Cybercriminals Allegedly Hacked Tens of Thousands of Fortinet Firewalls Used by Major Companies Worldwide

An alleged Russian-speaking cybercriminal group is compromising Fortinet firewalls and VPNs at major companies using previously known passwords.

18 June 2026 · 5 min read

A large-scale cyberattack campaign is making waves across the global cybersecurity community. An alleged Russian-speaking group of cybercriminals is reportedly compromising tens of thousands of Fortinet firewalls and VPN devices deployed by major corporations around the world. What makes this incident particularly alarming is the attack vector: the hackers are exploiting previously known, unchanged passwords — a sobering reminder that even enterprise-grade security hardware is only as strong as the credentials protecting it.

This wave of intrusions highlights critical vulnerabilities in how organizations manage network security, credential hygiene, and patch compliance. If your organization uses Fortinet products, now is the time to act.

What We Know About the Fortinet Firewall Breach

According to reports, an alleged Russian-speaking cybercriminal group has been systematically targeting organizations that rely on Fortinet firewalls and virtual private networks (VPNs). The attackers appear to be leveraging previously exposed or default credentials — passwords that were either leaked in earlier data breaches, never changed from factory defaults, or simply never rotated after prior security incidents.

The scale of the campaign is significant. Tens of thousands of devices are believed to have been affected, spanning major enterprises across multiple industries and geographic regions. This is not a narrowly targeted espionage operation — it appears to be a broad, opportunistic sweep designed to maximize access to as many corporate networks as possible.

Fortinet firewalls and VPN appliances are widely deployed across Fortune 500 companies, financial institutions, healthcare networks, and government-adjacent organizations. A successful breach of these perimeter security devices can give attackers an initial foothold that leads to lateral movement, data exfiltration, ransomware deployment, or long-term espionage.

Why Previously Known Passwords Are Such a Dangerous Attack Vector

The use of previously known passwords as an attack method is not new — but it remains devastatingly effective. Credential-based attacks succeed for several compounding reasons.

  • Password reuse: Many organizations reuse the same credentials across multiple systems and devices, meaning a single leaked password can unlock far more than just one entry point.
  • Delayed credential rotation: When a data breach is disclosed, affected organizations do not always rotate all relevant credentials promptly or comprehensively. Months or even years later, those same passwords remain active on network devices like firewalls.
  • Default credentials left unchanged: Enterprise network appliances are sometimes deployed with manufacturer default usernames and passwords that IT teams forget — or fail — to change during initial setup.
  • Credential exposure from past incidents: Fortinet has experienced and disclosed several vulnerabilities in recent years, some of which involved credential exposure. Organizations that did not fully remediate those incidents may still have compromised credentials in use.

For a threat actor with access to a compiled database of leaked credentials — which are widely available on dark web forums — systematically scanning for Fortinet devices and attempting known passwords is a low-effort, high-reward strategy. Automated tools can probe thousands of devices in a matter of hours.

The Threat Actor Profile: Who Is Behind This Campaign?

The group responsible for this campaign has been described as allegedly Russian-speaking, though attribution in cybercrime cases is always complex and should be treated with appropriate caution until confirmed by authoritative investigators. Russian-speaking cybercriminal ecosystems have historically been associated with some of the most prolific ransomware gangs, data extortion operations, and access broker networks in the world.

Access brokers — cybercriminals who specialize in gaining initial access to corporate networks and selling that access to other threat actors — are a particular concern here. Even if the group conducting the initial intrusion has no immediate destructive intent, the compromised access to thousands of corporate firewalls represents an extraordinarily valuable commodity on criminal marketplaces. That access could subsequently be sold to ransomware operators, state-sponsored espionage groups, or other malicious actors.

This layered criminal ecosystem means that the downstream impact of this campaign could extend far beyond the initial breach, potentially affecting organizations for months or years after the initial compromise.

How to Protect Your Organization from Fortinet-Targeted Attacks

Whether or not your organization has already been affected, the following steps are essential for reducing your exposure and strengthening your network perimeter security posture.

  • Audit and rotate all Fortinet credentials immediately: Review every administrative account, VPN user account, and service credential associated with your Fortinet infrastructure. Change all passwords to strong, unique values and ensure no default credentials remain in use.
  • Enable multi-factor authentication (MFA): MFA is one of the most effective controls against credential-based attacks. Even if a password is compromised, MFA significantly raises the bar for unauthorized access on Fortinet VPNs and management interfaces.
  • Patch and update firmware: Ensure all Fortinet appliances are running the latest firmware versions. Several past Fortinet vulnerabilities have involved authentication bypasses and credential exposure, and unpatched devices remain at elevated risk.
  • Review access logs for suspicious activity: Look for unusual login times, unfamiliar source IP addresses, repeated failed authentication attempts, or logins from unexpected geographic locations. These can all be indicators of unauthorized access or active probing.
  • Restrict management interface exposure: Fortinet management interfaces and VPN portals should never be directly exposed to the open internet without strict access controls. Implement IP allowlisting where possible and use zero-trust network access principles.
  • Cross-reference credentials against breach databases: Use tools such as Have I Been Pwned or enterprise-grade credential monitoring services to check whether any credentials associated with your Fortinet devices have been exposed in past data breaches.
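The log review step above is the one that most benefits from a concrete illustration. The following Python script is an added example, not code from the article or from Fortinet: it parses VPN login events and flags the patterns the article names (repeated failed authentication from one source, a success following a burst of failures, logins outside business hours, and logins from unexpected countries). The sample lines are constructed in a key=value syslog style resembling FortiGate event logs; the field names `remip`, `user`, `action`, `srccountry` and the action values `ssl-login` / `ssl-login-fail` are assumptions for this example, so map them to the actual fields your devices emit before using it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a key=value syslog style resembling FortiGate
# VPN event logs. The field names (remip, user, action, srccountry) and the
# action values are assumptions made for this example, not a statement of
# the vendor's exact schema. Addresses come from RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
date=2026-06-17 time=02:11:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" srccountry="Unknown"
date=2026-06-17 time=02:11:09 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="jsmith" srccountry="Unknown"
date=2026-06-17 time=02:11:14 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="mlee" srccountry="Unknown"
date=2026-06-17 time=02:11:20 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin" srccountry="Unknown"
date=2026-06-17 time=02:11:31 type="event" subtype="vpn" action="ssl-login" remip=203.0.113.10 user="jsmith" srccountry="Unknown"
date=2026-06-17 time=09:15:02 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.7 user="agarcia" srccountry="Germany"
date=2026-06-17 time=14:29:40 type="event" subtype="vpn" action="ssl-login-fail" remip=192.0.2.55 user="mlee" srccountry="United States"
date=2026-06-17 time=14:30:05 type="event" subtype="vpn" action="ssl-login" remip=192.0.2.55 user="mlee" srccountry="United States"
date=2026-06-17 time=23:48:10 type="event" subtype="vpn" action="ssl-login" remip=203.0.113.44 user="admin" srccountry="Germany"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict and attach a datetime as 'ts'."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"],
                                         "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def analyze(events, fail_threshold=3, window=timedelta(minutes=15),
            allowed_countries=frozenset({"Germany", "United States"}),
            business_hours=(7, 19)):
    """Return the indicators the article lists, keyed by indicator name.

    - spraying_sources: sources with >= fail_threshold failed logins, plus how
      many distinct usernames they tried (many users from one IP suggests a
      credential list being replayed rather than one user mistyping).
    - success_after_failures: a successful login from a source that failed at
      least twice within the preceding window.
    - off_hours_logins: successful logins outside business_hours (local time).
    - unexpected_geo: successful logins whose srccountry is not on the allowlist.
    """
    events = sorted(events, key=lambda e: e["ts"])
    fails_by_src = defaultdict(list)  # remip -> [(ts, user), ...]
    findings = {"spraying_sources": {}, "success_after_failures": [],
                "off_hours_logins": [], "unexpected_geo": []}

    for e in events:
        src, user, ts = e.get("remip"), e.get("user"), e["ts"]
        if e.get("action") == "ssl-login-fail":
            fails_by_src[src].append((ts, user))
        elif e.get("action") == "ssl-login":
            recent = [u for (t, u) in fails_by_src[src] if ts - t <= window]
            if len(recent) >= 2:
                findings["success_after_failures"].append((src, user, ts.isoformat(sep=" ")))
            if not (business_hours[0] <= ts.hour < business_hours[1]):
                findings["off_hours_logins"].append((src, user, ts.isoformat(sep=" ")))
            if e.get("srccountry") not in allowed_countries:
                findings["unexpected_geo"].append((src, user, e.get("srccountry")))

    for src, fails in fails_by_src.items():
        if len(fails) >= fail_threshold:
            findings["spraying_sources"][src] = {
                "failures": len(fails),
                "distinct_users": len({u for _, u in fails}),
            }
    return findings


if __name__ == "__main__":
    for name, hits in analyze(parse_logs(SAMPLE_LOGS)).items():
        print(f"{name}: {hits}")
```

In the constructed data, 203.0.113.10 trips every indicator at once (four failures across three usernames, then a success, at 02:11 from an unlisted country), which is the signature worth paging on; 192.0.2.55 shows one mistyped password followed by a normal login and stays quiet; 203.0.113.44 is flagged only for the hour, which on its own deserves a look rather than an alarm. Thresholds, the time window and the country allowlist are parameters precisely because the right values depend on your user base and time zones.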

The Bigger Picture: Why Perimeter Security Hygiene Has Never Mattered More

This campaign serves as a stark reminder that perimeter security devices — firewalls, VPNs, and network gateways — are high-value targets precisely because they sit at the boundary between the public internet and internal corporate infrastructure. Compromising a firewall does not just provide access to one system; it can provide access to everything behind it.

Over the past several years, Fortinet products have been repeatedly targeted by threat actors ranging from opportunistic criminals to nation-state hackers. The company has disclosed multiple critical vulnerabilities, including authentication bypasses and remote code execution flaws, some of which were actively exploited before patches were widely applied. This history makes ongoing vigilance around Fortinet environments especially important.

The security community has long emphasized that technology alone cannot protect an organization. The human and operational dimensions of security — credential management, patch discipline, access control policy, and incident response readiness — are just as critical as the hardware and software an organization deploys. This latest campaign proves that point painfully well.

Final Thoughts: Act Now, Not Later

The alleged compromise of tens of thousands of Fortinet firewalls is a wake-up call for IT and security teams worldwide. The attack method — leveraging previously known passwords — is straightforward, scalable, and entirely preventable with the right security hygiene in place. Organizations that act quickly to rotate credentials, enforce MFA, apply patches, and audit their Fortinet environments can significantly reduce their risk of being caught up in this or future campaigns targeting network perimeter devices.

Cybersecurity threats are not slowing down. The organizations that survive and thrive in this environment are those that treat security as an ongoing operational discipline rather than a one-time deployment. Do not wait for a breach notification to prompt action — start your Fortinet security review today.

Tags: Fortinet firewall hack, Fortinet VPN breach, cybercriminals Fortinet, network security breach, firewall vulnerability 2024