If you're running a FortiGate appliance at your office or for a client, stop what you're doing and read this.
Security researchers have confirmed that attackers have harvested working credentials from more than 30,000 Fortinet devices spanning nearly 200 countries — and the heist is still active. According to Security News, the sweeping credential-harvesting campaign has compromised tens of thousands of FortiGate VPN devices, compiling valid usernames, passwords, and session tokens into databases that are now circulating in threat actor communities.
This isn't a theoretical future risk. The credentials are already out there. The question is whether yours are among them.
What Is FortiBleed, Exactly?
FortiBleed refers to a series of vulnerabilities — most notably CVE-2018-13379 and related flaws — in Fortinet's SSL-VPN that allowed unauthenticated attackers to read system files, including the sslvpn_websession file containing plaintext credentials. Even though patches have existed for years, a massive number of devices were never updated.
The result: attackers ran automated scans, collected credentials from every unpatched device they could find, and compiled a credential database that researchers have now confirmed includes 73,000+ entries. Many of those credentials are still valid today because the underlying accounts were never reset.
This is the firewall equivalent of leaving your master key under the front doormat — and someone already made a copy.
Who Is Actually at Risk?
You're at elevated risk if any of the following are true:
- You run a FortiGate firewall with SSL-VPN enabled
- Your device was running FortiOS 6.0.x through 6.4.x before patching
- You haven't rotated VPN credentials in the last 12–18 months
- You don't have MFA enforced on VPN logins
- You're a government contractor using FortiGate for remote access
Small businesses and MSPs managing multiple client FortiGate devices are particularly exposed because they often use shared admin credentials or delay patching cycles to avoid disruption.
Step 1: Check If Your Device Is on the Leaked List
Hudson Rock, a threat intelligence firm, published a free lookup tool that lets you check whether your IP address appears in the FortiBleed credential dump. Here's how to use it:
- Find your FortiGate's public-facing IP address (check your ISP router, firewall WAN interface, or run curl ifconfig.me from behind the device)
- Visit the Hudson Rock lookup tool and enter your IP
- If your IP returns a hit, treat your VPN credentials as fully compromised — immediately
If you manage multiple clients, run every public IP you're responsible for. Don't assume a clean result means you're safe — the database may not be complete, and other credential dumps exist.
Step 2: Force Credential Rotation — Right Now
Whether or not your IP shows up in the lookup, if you haven't rotated credentials since 2022, do it today. Here's the minimum you need to do:
- Reset all VPN user passwords — every single account with SSL-VPN access
- Reset the admin password on the FortiGate management interface
- Revoke and reissue any API tokens or service account credentials tied to the device
- Check for unknown admin accounts — attackers sometimes create backdoor accounts before you notice the breach
To audit admin accounts on FortiOS, navigate to System > Administrators and verify every account is legitimate. Any account you don't recognize should be deleted immediately and treated as an indicator of compromise.
Step 3: Patch FortiOS — Even If You Think You Already Did
Fortinet has released patches for these vulnerabilities multiple times, but many devices are still running vulnerable firmware versions. Log into your FortiGate and check:
- Go to Dashboard > Status and note your FortiOS version
- Cross-reference against Fortinet's current security advisories
- If you're below FortiOS 7.4.x, you should be planning an upgrade path immediately
Don't just patch and move on. After patching, rotate credentials again — patching closes the door but doesn't change the locks that were already copied.
Step 4: Enable MFA on VPN Access
This should have been in place already, but if it isn't, this incident is your forcing function. FortiGate supports TOTP-based MFA natively through FortiToken, and it also integrates with RADIUS-based MFA solutions. Even if credentials get leaked in a future incident, MFA means they're not immediately usable.
We've written about the tradeoffs between different MFA methods in our passkeys vs SMS MFA vs authenticator apps guide — the short version is that any MFA is better than none, but app-based TOTP is the minimum bar you should be hitting for VPN access.
Step 5: Review VPN Logs for Signs of Unauthorized Access
If your credentials were in the dump, you need to know whether they were actually used. In FortiGate:
- Go to Log & Report > VPN Events
- Filter for successful authentications over the last 6–12 months
- Look for logins from unexpected countries, unusual times, or unfamiliar source IPs
- Cross-reference with your known user base — any login that doesn't match a real employee is a red flag
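The log review in Step 5 can be automated once you export the VPN events. The following is an added example, not code from the original post or from Fortinet: it parses FortiOS-style key=value event lines (constructed sample lines; the field names action, user, remip and srccountry are assumptions, so adjust them to your export) and flags successful logins that come from an unknown user, an unexpected country, off-hours, or a source IP outside your known ranges.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines in FortiOS key=value style. The field names
# (action, user, remip, srccountry) are assumed; check them against your export.
SAMPLE_LOGS = """\
date=2024-03-04 time=09:02:11 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=198.51.100.24 srccountry="United States"
date=2024-03-05 time=03:17:48 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=203.0.113.77 srccountry="Reserved"
date=2024-03-06 time=14:30:02 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.9 srccountry="Reserved"
date=2024-03-07 time=11:45:19 type="event" subtype="vpn" action="tunnel-up" user="svc_backup" remip=198.51.100.40 srccountry="United States"
"""

# Your baseline: real employees, the countries they work from, business hours,
# and the networks you expect remote users to connect from (all constructed here).
KNOWN_USERS = {"jdoe", "asmith"}
EXPECTED_COUNTRIES = {"United States"}
WORK_HOURS = range(7, 20)  # 07:00 to 19:59 local time
KNOWN_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Matches key=value pairs where the value is either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of field name to value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}

def review_events(text):
    """Return (user, remip, reasons) for each successful login that looks wrong."""
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "tunnel-up":   # only successful sessions matter here
            continue
        reasons = []
        if ev.get("user") not in KNOWN_USERS:
            reasons.append("unknown user")
        if ev.get("srccountry") not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country")
        when = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        if when.hour not in WORK_HOURS:
            reasons.append("off-hours login")
        if not any(ipaddress.ip_address(ev["remip"]) in net for net in KNOWN_NETS):
            reasons.append("unfamiliar source IP")
        if reasons:
            findings.append((ev["user"], ev["remip"], reasons))
    return findings

if __name__ == "__main__":
    for user, ip, why in review_events(SAMPLE_LOGS):
        print(f"{user} from {ip}: {', '.join(why)}")
```

Any line this flags maps directly onto the "treat this as an active incident" step that follows; failed logins are skipped on purpose because the question here is whether leaked credentials were actually used.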
If you find suspicious logins, treat this as an active incident. Isolate affected systems, change all internal credentials (not just VPN), and consider engaging an incident response professional. We also covered what happens when an employee account gets breached in our social engineering breach guide — many of the same containment steps apply here.
The Bigger Picture: Your Firewall Is a Target, Not Just a Tool
FortiBleed is a reminder that your perimeter security device is itself an attack surface. Attackers don't just try to get through your firewall — they try to get into it. As we covered in our post on firewall vendor breach lessons from the SonicWall lawsuit, even enterprise-grade vendors have serious vulnerabilities, and small businesses are often the last to patch because they lack the monitoring to know when they're exposed.
Running a FortiGate without continuous external monitoring is like locking your front door and never checking whether someone changed the lock.
Quick Remediation Checklist
- [ ] Run your public IP through the Hudson Rock FortiBleed lookup tool
- [ ] Reset all VPN user passwords immediately
- [ ] Reset FortiGate admin credentials
- [ ] Audit admin accounts for unauthorized entries
- [ ] Verify FortiOS is on a current, patched version
- [ ] Enable MFA for all VPN users
- [ ] Review VPN authentication logs for suspicious activity
- [ ] Document what you found and when you acted (important for CMMC and cyber insurance purposes)
Take Action: Don't Wait for the Next Leak
FortiBleed exposed a hard truth: most small businesses and IT admins don't know their external attack surface is compromised until it's too late. Proactive scanning catches exposed services, vulnerable firmware versions, and credential risks before attackers do — not after.
Oscar Six Security's Radar gives you an external vulnerability scan of your infrastructure for $99. It's built for small businesses and IT admins who need real answers without enterprise-level complexity or pricing. If you manage FortiGate devices for clients, it's one of the fastest ways to identify which environments need immediate attention.
Focus Forward. We've Got Your Six.