A Massive Credential-Harvesting Campaign Is Targeting Fortinet Devices Worldwide
A sweeping and highly coordinated cyber espionage campaign has sent shockwaves through the global cybersecurity community. Threat actors are actively targeting Fortinet networking devices across nearly 200 countries, and they have already compiled a working list of credentials for more than 30,000 compromised systems. The scale of this attack is staggering — and the implications for businesses, government agencies, and critical infrastructure operators are severe.
This is not a theoretical threat. Attackers already possess validated, working credentials for a vast number of compromised Fortinet devices, meaning unauthorized access to affected networks could be exploited at any moment. Security teams around the world are being urged to act immediately.
What Is Credential Harvesting and Why Does It Matter?
Credential harvesting is a cyberattack technique in which malicious actors steal usernames, passwords, and authentication tokens — often in bulk — to gain unauthorized access to systems, applications, and networks. Unlike a simple brute-force attack, credential harvesting is precise and efficient. Once attackers have a verified list of working credentials, they can log in to affected systems as though they are legitimate users, making detection exceptionally difficult.
In the context of Fortinet devices — which include firewalls, VPN gateways, and network access controllers deployed across enterprise and government environments — stolen credentials represent the keys to an organization's entire network perimeter. The attacker who holds those keys can intercept traffic, move laterally through internal systems, exfiltrate sensitive data, or deploy ransomware at a time of their choosing.
The Scope of the Attack: Nearly 200 Countries Affected
What makes this particular campaign so alarming is its extraordinary geographic breadth. Victims have been identified across nearly 200 countries, spanning virtually every sector of the global economy. Financial institutions, healthcare organizations, government bodies, telecommunications providers, and manufacturing companies are all reportedly among those targeted.
The near-universal reach of this campaign strongly suggests that the attackers were either exploiting a widely deployed vulnerability in Fortinet's product line or leveraging an automated scanning and exploitation tool capable of identifying exposed devices at internet scale. Either scenario points to a sophisticated, well-resourced threat actor — possibly a nation-state or a criminal group operating at an advanced persistent threat (APT) level.
How the Attack Likely Unfolded
While a full technical attribution is still being investigated, the attack pattern is consistent with the exploitation of known or zero-day vulnerabilities in Fortinet's FortiOS or FortiGate products. Fortinet devices are among the most widely deployed network security appliances in the world, making them an exceptionally high-value target for adversaries looking to compromise large numbers of organizations in a single campaign.
Initial Access and Exploitation
Attackers likely began by mass-scanning the internet for Fortinet devices running vulnerable firmware versions. Upon identifying exposed targets, they exploited the vulnerability to gain initial access — often without requiring any credentials at all. From there, they extracted stored credentials, session tokens, or configuration files that contained authentication data.
Compilation of a Working Credential List
Perhaps most chilling is the report that attackers have already validated and compiled a list of working credentials. This means they did not merely collect raw data — they actively tested the stolen credentials to confirm which ones grant access to live systems. The resulting database represents an immediately actionable offensive resource that could be deployed in follow-on attacks at any time.
Persistence and Lateral Movement
With verified credentials in hand, attackers can re-enter compromised networks even after initial vulnerabilities are patched, provided that passwords are not changed and sessions are not invalidated. They can also use these footholds for lateral movement — pivoting from the network perimeter into internal systems, cloud environments, and connected third-party services.
Which Sectors Are Most at Risk?
Given the cross-sector, cross-border nature of this campaign, virtually any organization using Fortinet devices should consider itself a potential target. However, certain sectors face heightened risk due to the sensitivity of the data they handle or the critical nature of their operations. These include government and defense agencies handling classified or sensitive information, financial services firms managing high-value transactions and client data, healthcare providers storing protected health information and operating life-critical systems, energy and utility operators whose compromise could affect public safety, and telecommunications providers whose networks carry vast amounts of private communications.
Organizations in these sectors should treat this threat as an active emergency rather than a hypothetical risk.
Immediate Steps Every Fortinet User Should Take
If your organization uses Fortinet devices of any kind — particularly FortiGate firewalls or FortiOS-based systems — the following actions should be treated as urgent priorities.
1. Patch All Fortinet Devices Immediately
Ensure that all Fortinet appliances are running the latest available firmware. Fortinet regularly releases security advisories and patches; any unpatched device is a potential entry point. Check the Fortinet Product Security Incident Response Team (PSIRT) advisories for the most current guidance relevant to your device models and firmware versions.
2. Rotate All Credentials Without Delay
Because attackers have already compiled a list of working credentials, patching alone is not sufficient. Every password, API key, and authentication token associated with your Fortinet devices must be rotated immediately. This includes VPN user accounts, administrative accounts, and any service accounts configured on affected appliances.
3. Audit Logs for Signs of Unauthorized Access
Review authentication and access logs on all Fortinet devices for anomalous activity, including logins from unexpected geographic locations, unusual access times, or unfamiliar IP addresses. Many organizations will find that attackers have already accessed their systems and may have taken steps to establish persistence.
4. Enable Multi-Factor Authentication
Multi-factor authentication (MFA) is one of the most effective defenses against credential theft. Even if an attacker possesses a valid username and password, MFA adds an additional layer of verification that significantly raises the bar for unauthorized access. If MFA is not already enabled on your Fortinet administrative interfaces and VPN portals, enabling it should be an immediate priority.
5. Segment Your Network
Network segmentation limits the blast radius of a successful intrusion. If an attacker gains access through a compromised Fortinet device, robust segmentation can prevent them from moving freely across your internal environment. Review your current segmentation policies and tighten them where necessary.
The Broader Cybersecurity Lesson
This incident is a stark reminder that network security appliances — the very devices organizations deploy to protect their perimeters — are themselves high-value targets. Attackers know that compromising a firewall or VPN gateway provides privileged access to everything behind it. As such, these devices must be managed with the same rigor and urgency as any other critical system in the environment.
Patch management, credential hygiene, multi-factor authentication, and continuous monitoring are not optional best practices — they are essential defenses in an era where threat actors operate at global scale and with remarkable efficiency. The 30,000-plus organizations already compromised in this campaign are a sobering testament to what happens when those defenses fall short.
Stay vigilant, act fast, and treat every unpatched device as an open door. In today's threat landscape, it very well may be.