ACSC Issues Urgent Alerts on FortiBleed Threat as Fortinet Confirms Compromise of Over 30,000 Devices Globally
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, has raised alarms over a significant security breach affecting Fortinet Firewalls and VPN Gateways. This incident, termed “FortiBleed,” has implications for organizations worldwide, highlighting the urgent need for enhanced cybersecurity measures.
On June 18, the ACSC issued an initial alert detailing an ongoing malicious campaign targeting Fortinet devices. The campaign relies primarily on previously exposed credentials and credential-based attacks, which can lead to further compromises and the exposure of additional credentials. The alert followed an analysis by SOCRadar, which underscored the extensive nature of the threat.
Nature of the Threat
The ACSC has indicated that the exploitation of these credentials could provide malicious actors with remote access to compromised devices and their connected networks. Such access allows attackers to modify various settings, including critical security controls. SOCRadar reports that the adversaries involved in this campaign are believed to be Russian-speaking and have successfully compromised over 30,000 devices across 200 countries, including Australia.
Once a device is infiltrated, attackers can use it as a listening post to monitor traffic and capture any additional credentials that may pass through. This creates a self-perpetuating cycle, enabling further compromises. The password list utilized by the attackers is not arbitrary; it consists of credentials previously leaked from Fortinet devices during earlier incidents. Many targeted organizations may not have updated their passwords since those breaches, rendering them particularly vulnerable.
Ongoing Developments
On June 22, the ACSC reissued its alert in light of updated guidance from Fortinet, which was made public the previous week. The ACSC urged affected organizations to review Fortinet’s blog post and additional recommendations regarding the ongoing threat.
Fortinet’s Situational Analysis report, published on June 19, clarified that the current situation does not arise from a new vulnerability within Fortinet products. Instead, it involves the reuse of credentials compromised in two earlier incidents from December 2025 and January 2026. Fortinet has reiterated the importance of adhering to the remediation steps outlined in previous advisories.
Recommended Actions for Organizations
In response to the ongoing threat, Fortinet has outlined a set of six recommendations that organizations should implement immediately on any compromised devices:
- Terminate all admin and VPN sessions and reset credentials: Organizations should terminate all active administrative sessions and reset all Fortinet VPN and administrative passwords, especially for internet-facing systems. Strong password policies must be enforced.
- Implement Multi-Factor Authentication (MFA): MFA should be enabled for all administrator and VPN user accounts to bolster security.
- Upgrade to the latest software versions: Organizations are advised to upgrade to the latest versions of Fortinet software (7.4, 7.6, or 8.0), which support PBKDF2 hashing of administrator credentials. Fortinet's guidance on removing older legacy password settings should also be followed.
- Validate configuration: A thorough review of firewall and VPN configurations is necessary to identify unauthorized changes. Comparing configurations to a known good state is recommended, with particular attention to unrecognized accounts.
- Check logs for suspicious activity: Organizations should monitor logs for unexpected administrator access from unknown IP addresses, as well as any signs of lateral movement or unauthorized configuration changes.
- Reduce attack surface and lock down management access: External management access should be restricted to trusted hosts through a local-in policy or, ideally, removed from internet-facing interfaces altogether.
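The two review steps in the list above, validating the configuration and checking logs, are the ones a defender can partly automate. The script below is an added illustration, not Fortinet's tooling or code from the article: it parses FortiOS-style key=value event log lines to flag successful administrator logins from outside a trusted management range, repeated failed logins from one source, and any edit to the administrator account table, and it compares the administrator accounts in a running configuration against a known-good baseline. The log lines and configuration excerpt are constructed samples, and the field names (`srcip`, `action`, `status`, `cfgpath`, `cfgobj`) and the `config system admin` layout are assumptions about the log and config schema, so map them to what your own devices emit before relying on the output.

```python
"""Added defender-side review helper for Fortinet-style logs and configs.

Not Fortinet's code and not from the article. Field names and the
config layout are assumptions; all sample data below is constructed.
"""
import ipaddress
import re
from collections import Counter

# key=value pairs where the value is either double-quoted or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample event log lines (not real telemetry).
SAMPLE_LOGS = [
    'date=2026-06-20 time=02:11:01 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.23 ui="https(198.51.100.23)"',
    'date=2026-06-20 time=02:11:03 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.23 ui="https(198.51.100.23)"',
    'date=2026-06-20 time=02:11:05 type="event" subtype="system" action="login" status="failed" user="admin" srcip=198.51.100.23 ui="https(198.51.100.23)"',
    'date=2026-06-20 time=02:11:09 type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.23 ui="https(198.51.100.23)"',
    'date=2026-06-20 time=02:12:40 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="support_tmp" user="admin" srcip=198.51.100.23',
    'date=2026-06-20 time=09:30:00 type="event" subtype="system" action="login" status="success" user="netops" srcip=10.10.5.7 ui="ssh(10.10.5.7)"',
]

# Constructed configuration excerpt in the assumed "config system admin" style.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set trusthost1 10.10.5.0 255.255.255.0
    next
    edit "netops"
        set trusthost1 10.10.5.0 255.255.255.0
    next
    edit "support_tmp"
        set accprofile "super_admin"
    next
end
"""
BASELINE_ADMINS = {"admin", "netops"}  # the known-good account list


def parse_kv(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def review_logs(lines, trusted_nets, failed_threshold=3):
    """Return (kind, detail) findings for the log lines given.

    trusted_nets: CIDR strings from which admin logins are expected.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    failures = Counter()
    for line in lines:
        rec = parse_kv(line)
        src = rec.get("srcip")
        outside = src is not None and not any(
            ipaddress.ip_address(src) in n for n in nets
        )
        if rec.get("action") == "login":
            if rec.get("status") == "failed":
                failures[src] += 1
            elif rec.get("status") == "success" and outside:
                findings.append(("admin_login_untrusted_source",
                                 f'{rec.get("user")} from {src}'))
        # Any change to the admin account table deserves a human look.
        if rec.get("cfgpath") == "system.admin":
            findings.append(("admin_account_changed",
                             f'{rec.get("action")} {rec.get("cfgobj")} by '
                             f'{rec.get("user")} from {src}'))
    for src, n in failures.items():
        if n >= failed_threshold:
            findings.append(("repeated_failed_logins", f"{src}: {n}"))
    return findings


ADMIN_EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"', re.M)


def admin_accounts(config_text):
    """Extract account names from the 'config system admin' block."""
    block = config_text.split("config system admin", 1)[1].split("\nend", 1)[0]
    return set(ADMIN_EDIT_RE.findall(block))


def unrecognised_admins(config_text, baseline):
    """Accounts present in the running config but absent from the baseline."""
    return admin_accounts(config_text) - set(baseline)


if __name__ == "__main__":
    for kind, detail in review_logs(SAMPLE_LOGS, ["10.10.0.0/16"]):
        print(f"{kind}: {detail}")
    print("unrecognised admins:", unrecognised_admins(SAMPLE_CONFIG, BASELINE_ADMINS))
```

Run against the constructed samples, the log review reports the successful `admin` login from 198.51.100.23, the three preceding failures from that address, and the creation of `support_tmp`, while the configuration check reports `support_tmp` as an account not in the baseline. The threshold and trusted ranges are parameters so the same functions can be pointed at exported logs and a saved configuration.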
Fortinet has also highlighted its FortiGuard Incident Response service, allowing customers to request investigations into their networks.
For further details on this ongoing situation, organizations are encouraged to consult the original reporting source. Source: cyberwarriorsmiddleeast.com.
Published on 2026-06-22 08:05:00 • By the Editorial Desk

