{"id":40168,"date":"2026-06-18T11:17:18","date_gmt":"2026-06-18T09:17:18","guid":{"rendered":"https:\/\/borncity.com\/win\/?p=40168"},"modified":"2026-06-18T11:17:18","modified_gmt":"2026-06-18T09:17:18","slug":"fortibleed-administrator-passwords-compromised-on-74000-fortinet-firewalls","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2026\/06\/18\/fortibleed-administrator-passwords-compromised-on-74000-fortinet-firewalls\/","title":{"rendered":"FortiBleed: Administrator Passwords Compromised on 74,000 Fortinet Firewalls"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Stop - Pixabay\" src=\"https:\/\/borncity.com\/blog\/wp-content\/uploads\/2021\/06\/Stop01.jpg\" alt=\"Stop - Pixabay\" align=\"left\" \/>[<a href=\"https:\/\/borncity.com\/blog\/2026\/06\/18\/fortibleed-administrator-passwoerter-bei-75-000-fortinet-firewalls-geknackt\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] Operators of Fortinet products are at risk of having their instances compromised by attackers. This is because the passwords for administrator access to these instances have been cracked. Attackers can take control of the installations and manipulate them at will. This affects nearly 74,000 instances, as I have read, and is being discussed under the term \"FortiBleed.\" It seems that the suspected vulnerabilities have been known and patched for weeks.<\/p>\n<h2>Fortinet Administrator Passwords Extracted<\/h2>\n<p>German blog reader Thomas H. 
reminded me yesterday that security researcher Kevin Beaumont had posted the article <a href=\"https:\/\/doublepulsar.com\/fortibleed-75k-fortinet-firewalls-have-admin-passwords-cracked-60299faa65f8\" target=\"_blank\" rel=\"noopener\">FortiBleed \u2014 75k Fortinet firewalls have admin passwords cracked<\/a> on Double Pulsar.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-326575\" src=\"https:\/\/borncity.com\/blog\/wp-content\/uploads\/2026\/06\/FortiBleed.jpg\" alt=\"FortiBleed\" width=\"588\" height=\"834\" \/><\/p>\n<p>Security researcher Volodymyr \"Bob\" Diachenko summed it up in a few words in the post above on LinkedIn over the weekend. There is a massive brute-force\/exploit campaign aimed at cracking administrator accounts on Fortinet devices. According to <a href=\"https:\/\/arstechnica.com\/security\/2026\/06\/massive-breach-spills-credentials-for-thousands-of-sensitive-networks\/\" target=\"_blank\" rel=\"noopener\">ArsTechnica<\/a>, attackers\u2014presumably Russian-speaking\u2014have managed to gain nearly unrestricted access to such devices via a massive security vulnerability in Fortinet firewalls.<\/p>\n<p>ArsTechnica reports that nearly 74,000 Fortinet devices from more than 21,000 IP addresses in 194 countries have been compromised, and their login credentials have been exposed online in plain text. ArsTechnica also cites Bob Diachenko, a security researcher and head of SecurityDiscovery.com, as well as his post and online interview. Kevin Beaumont even cites nearly 75,000 affected devices, noting that the data is genuine and up-to-date. Nearly all of these Fortinet firewalls are still online.<\/p>\n<p>Diachenko claims to have found the data after gaining access to the attackers' command-and-control server and other infrastructure. The data presumably comes from configuration exports of the devices, as it contains information that is only visible on the device itself. 
It is currently unclear to me how the data could have been exported\u2014a security vulnerability is suspected.<\/p>\n<p>According to Diachenko, the disclosed data also included the industry, revenue, and number of employees for each compromised company. Some of the world's largest and most influential companies are affected, including Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and Fortinet itself.<\/p>\n<p>Companies are advised to patch their FortiGate products and scan their networks for signs of compromise. Hudson Rock has made <a href=\"https:\/\/www.hudsonrock.com\/fortinet\" target=\"_blank\" rel=\"noopener\">this search engine<\/a> available to identify affected domains. It currently lists just under 74,000 affected systems.<\/p>\n<h2>There are three security vulnerabilities<\/h2>\n<p>I came across the following <a href=\"https:\/\/bsky.app\/profile\/theregister.com\/post\/3moix4kzzbt2c\" target=\"_blank\" rel=\"noopener\">tweet<\/a> and the linked article <a href=\"https:\/\/www.theregister.com\/security\/2026\/06\/16\/three-critical-fortinet-sandbox-bugs-splattered-by-unknown-attackers\/5256461\" target=\"_blank\" rel=\"noopener\">Three critical Fortinet sandbox bugs splattered by unknown attackers<\/a> from The Register.<\/p>\n<p><a href=\"https:\/\/www.theregister.com\/security\/2026\/06\/16\/three-critical-fortinet-sandbox-bugs-splattered-by-unknown-attackers\/5256461\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-326582\" src=\"https:\/\/borncity.com\/blog\/wp-content\/uploads\/2026\/06\/Fortinet-Schwachstellen.jpg\" alt=\"Fortinet-Schwachstellen\" width=\"590\" height=\"518\" \/><\/a><\/p>\n<p>According to the threat intelligence firm Defused, there are a total of three critical vulnerabilities in Fortinet's sandbox. 
These are currently being actively exploited.<\/p>\n<p>Fortinet had already patched the two vulnerabilities, <a href=\"https:\/\/fortiguard.fortinet.com\/psirt\/FG-IR-26-112\" target=\"_blank\" rel=\"noopener\">CVE-2026-39813<\/a> and <a href=\"https:\/\/fortiguard.fortinet.com\/psirt\/FG-IR-26-100\" target=\"_blank\" rel=\"noopener\">CVE-2026-39808<\/a>, back in April 2026. The third vulnerability, <a href=\"https:\/\/fortiguard.fortinet.com\/psirt\/FG-IR-26-141\" target=\"_blank\" rel=\"noopener\">CVE-2026-25089<\/a>, was fixed last week. These vulnerabilities allow attackers to bypass authentication, elevate privileges, and execute malicious code, and have been assigned a CVSS score of 9.1. When the vulnerabilities were disclosed, Fortinet stated that no exploitation was known. That now appears to have changed drastically.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Operators of Fortinet products are at risk of having their instances compromised by attackers. This is because the passwords for administrator access to these instances have been cracked. Attackers can take control of the installations and manipulate them at will. 
&hellip; <a href=\"https:\/\/borncity.com\/win\/2026\/06\/18\/fortibleed-administrator-passwords-compromised-on-74000-fortinet-firewalls\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[448,580,1547],"tags":[701,69,1544],"class_list":["post-40168","post","type-post","status-publish","format-standard","hentry","category-devices","category-security","category-software","tag-device","tag-security","tag-software"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/40168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=40168"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/40168\/revisions"}],"predecessor-version":[{"id":40169,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/40168\/revisions\/40169"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=40168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=40168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=40168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}