Act now! ACSC releases multiple critical alerts over FortiBleed, as Fortinet releases situational analysis report

Russian-speaking hackers have been compromising tens of thousands of Fortinet firewalls and VPN gateways using weak credentials – here’s what you need to know to protect your organisation.

Mon, 22 Jun 2026
The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) has released a pair of “Critical alert: Act now” advisories regarding the widespread compromise of Fortinet Firewalls and VPN gateways in a campaign widely known as FortiBleed.

“The ASD’s ACSC is aware of public reporting of a widespread malicious campaign against Fortinet firewalls and VPN gateways, largely utilising exposed credentials and credential-based attacks, leading to potential compromise and further credential exposure,” the ACSC said in its initial 18 June alert, released in the wake of SOCRadar analysis of the ongoing campaign on 16 June.

“Leveraging these credentials could enable malicious actor’s remote access to the devices and connected networks, as well as allow changes to various settings, including security controls.”

According to SOCRadar, the adversary appears to be Russian-speaking and has, to date, compromised more than 30,000 devices in 200 countries, including Australia.

“Once a device is compromised, they use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by. Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself,” SOCRadar said in a blog post.

“The password list is not random. It is a carefully assembled collection of credentials leaked from Fortinet devices in earlier incidents, meaning many targets may have never changed their passwords after a prior breach. The attackers know this, and they are counting on it.”

The ACSC reissued its original alert today, on 22 June, following the release of updated advice from Fortinet, which was published late last week.

“Fortinet have released a blog post and additional guidance regarding this activity,” the ACSC said.

“Affected organisations should review and monitor Fortinet’s post.”

Fortinet’s situational analysis report, published 19 June, explains that the campaign does not rely on any new Fortinet vulnerability; rather, the company believes it involves the reuse of credentials compromised in two earlier incidents, in December 2025 and January 2026.

“Fortinet provided detailed guidance at the time of these advisories and we continue to strongly encourage all customers to ensure these remediation steps have been completed,” Fortinet said.

“Upon identifying the incident, we immediately began an investigation, including collaborating with relevant government agencies.”

Fortinet said it is in the process of contacting customers impacted by the campaign and shared six recommendations that should be immediately implemented on compromised devices:

  1. Terminate all admin and VPN sessions and reset credentials. Terminate all active administrative sessions. Reset all Fortinet VPN and administrative passwords, especially on internet-facing systems, and enforce strong password policies.
  2. Implement MFA on all administrator and VPN user accounts.
  3. Upgrade to the latest versions of 7.4, 7.6 or 8.0. These versions support PBKDF2 hashing of administrator credentials. Follow the guidance to remove older legacy password settings via set login-lockout-upon-weaker-encryption.
  4. Validate configuration. Review firewall and VPN users and other configuration for unauthorised changes. Preferably compare to a known good configuration. Pay particular attention to the addition of unrecognised accounts, such as “forticloud, fortiuser, fortinet-support, fortinet-tech-support” etc.
  5. Check your logs. Look for unexpected administrator access from an unknown IP and domain controller logs for lateral movement, unusual access, suspicious accounts or unauthorised configuration changes.
  6. Reduce your attack surface and lock down management access. Restrict external management of your devices via trusted hosts (good), a local-in policy (better), or remove internet administration altogether (best).
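As an added example (not Fortinet’s or the ACSC’s code), the script below checks a FortiOS-style configuration backup for the items in recommendations 4 and 6: administrator accounts not on a known-good list, including the names quoted above, and administrators with no trusted-host restriction or no two-factor setting. The backup layout and the setting names it looks for (`trusthost`, `two-factor`) are assumptions based on common FortiOS backups, and the sample backup is constructed.

```python
# Added example, not Fortinet's code; the backup layout and "two-factor" key are assumptions.
# Account names the article lists as appearing on compromised devices.
SUSPICIOUS_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}

# Constructed sample backup: one locked-down admin plus one planted account.
SAMPLE_CONFIG = """config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "forticloud"
        set accprofile "super_admin"
    next
end
"""

def parse_system_admin(config_text):
    """Return {admin_name: {setting: value}} for the 'config system admin' block."""
    admins, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:                                  # not yet inside the block
            depth = int(line == "config system admin")
        elif line.startswith("config "):                # nested sub-block of an entry
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = {}
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")     # value may contain spaces
            admins[current][key] = value
    return admins

def review_admins(admins, known_accounts):
    """Findings for rec. 4 (unrecognised accounts) and rec. 6 (management lockdown)."""
    findings = []
    for name, s in admins.items():
        if name in SUSPICIOUS_NAMES or name not in known_accounts:
            findings.append(f"{name}: unrecognised admin account, compare with known-good config")
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"{name}: no trusthost restriction on management access")
        if s.get("two-factor", "disable") == "disable":
            findings.append(f"{name}: two-factor not enabled")
    return findings
```

Run it against an exported backup with your own list of approved administrator names in place of `{"admin"}`; every finding is a line to reconcile against a known-good configuration.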

The company also shared details of its FortiGuard Incident Response service, which customers can use to request an investigation into their network.

“Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,” Fortinet said.

“We are continuing to investigate this situation and taking actionable steps with the security of our customers as our top priority. Our response and mitigation efforts remain ongoing.”


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.