Sweeping Credential-Harvesting Heist Compromises 30,000+ Fortinet Devices
A large-scale and highly coordinated cyberattack campaign is actively targeting Fortinet networking devices across the globe, with threat actors having already compiled a working list of stolen credentials from more than 30,000 compromised devices spanning nearly 200 countries. The scope of this credential-harvesting heist has alarmed cybersecurity professionals, government agencies, and enterprise IT teams alike — and the attack shows no signs of slowing down.
For organizations relying on Fortinet solutions for perimeter security, VPN access, and network management, this breach represents a critical and urgent threat. Understanding how the attack works, who is being targeted, and what defensive steps must be taken immediately is no longer optional — it is a matter of organizational survival.
What Is a Credential-Harvesting Attack?
Before diving into the specifics of this campaign, it helps to understand what credential harvesting actually means in practical terms. A credential-harvesting attack is a method by which malicious actors extract usernames, passwords, session tokens, or other authentication data from targeted systems. Unlike ransomware attacks that announce themselves loudly, credential-harvesting operations are often silent and designed to persist undetected for as long as possible.
Once attackers obtain valid credentials, they gain the ability to log in to systems as legitimate users — bypassing many traditional security controls without triggering obvious alarms. These stolen credentials can then be used directly for unauthorized access, sold on dark web marketplaces, or leveraged as a launchpad for deeper intrusions, including lateral movement across enterprise networks, data exfiltration, and ransomware deployment.
The Scale and Reach of the Fortinet Campaign
What makes this particular campaign so alarming is its sheer scale and geographic breadth. Attackers have already assembled a database of working credentials tied to more than 30,000 Fortinet devices, and the countries affected stretch across virtually every region of the world — nearly 200 in total. This is not a targeted strike against a single industry or nation; it is a sweeping, opportunistic operation designed to compromise as many vulnerable devices as possible.
Sectors impacted reportedly include financial services, healthcare, government, telecommunications, manufacturing, and critical infrastructure — essentially any organization using Fortinet hardware or software that has not applied the relevant patches or hardened its configuration. The attackers appear to be conducting ongoing reconnaissance and harvesting operations, meaning the list of compromised devices is actively growing.
How the Attackers Are Exploiting Fortinet Devices
Fortinet products — including FortiGate firewalls and FortiOS-powered devices — have been targeted in previous high-profile campaigns, and known vulnerabilities in these products have been catalogued and weaponized by threat actors for years. This current campaign appears to be exploiting unpatched or misconfigured devices, capitalizing on the unfortunate reality that many organizations delay applying security updates to production network equipment due to concerns about downtime or compatibility.
Once an attacker gains initial access to a vulnerable Fortinet device, they can extract configuration files, credentials stored in memory, session tokens, and VPN user data. In some documented attack chains, threat actors have used read-only access vulnerabilities to pull credentials without needing full administrative control — making detection significantly harder. Devices exposed directly to the internet, particularly those acting as VPN gateways, represent the highest-risk targets in this campaign.
Key Attack Vectors in This Campaign
- Exploitation of known FortiOS vulnerabilities: Several CVEs affecting Fortinet products have been publicly disclosed, and unpatched devices remain trivially exploitable by even modestly skilled attackers using publicly available proof-of-concept code.
- Misconfigured management interfaces: Devices with management portals exposed to the public internet without adequate access controls are a primary point of compromise.
- Credential stuffing and reuse: Previously leaked credentials from other breaches are being tested against Fortinet device login portals at scale.
- SSL-VPN exploitation: Fortinet SSL-VPN endpoints have historically been high-value targets, and this campaign is no exception, with attackers focusing heavily on harvesting VPN user credentials.
Why This Matters for Your Organization
The existence of a compiled, actively maintained database of working Fortinet credentials in the hands of threat actors is an extraordinarily dangerous situation. Once credentials are verified as functional, they can be deployed at any time — either by the original attackers or by secondary buyers on criminal marketplaces. An organization might have no idea its Fortinet device credentials were stolen months ago until the moment an attacker decides to act on them.
For regulated industries such as healthcare and finance, the downstream consequences extend well beyond operational disruption. A successful intrusion enabled by harvested Fortinet credentials could result in reportable data breaches, regulatory penalties, reputational damage, and — in worst-case scenarios — extended system outages affecting customers and critical services.
Immediate Steps Organizations Should Take
Given the active and ongoing nature of this campaign, organizations using Fortinet products must act without delay. The following defensive measures are strongly recommended by cybersecurity professionals and align with guidance from major security agencies.
Patch and Update Immediately
Ensure all Fortinet devices are running the latest available firmware and software versions. Fortinet regularly releases security patches addressing known vulnerabilities, and failing to apply them is the single most avoidable risk factor in campaigns like this one. Establish a routine patch management process specifically for network security appliances, which are often overlooked in standard patch cycles.
Audit and Rotate All Credentials
Assume that any Fortinet device credentials that have been in use for an extended period may already be compromised. Perform a full audit of all accounts with access to Fortinet management interfaces and VPN portals, and immediately rotate passwords across the board. Where possible, enforce multi-factor authentication (MFA) on all administrative and user-facing logins.
Restrict Management Interface Exposure
No Fortinet management interface should be accessible from the public internet without strict controls in place. Apply IP allowlisting, network segmentation, and jump-host architectures to ensure that only authorized personnel from approved locations can reach administrative portals. This single configuration change can eliminate a significant portion of the attack surface.
Review Logs for Indicators of Compromise
Examine authentication logs, VPN access records, and configuration change histories for any anomalies. Look for logins from unusual geographic locations, off-hours access attempts, unexpected configuration exports, or accounts that have not been used recently suddenly becoming active. Engage a threat intelligence partner if internal resources are insufficient for a thorough review.
Enable Threat Intelligence Feeds
Integrate threat intelligence feeds that specifically track indicators of compromise (IOCs) associated with Fortinet-targeting campaigns. Many security vendors and open-source communities are actively publishing IOCs tied to this ongoing operation, including malicious IP addresses, file hashes, and known attack signatures.
The Broader Lesson: Network Perimeter Devices Are High-Value Targets
This campaign is a stark reminder that network perimeter devices — firewalls, VPN gateways, and load balancers — are among the highest-value targets in any organization's infrastructure. Because they sit at the boundary between internal networks and the internet, a successful compromise of these devices grants attackers a privileged vantage point from which to observe, intercept, and manipulate enormous volumes of traffic and data.
The cybersecurity industry has long warned that perimeter devices deserve the same rigorous patch management, access control, and monitoring discipline applied to servers and endpoints. This Fortinet credential-harvesting campaign, affecting tens of thousands of devices across nearly every country on Earth, is perhaps the clearest illustration yet of what happens when those warnings go unheeded at scale.
Organizations of all sizes should treat this incident as a forcing function — an urgent mandate to audit their Fortinet deployments, apply outstanding patches, rotate credentials, and shore up access controls before their device ends up on the wrong list.