Thursday, June 18, 2026

Global Cybercampaign Breaches 75,000 Corporate Firewalls


The sweeping, ongoing breach relies heavily on recycled passwords and structural oversights rather than sophisticated new software flaws, exposing the vulnerabilities of basic corporate digital hygiene.

A widespread and ongoing cyber-espionage campaign has compromised tens of thousands of corporate firewalls and virtual private networks worldwide, exposing the perimeter defenses of major multinational corporations and government agencies.

The assault, dubbed “FortiBleed” by cybersecurity researchers, has compromised an estimated 75,000 devices. Rather than exploiting a sophisticated, previously unknown software vulnerability, the attackers are relying on a more rudimentary flaw in corporate discipline: the failure of organizations to change default passwords or rotate credentials exposed in prior data breaches.

Using automated scanning tools to sweep the internet for exposed gateways made by Fortinet, an industry leader in network security, the hackers have systematically attempted to log in using expansive registries of previously leaked credentials.

Once inside, the cybercriminals turn the security hardware against its owners.

“Once a device is compromised, they use it as a listening post, monitoring traffic passing through and collecting any additional credentials that flow by,” researchers at the cybersecurity firm SOCRadar noted in an analysis published this week. “Those freshly collected passwords are then fed back into the scanner to compromise even more devices. The system feeds itself.”

A spokesperson for Fortinet, Tiffany Curci, said the company is aware of a “third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways.” The company’s internal analysis indicated that the threat activity involves a “resharing of data from previous incidents, as well as brute-forcing of credentials, and is not related to any recent incident or advisory.”


Independent evaluations of the data, however, underscore a breach of staggering scale. Hudson Rock, a threat intelligence firm that analyzed the dataset, reported finding evidence of more than 73,000 unique compromised Fortinet internet addresses across 194 countries, affecting more than 21,000 distinct corporate domains. Kevin Beaumont, an independent cybersecurity researcher who reviewed the telemetry, confirmed the findings, noting that roughly half of all internet-accessible Fortinet firewalls globally appear to be compromised.

According to Hudson Rock, the list of affected entities spans critical infrastructure, technology providers, and blue-chip consultancies, including Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC.

A spokesperson for Lenovo acknowledged a request for comment but did not offer a statement. The remaining corporations did not immediately respond to inquiries.

While the campaign has achieved a global footprint, the highest concentrations of compromised hardware are located in India, the United States, Taiwan, and Mexico. The primary economic sectors targeted include information technology services, telecommunications, and construction materials. Government institutions have also been identified among the victims.

The campaign was first detected over the weekend by the security researcher Volodymyr Diachenko, who uncovered an exposed operational server belonging to the attackers. Analysts tracking the infrastructure noted that the digital fingerprints and language choices within the configuration files point to a Russian-speaking cybercriminal syndicate.


The FortiBleed campaign represents a tactical shift from prior operations targeting perimeter defense hardware. While state-sponsored actors and sophisticated ransomware groups frequently rely on complex “zero-day” exploits to breach corporate networks, the operators behind this campaign have demonstrated that simple automated persistence can yield comparable results. By leveraging stale credentials, the group has quietly built a sprawling network of access points into some of the world’s largest corporate balance sheets.
