A breach exposing credentials for nearly 74,000 Fortinet firewalls—half of all internet-facing devices—has granted Russian-speaking attackers access to Oracle, Chevron, Lenovo, FedEx, and a NATO defense contractor, according to security researcher Bob Diachenko, who uncovered the data on attackers’ command servers. The exposed credentials, including plaintext admin passwords and Active Directory access, remain active on nearly all compromised devices, researchers confirm.
Why This Is Worse Than a Typical Credential Dump
This isn’t just another database leak. The attackers didn’t just steal credentials—they weaponized them. Independent researcher Kevin Beaumont confirmed that in many cases, threat actors escalated from compromised Fortinet firewalls to central authentication systems like Microsoft Active Directory and RADIUS servers. “The Fortinet VPN SSL VPN vulnerability (CVE-2024-23113) was patched in March, but the credentials were never rotated,” Beaumont said in an interview. “This is a textbook case of how unpatched hardware becomes a backdoor into enterprise networks.”
The scale alone is staggering: 194 countries, 21,000 unique IP addresses, and devices spanning industries from energy (Chevron) to defense (NATO contractors). But the real risk lies in supply chain amplification. Fortinet’s firewalls aren’t just perimeter guards; they’re often the last line of defense before critical infrastructure. A single compromised device can become a pivot point for lateral movement, as seen in recent attacks exploiting CVE-2024-23113.
The Technical Flaw That Enabled This: How Fortinet’s SSL VPN Became a Kill Chain
At the heart of the breach is CVE-2024-23113, a critical authentication bypass in Fortinet’s SSL VPN that was patched in March 2024. However, the exposed credentials suggest that many organizations failed to rotate them post-patch—a common oversight in large-scale deployments. “The issue isn’t just the unpatched software; it’s the assumption that credentials are static,” said Dr. Elena Dubrova, cybersecurity researcher at Chalmers University of Technology. “In enterprise environments, credentials often persist across firmware updates unless explicitly managed.”
What makes this breach distinct is the command-and-control infrastructure researchers found. Diachenko accessed logs showing attackers using the compromised credentials to:
- Enumerate internal networks via Fortinet’s CLI (Command Line Interface) APIs.
- Exfiltrate configuration files containing VPN client lists and internal IP ranges.
- Pivot to Active Directory via NTLM relay attacks, a technique documented in Impacket.
The attackers’ playbook mirrors tactics seen in APT29 (Cozy Bear) operations, though Diachenko notes that the language in the logs only shows the operators are Russian-speaking, not necessarily state-sponsored.
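As an added illustration (not from the article, the cited researchers or Fortinet), here is a small Python detector a defender could run over FortiGate event logs to surface the activity in the playbook above: successful administrator logins from outside the management network, configuration backups or exports (the config-exfiltration step), and repeated failed admin logins from one source. The log lines, the management network and the failure threshold are constructed for the example; the key=value layout follows FortiOS event logs, but field names beyond the common ones should be checked against your own firmware version.

```python
"""Flag suspicious administrative activity in FortiGate event logs.

Added example, not from the article, the cited researchers or Fortinet:
parses FortiOS-style key=value event log lines and reports the activity a
defender would look for after the credential exposure described above.
"""
import ipaddress
import re
from collections import Counter

# One key=value token; the value is either "quoted" or a bare word.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines in FortiOS event-log style (not real device logs).
SAMPLE_LOGS = """\
date=2024-03-20 time=08:12:43 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.0.5.20)" srcip=10.0.5.20 action="login" status="success" profile="super_admin"
date=2024-03-20 time=23:47:10 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="success" profile="super_admin"
date=2024-03-20 time=23:49:02 type="event" subtype="system" level="information" logdesc="Config backup" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="backup" status="success"
date=2024-03-21 time=01:03:15 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="root" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
date=2024-03-21 time=01:03:17 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="fortinet" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
date=2024-03-21 time=01:03:19 type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="failed" reason="passwd_invalid"
"""

# Networks from which administrator logins are expected (constructed value).
MGMT_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def from_management(ip_text, networks):
    """True if the source address lies inside one of the management networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def analyze(log_text, networks=MGMT_NETWORKS, fail_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (severity, srcip, message) findings for the given log text."""
    findings = []
    failures = Counter()  # failed admin logins per source address
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        src = ev.get("srcip", "?")
        when = f"{ev.get('date')} {ev.get('time')}"
        action, status = ev.get("action"), ev.get("status")
        # 1. Successful admin login from outside the management networks.
        if action == "login" and status == "success" and not from_management(src, networks):
            findings.append(("high", src, f"{when} admin '{ev.get('user')}' logged in from a non-management address"))
        # 2. Configuration backup/export: the config-exfiltration step of the playbook.
        if action == "backup" or "backup" in ev.get("logdesc", "").lower():
            findings.append(("high", src, f"{when} configuration backup by '{ev.get('user')}'"))
        # 3. Repeated failed admin logins from one source: password guessing.
        if action == "login" and status == "failed":
            failures[src] += 1
            if failures[src] == fail_threshold:
                findings.append(("medium", src, f"{when} {fail_threshold} failed admin logins from one source"))
    return findings


if __name__ == "__main__":
    for severity, src, message in analyze(SAMPLE_LOGS):
        print(f"[{severity.upper():6}] {src:15} {message}")
```

Run against the constructed sample, the detector reports the night-time login and configuration backup from 198.51.100.77 as high-severity and the burst of failed logins as medium. In production the same logic belongs in the SIEM that already receives the firewall's syslog feed, with the management networks taken from the device's own trusted-host settings rather than hard-coded.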
How This Breach Compares to Past Fortinet Attacks—and Why It’s Different
Fortinet has faced three major breach waves in the past two years, but this one stands out for its global scale and credential persistence:
| Breach | Vulnerability | Devices Exposed | Credential Persistence | Known Impact |
|---|---|---|---|---|
| 2023 FortiOS SSL-VPN (CVE-2022-40684) | Authentication bypass | ~50,000 | Unknown (no public logs) | APT groups, government targets |
| 2024 FortiGate VPN (CVE-2024-23113) | Authentication bypass | ~74,000 | Confirmed active credentials | Oracle, Chevron, NATO, FedEx |
| 2025 FortiAnalyzer (CVE-2025-XXXX) | RCE in web interface | ~12,000 (reported) | Partial (some rotated) | Financial sector |
The key difference? In 2023, credentials were likely rotated post-exploit. Here, they weren’t. “This suggests a systemic failure in credential hygiene across enterprises,” said Mark Stanislav, Director of Threat Intelligence at Tenable. “The fact that half of all internet-facing Fortinet devices are still vulnerable speaks to how deeply embedded these systems are—and how little incentive there is to replace them.”
What This Means for Enterprise IT: The 30-Second Verdict
For organizations using Fortinet:
- Rotate all VPN credentials immediately. The exposed hashes suggest many are still using default or weak passwords.
- Audit for lateral movement. Attackers are already probing Active Directory and RADIUS servers.
- Assume breach containment is impossible. The attackers have been active since at least March 2024.
- Evaluate Fortinet alternatives. Palo Alto Networks and Cisco ASA have seen increased adoption in critical infrastructure post-2023 breaches.
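To make the first of these steps concrete, an added example (not the article’s or Fortinet’s code): a Python script that parses a FortiOS configuration export and produces the rotation worklist, covering local administrator passwords, local VPN user passwords, the LDAP bind credential that reaches Active Directory and RADIUS shared secrets, and flagging administrators with no trusted-host restriction. The configuration excerpt, account names and ENC placeholders are constructed; real exports contain nested tables, which this parser deliberately skips.

```python
"""Build a credential-rotation worklist from a FortiOS configuration export.

Added example, not the article's or Fortinet's code: a minimal parser for
the config / edit / set / next / end block structure of a FortiGate config
dump, plus rules listing every stored secret to rotate after an exposure
like the one described above.
"""

# Constructed FortiOS-style excerpt; the ENC values are placeholders, not
# real encrypted secrets, and the account names are invented.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set password ENC PLACEHOLDER_ADMIN
    next
    edit "netops"
        set trusthost1 10.0.5.0 255.255.255.0
        set password ENC PLACEHOLDER_NETOPS
    next
end
config user local
    edit "vpn.contractor"
        set type password
        set passwd ENC PLACEHOLDER_VPN
    next
    edit "jdoe"
        set type ldap
        set ldap-server "corp-ldap"
    next
end
config user ldap
    edit "corp-ldap"
        set username "cn=fortibind,ou=svc,dc=corp,dc=example"
        set password ENC PLACEHOLDER_BIND
    next
end
config user radius
    edit "corp-radius"
        set secret ENC PLACEHOLDER_RADIUS
    next
end
"""


def parse_config(text):
    """Return {table: {entry: {key: value}}} for the top-level tables.

    'config <table>' opens a table, 'edit "<name>"' opens an entry,
    'set <key> <value...>' assigns, 'next' closes the entry and 'end'
    closes the table. Tables nested inside an entry are skipped.
    """
    tree = {}
    table = entry = None
    depth = 0  # nesting level of config blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table = line[len("config "):]
                tree.setdefault(table, {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                table = entry = None
        elif depth != 1:
            continue  # inside a nested table: not modelled here
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            tree[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            parts = line.split(None, 2)
            tree[table][entry][parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
        elif line == "next":
            entry = None
    return tree


def rotation_worklist(text):
    """List (table, entry, reason) for every credential that should be rotated."""
    cfg = parse_config(text)
    work = []
    for name, attrs in cfg.get("system admin", {}).items():
        if "password" in attrs:
            work.append(("system admin", name, "local administrator password"))
        if not any(k.startswith("trusthost") for k in attrs):
            work.append(("system admin", name, "no trusted hosts: login allowed from any source"))
    for name, attrs in cfg.get("user local", {}).items():
        if attrs.get("type") == "password":  # password stored on the firewall itself
            work.append(("user local", name, "local VPN user password"))
    for name, attrs in cfg.get("user ldap", {}).items():
        if "password" in attrs:
            work.append(("user ldap", name,
                         f"LDAP bind account {attrs.get('username', '?')}: rotate it in the directory too"))
    for name, attrs in cfg.get("user radius", {}).items():
        if "secret" in attrs:
            work.append(("user radius", name, "RADIUS shared secret: rotate on the RADIUS server too"))
    return work


if __name__ == "__main__":
    for table, entry, reason in rotation_worklist(SAMPLE_CONFIG):
        print(f"{table:14} {entry:16} {reason}")
```

The worklist is the point: a firewall credential dump does not stop at the firewall, because the LDAP bind account and RADIUS secret stored on it are credentials to the central authentication systems the article says attackers pivoted into, so those must be rotated on the directory and RADIUS side as well, not just re-entered on the device.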
For cybersecurity teams, this breach underscores a painful truth: hardware supply chain risks are now as critical as software vulnerabilities. The Fortinet case is a microcosm of a larger trend—enterprises are increasingly targeted via embedded systems (firewalls, routers, IoT) rather than just servers or endpoints.
The Broader Implications: How This Breach Could Reshape Cybersecurity
This incident isn’t just about Fortinet—it’s a wake-up call for the entire network security industry. Three major shifts are already underway:
- The death of “set and forget” security. Fortinet’s SSL VPN has been a staple in enterprises for decades. Yet, as Dr. Dubrova notes, “The longer a system is in production, the harder it is to secure. This breach proves that even critical infrastructure can become a liability if not actively managed.”
- Credential hygiene as a compliance requirement. The NIST SP 800-63B guidelines on password management may soon face pressure to include hardware credential rotation protocols.
- The rise of “zero-trust firewalls”. Vendors like Palo Alto Networks and Cisco are pushing identity-aware firewalling, where credentials are tied to device posture rather than static hashes.
The Fortinet breach also highlights a geopolitical dimension. While the attackers are Russian-speaking, the targets span NATO, energy, and logistics—sectors often scrutinized in cyber conflicts. “This could be a case of opportunistic crime, but the scale suggests it might also be reconnaissance for larger operations,” said Stanislav. “The fact that they’re targeting Active Directory specifically is a red flag.”
What Happens Next: The Timeline for Patching and Fallout
Here’s the likely progression over the next 30 days:
- Week 1 (June 2026): Fortinet releases emergency patches for unpatched devices, but many enterprises will delay due to compatibility testing.
- Week 2-3: APT groups (likely Russian) will attempt to weaponize the exposed credentials for ransomware or espionage.
- Month 2: Regulators and regulatory regimes (e.g., CISA, GDPR) may issue mandates for credential rotation in critical infrastructure.
- Long-term: Enterprises will accelerate migration to zero-trust architectures, reducing reliance on single-vendor firewalls.
The most urgent action for affected organizations is credential rotation. Fortinet’s official guidance remains to apply the latest firmware and disable unused VPN services. However, as Beaumont warns, “Patching alone won’t fix this. The real fix is treating firewalls as high-value targets, not just network appliances.”
For the broader tech ecosystem, this breach is a reminder that cybersecurity is no longer about perimeter defense—it’s about assuming breach and containing lateral movement. The Fortinet case may accelerate the shift toward identity-aware networking, where credentials are ephemeral and tied to real-time device health checks.
The Bottom Line: Why This Breach Could Redefine Enterprise Security
This isn’t just another data leak. It’s a systemic failure—one that exposes the fragility of relying on static credentials in a world where attackers have persistent access to critical infrastructure. The fact that half of all internet-facing Fortinet devices were compromised suggests a cultural problem: enterprises treat hardware security as an afterthought.
The fallout will likely include:
- Stricter hardware credential rotation policies in compliance frameworks.
- A surge in zero-trust firewall adoption, reducing vendor lock-in.
- Increased scrutiny of supply chain risks in embedded systems.
For now, the best defense is to assume compromise. If your organization uses Fortinet, treat this as a live attack, not a hypothetical threat.