Safety · Jun 18, 2026

Researchers uncover large-scale compromise of Fortinet firewalls exposing enterprise credentials

Compromised devices span 194 countries; attackers used custom tools and GPU clusters to crack passwords and move laterally into corporate networks.

TL;DR
  • Nearly 74,000 Fortinet devices across 194 countries were compromised, exposing plaintext credentials for thousands of organizations.
  • Attackers used a custom binary with 25,000 threads and a 45-GPU cluster to crack VPN authentication hashes and move laterally into Active Directory environments.
  • Affected organizations include Oracle, Chevron, Lenovo, FedEx, a NATO defense contractor, and Fortinet itself.
  • Researchers warn that the scale and sophistication of the operation pose severe real-world risks, including confirmed network compromises and data exfiltration.

Security researchers report that threat actors compromised nearly 74,000 Fortinet FortiGate devices across more than 21,000 IP addresses in 194 countries, exposing plaintext credentials for thousands of organizations. The affected entities include Oracle, Chevron, Lenovo, FedEx, a NATO defense contractor, and Fortinet itself, according to independent researcher Bob Diachenko and security firm Hudson Rock.

The attackers began by mass-scanning the internet for FortiGate remote login endpoints and then used a custom binary with 25,000 threads to spray endpoints with thousands of login and password combinations. Successful logins gave the actors a foothold inside targeted networks, where they proceeded to intercept and crack SSL VPN authentication hashes using a dedicated 45-GPU cluster managed via Hashtopolis.
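As an added illustration (not code from the researchers, Hudson Rock, or Fortinet), the sketch below shows how the spraying pattern described above can be detected in authentication logs: one source address failing logins against many distinct accounts in a short window, followed by a success. The log layout, field names, thresholds, and sample lines are constructed assumptions, not an actual FortiGate log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value layout (assumed field
# names, not a real FortiGate schema). 203.0.113.7 sprays many accounts and
# then succeeds; 198.51.100.4 is a single user mistyping a password.
SAMPLE_LOG = """\
time=2026-06-17T02:00:01 srcip=203.0.113.7 user=alice status=failed
time=2026-06-17T02:00:02 srcip=198.51.100.4 user=gina status=failed
time=2026-06-17T02:00:02 srcip=203.0.113.7 user=bob status=failed
time=2026-06-17T02:00:03 srcip=203.0.113.7 user=carol status=failed
time=2026-06-17T02:00:04 srcip=203.0.113.7 user=dave status=failed
time=2026-06-17T02:00:05 srcip=203.0.113.7 user=erin status=failed
time=2026-06-17T02:00:06 srcip=203.0.113.7 user=frank status=failed
time=2026-06-17T02:00:09 srcip=203.0.113.7 user=svc_vpn status=success
time=2026-06-17T02:00:20 srcip=198.51.100.4 user=gina status=failed
time=2026-06-17T02:01:00 srcip=198.51.100.4 user=gina status=success
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    rec = dict(KV.findall(line))
    rec["time"] = datetime.fromisoformat(rec["time"])
    return rec

def find_spraying(lines, min_users=5, window=timedelta(minutes=10)):
    """Flag sources with failed logins against >= min_users distinct accounts
    inside `window`, and list accounts they later logged in to successfully."""
    fails = defaultdict(list)  # srcip -> [(time, user)] of failed attempts
    flagged = {}
    records = sorted(map(parse, filter(str.strip, lines)), key=lambda r: r["time"])
    for rec in records:
        ip, user, t = rec["srcip"], rec["user"], rec["time"]
        if rec["status"] == "failed":
            fails[ip].append((t, user))
            recent = {u for ts, u in fails[ip] if t - ts <= window}
            if len(recent) >= min_users:
                entry = flagged.setdefault(ip, {"users": 0, "compromised": []})
                entry["users"] = max(entry["users"], len(recent))
        elif rec["status"] == "success" and ip in flagged:
            # A success from a source already seen spraying: treat the
            # account as compromised and rotate its credentials.
            flagged[ip]["compromised"].append(user)
    return flagged

if __name__ == "__main__":
    print(find_spraying(SAMPLE_LOG.splitlines()))
```

Counting distinct usernames per source, rather than raw failures, is what separates spraying from a single user repeatedly mistyping a password.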

Hudson Rock stated that the attackers employed a feedback-driven, 12-level recursive cracking system, feeding successful password guesses back into the process to generate more candidates. The technique combined custom dictionaries, keyboard patterns, and rules to iteratively refine password recovery.

Kevin Beaumont, an independent researcher, reported that almost all compromised devices remained online as of Wednesday morning and confirmed with multiple organizations that the exposed credentials were real and current. In many cases, the attackers moved laterally to compromise centralized authentication systems such as RADIUS servers and Microsoft Active Directory.

Diachenko and Hudson Rock urged Fortinet users to investigate their networks immediately for signs of compromise. Hudson Rock provided a search engine to help organizations identify affected domains. Researchers noted that the scale of the operation touched nearly every sector of the global economy, with top affected industries including IT services, construction materials, telecommunications, construction and engineering, industrial equipment, and financial services.

The compromised devices represent roughly half of all internet-facing Fortinet firewalls, based on polling from Shodan. The top countries with compromised devices included India, the US, Taiwan, Mexico, Turkey, and Thailand. Additional organizations listed in the attackers’ database included Foxconn, Samsung, Comcast, Siemens, PwC, and Accenture, as well as major government agencies and critical infrastructure providers.

Researchers emphasized that firewalls are frequent targets because they accept external connections and sit at the network perimeter with access to valuable internal resources. They warned that the exposed data had been accessible to cybercriminals and other threat actors, amplifying the risk of further exploitation.

Sources
  1. Ars Technica, Technology Lab: Massive breach spills credentials for thousands of sensitive networks