runs on firewalls. Traditional scanners usually confirm software version and exposure, not whether the appliance was previously used as an attacker foothold.

Practical defensive takeaways

  • Inventory by exposure. Identify every Fortinet appliance, especially any internet-facing management interface or SSL VPN service.
  • Do not stop at patch status. Confirm whether the device shows signs of prior compromise, unexpected accounts, suspicious tunnels, unusual outbound connections, or persistence artifacts.
  • Review administrative credentials. Rotate firewall admin accounts and any credentials that may have transited the device, including LDAP/RADIUS bind accounts and privileged service accounts.
  • Audit configuration exports carefully. Look for legacy credential storage, unexpected local users, old VPN accounts, unapproved routes, and configuration drift from known-good baselines.
  • Rebuild when compromise is suspected. If indicators are present, treat the firewall like an affected host: restore from trusted firmware and known-good configuration rather than assuming a firmware update cleaned it.
  • Centralize appliance logging. Send management-plane, VPN, authentication, and configuration-change logs to a system attackers cannot modify from the firewall itself.
  • Reduce edge blast radius. Restrict management access, require phishing-resistant MFA for administrators, segment VPN users, and limit what identity traffic must pass through exposed edge devices.
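The "audit configuration exports" step above can be made repeatable. The script below is an added example, not tooling from the post, Eclypsium or Fortinet: it parses a FortiGate CLI export (assuming the usual `config <section>` / `edit <entry>` / `set <key> <value>` / `next` / `end` layout) and diffs the admin-account, local-user and static-route sections against a known-good baseline, reporting any entry that appeared, disappeared or changed. The two sample exports are constructed for the demonstration.

```python
# Added example (not from the post or Eclypsium): diff a FortiGate config export
# against a known-good baseline. Assumes the FortiOS CLI layout of
# `config <section>` / `edit <entry>` / `set <key> <value>` / `next` / `end`.
from collections import defaultdict
import shlex

def parse_fortios(text):
    """Return {section: {entry: {key: value}}} for top-level config blocks;
    sub-blocks nested inside an entry are ignored."""
    sections, stack, entry = defaultdict(dict), [], None
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        cmd, args, top = tok[0], tok[1:], len(stack) == 1
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "end":
            stack.pop()
        elif cmd == "edit" and top:
            entry = args[0]
            sections[stack[0]].setdefault(entry, {})
        elif cmd == "next" and top:
            entry = None
        elif cmd == "set" and top and entry:
            sections[stack[0]][entry][args[0]] = " ".join(args[1:])
    return dict(sections)

def audit(baseline, current, watched=("system admin", "user local", "router static")):
    """Report new, removed and changed entries in sections worth re-checking after
    a suspected edge-device compromise: admin accounts, local users, static routes."""
    base, cur, findings = parse_fortios(baseline), parse_fortios(current), []
    for sec in watched:
        b, c = base.get(sec, {}), cur.get(sec, {})
        findings += [f"NEW {sec}: {n} {c[n]}" for n in sorted(c.keys() - b.keys())]
        findings += [f"REMOVED {sec}: {n}" for n in sorted(b.keys() - c.keys())]
        for n in sorted(b.keys() & c.keys()):
            for k in sorted(b[n].keys() | c[n].keys()):
                if b[n].get(k) != c[n].get(k):
                    findings.append(f"CHANGED {sec}: {n}.{k} {b[n].get(k)!r} -> {c[n].get(k)!r}")
    return findings

# Constructed sample exports (not real device output): the "current" export has the
# admin trusted host widened to any source, an extra super_admin account and a new route.
BASE_ADMIN = 'config system admin\n edit "admin"\n  set trusthost1 10.0.0.0 255.255.255.0\n next\n'
BASE_ROUTE = 'config router static\n edit 1\n  set gateway 203.0.113.1\n next\n'
BASELINE = BASE_ADMIN + "end\n" + BASE_ROUTE + "end\n"
CURRENT = (BASE_ADMIN.replace("10.0.0.0 255.255.255.0", "0.0.0.0 0.0.0.0")
           + ' edit "support_tmp"\n  set accprofile "super_admin"\n next\nend\n'
           + BASE_ROUTE + ' edit 2\n  set gateway 198.51.100.7\n next\nend\n')
print(*audit(BASELINE, CURRENT), sep="\n")
```

Run it against a baseline export taken from a trusted rebuild and the export from the live device; anything it reports is a question for the change log, not necessarily a compromise, but a widened trusthost, an unrecognised super_admin or an unapproved route are exactly the artifacts a version check will never surface.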

Bulwark Black assessment

FortiBleed is less about one vendor and more about a recurring pattern: edge infrastructure has become a preferred initial-access surface because it combines exposure, trust, and weak visibility. The organizations that recover well will be the ones that treat firewalls as security-critical systems with integrity requirements, not just network boxes with patch windows.

For defenders, the right question is not only “are we patched?” It is “if this appliance was already compromised, how would we know, what credentials would be exposed, and how fast could we rebuild it from a trusted state?”

Source: Eclypsium — FortiBleed: You Can’t Patch Your Way Out of This
