ACSC Issues Urgent Alerts on FortiBleed Threat as Fortinet Confirms Compromise of 30,000 Devices Worldwide


The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate, has issued critical alerts regarding a significant security breach affecting Fortinet Firewalls and VPN Gateways. This incident, referred to as “FortiBleed,” has raised alarms due to its extensive reach and the potential implications for organizations globally.

The ACSC’s initial alert, released on June 18, highlighted an ongoing malicious campaign targeting Fortinet devices. The campaign relies on previously exposed credentials rather than a new software flaw: attackers log in with leaked passwords, and each device taken over in this way can expose further credentials and lead to additional compromises. The alert followed an analysis by SOCRadar, which indicated the scale of the threat.

Nature of the Threat

The ACSC emphasized that the exploitation of these credentials could grant malicious actors remote access to compromised devices and connected networks. This access allows attackers to modify various settings, including critical security controls. According to SOCRadar, the adversaries behind this campaign are believed to be Russian-speaking and have successfully compromised over 30,000 devices across 200 countries, including Australia.

Once a device is infiltrated, attackers utilize it as a listening post to monitor traffic and capture any additional credentials that may pass through. This self-perpetuating cycle enables them to compromise even more devices. The password list employed by the attackers is not random; it consists of credentials previously leaked from Fortinet devices during earlier incidents. Many targeted organizations may not have updated their passwords since those breaches, making them particularly vulnerable.

Ongoing Developments

On June 22, the ACSC reissued its alert in light of updated guidance from Fortinet, which was made public the previous week. The ACSC urged affected organizations to review Fortinet’s blog post and additional recommendations regarding the ongoing threat.

Fortinet’s Situational Analysis report, published on June 19, clarified that the current situation does not stem from a new vulnerability within Fortinet products. Instead, it involves the reuse of credentials compromised in two earlier incidents from December 2025 and January 2026. Fortinet has reiterated the importance of following the remediation steps outlined in previous advisories.

Recommended Actions for Organizations

In response to the ongoing threat, Fortinet has shared a set of six recommendations that organizations should implement immediately on any compromised devices:

  1. Terminate all admin and VPN sessions and reset credentials: Organizations should terminate all active administrative sessions and reset all Fortinet VPN and administrative passwords, particularly for internet-facing systems. Strong password policies must be enforced.

  2. Implement Multi-Factor Authentication (MFA): MFA should be enabled for all administrator and VPN user accounts to enhance security.

  3. Upgrade to the latest software versions: Organizations are advised to upgrade to the latest versions of Fortinet software (7.4, 7.6, or 8.0), which support PBKDF2 hashing of administrator credentials. PBKDF2 makes offline cracking of hashes recovered from a leaked configuration far more expensive than legacy hashes do. Fortinet’s guidance should be followed to remove older legacy password settings. Note that a new hashing scheme only applies to passwords set after the upgrade, so this step should be paired with the credential reset in step 1.

  4. Validate configuration: A thorough review of firewall and VPN configurations is necessary to identify unauthorized changes. Comparing configurations to a known good state is recommended, with particular attention to unrecognized accounts.

  5. Check logs for suspicious activity: Organizations should monitor logs for unexpected administrator access from unknown IP addresses, as well as any signs of lateral movement or unauthorized configuration changes.

  6. Reduce attack surface and lock down management access: External management access should be restricted to trusted hosts, implemented through a local-in policy, or ideally, removed altogether from internet administration.
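The following script is an added example, not Fortinet's tooling or code from the advisory. It shows how steps 4 and 5 above can be turned into a repeatable check: it parses FortiOS-style key=value event log lines and flags successful administrator logins from outside a trusted management range, configuration changes made from untrusted addresses, and administrator accounts that do not appear in a known-good list. The log lines, the trusted range (192.0.2.0/24), the account names and the log field values are all constructed for the example; the field names follow the FortiOS event log layout, but verify them against logs from your own devices before relying on the rules.

```python
"""Triage FortiGate event logs for the indicators named in the advisory:
admin logins from untrusted IPs, admin account additions, and config edits
made from untrusted IPs. Added example; not Fortinet's own tooling."""
import ipaddress
import re

# Constructed sample log lines (approximate FortiOS system-event format).
SAMPLE_LOGS = """\
date=2026-06-18 time=09:12:01 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)" srcip=192.0.2.10 action="login" status="success" msg="Administrator admin logged in successfully from https(192.0.2.10)"
date=2026-06-18 time=23:41:17 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="login" status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.77)"
date=2026-06-18 time=23:42:05 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"
date=2026-06-18 time=23:43:30 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77 action="Edit" cfgpath="system.interface" cfgobj="wan1" cfgattr="allowaccess[https ssh]" msg="Edit system.interface wan1"
date=2026-06-19 time=08:03:44 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed" msg="Administrator admin login failed from https(198.51.100.9)"
"""

# Assumed known-good state: the management range and admin accounts you expect.
TRUSTED_MGMT = [ipaddress.ip_network("192.0.2.0/24")]
KNOWN_ADMINS = {"admin", "netops"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value FortiOS log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_trusted(ip):
    """True if ip falls inside one of the trusted management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT)


def triage(log_text):
    """Return a list of (severity, reason, record) findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        src = rec.get("srcip", "")
        untrusted = not is_trusted(src)
        is_login = rec.get("action") == "login"

        # Step 5: administrator access from an address you do not manage from.
        if is_login and rec.get("status") == "success" and untrusted:
            findings.append(("high", f"admin login from untrusted IP {src}", rec))
        elif is_login and rec.get("status") == "failed" and untrusted:
            findings.append(("low", f"failed admin login from untrusted IP {src}", rec))

        # Step 4: unrecognized accounts and unauthorized configuration changes.
        if rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            name = rec.get("cfgobj", "")
            sev = "low" if name in KNOWN_ADMINS else "high"
            findings.append((sev, f"admin account added: {name}", rec))
        elif rec.get("cfgpath") and untrusted:
            findings.append(("high", f"config change to {rec['cfgpath']} from untrusted IP {src}", rec))
    return findings


if __name__ == "__main__":
    for sev, reason, rec in triage(SAMPLE_LOGS):
        print(f"[{sev}] {rec['date']} {rec['time']} user={rec.get('user')} {reason}")
```

Run against the constructed sample, the script reports three high-severity findings (the late-night SSH login from 203.0.113.77, the creation of the unknown account support_tmp, and the change to the wan1 allowaccess setting from the same address) and one low-severity failed login. The same three indicators are exactly what a comparison against a known-good configuration would surface, so keeping the trusted range and admin list in version control alongside the script gives you a baseline to diff against after each incident.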

Fortinet has also highlighted its FortiGuard Incident Response service, which allows customers to request investigations into their networks.

Conclusion

Fortinet has committed to a thorough investigation of the incident and is collaborating with relevant government agencies. The company has emphasized its dedication to customer security and transparency throughout this process. As the situation evolves, organizations are urged to remain vigilant and proactive in implementing the recommended security measures to mitigate risks associated with the FortiBleed threat.

For further details on this ongoing situation and to access Fortinet’s guidance, organizations can refer to the report published on June 19. Source: www.cyberdaily.au.
