FortiGate Credential Leak: SMB Firewall Next Steps

If you run a FortiGate firewall at your small business, this is not a drill.

According to Security News (June 17, 2026), attackers have already compiled working credentials from more than 30,000 compromised Fortinet devices spanning nearly 200 countries in what researchers are calling the FortiBleed credential-harvesting campaign. This isn't a theoretical vulnerability sitting in a CVE database — it's an active, compiled list of stolen usernames and passwords that attackers are using right now.

If your FortiGate is on that list, someone may already have the keys to your network.

What Actually Happened (The Short Version)

The FortiBleed incident stems from a path traversal vulnerability (CVE-2022-40684 being one of the most cited, though attackers have chained multiple Fortinet CVEs over the past few years) that allowed unauthenticated attackers to read system files — including the sslvpn_websession file, which stores session tokens and, in many cases, plaintext credentials.

The result: a mass credential harvesting event where threat actors quietly scraped VPN credentials from tens of thousands of devices before most organizations even knew a patch existed. The credentials were then compiled into a searchable database that has since circulated in underground forums.

The critical detail for SMBs: Many of the affected devices were running outdated firmware. But some were not. The window between patch release and patch application is exactly where attackers operate.

Step 1: Check Your Exposure Right Now

Before you do anything else, determine whether your device is or was vulnerable.

  1. Identify your firmware version. Log into your FortiGate admin console and check your current FortiOS version. Fortinet's advisories list specific affected versions. Any device that ran a vulnerable version during the exposure window is potentially compromised, even if you've since patched.

  2. Check Fortinet's PSIRT advisories. Go to Fortinet's Product Security Incident Response Team (PSIRT) page and search for CVEs affecting your specific model and firmware version.

  3. Search breach databases. Security researchers have published tools and lookup services where you can check whether your device's IP appeared in the leaked credential lists. Search for "FortiBleed IP checker" — several reputable researchers have published lookup tools.

  4. Review your VPN logs. Look for authentication events from unusual IP addresses, especially successful logins at odd hours or from geographies where you have no employees or partners.
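One way to do the log review in step 4 in a repeatable way, as an added example that is not part of the original post: the script below parses constructed sample lines in FortiGate's key=value syslog style (the field names action, remip and user and the sample addresses are assumptions) and flags successful SSL-VPN logins that fall outside business hours or come from addresses outside the ranges where you expect staff and partners.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real device output); field names follow
# the key=value style FortiGate uses, but they are an assumption here.
SAMPLE_LOG = """\
date=2026-06-15 time=09:12:41 type="event" subtype="vpn" action="ssl-login" remip=203.0.113.24 user="alice" reason="login successfully"
date=2026-06-15 time=03:47:09 type="event" subtype="vpn" action="ssl-login" remip=198.51.100.77 user="alice" reason="login successfully"
date=2026-06-15 time=10:05:55 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.77 user="admin" reason="sslvpn_login_unknown_user"
date=2026-06-16 time=14:30:02 type="event" subtype="vpn" action="ssl-login" remip=192.0.2.9 user="bob" reason="login successfully"
"""

# Ranges where you expect legitimate VPN users to connect from (assumption;
# replace with your office, partner and known remote-worker ranges).
EXPECTED_NETS = [ip_network("203.0.113.0/24"), ip_network("192.0.2.0/24")]
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 in the device's local time

# key=value pairs; values are either "quoted" or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def suspicious_logins(log_text):
    """Return (reason, event) pairs for successful SSL-VPN logins worth a look."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "ssl-login":
            continue  # failed attempts and non-VPN events are out of scope here
        when = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        src = ip_address(ev["remip"])
        reasons = []
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if not any(src in net for net in EXPECTED_NETS):
            reasons.append("source outside expected ranges")
        if reasons:
            flagged.append(("; ".join(reasons), ev))
    return flagged

if __name__ == "__main__":
    for reason, ev in suspicious_logins(SAMPLE_LOG):
        print(f'{ev["date"]} {ev["time"]} user={ev["user"]} remip={ev["remip"]}: {reason}')
```

A real geography check needs a GeoIP database; the allowlist of expected ranges stands in for it here and is often the more useful control for a small business anyway.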

Step 2: Immediate Remediation (Don't Skip Any of These)

Even if you're not sure you were compromised, treat this as if you were. The cost of over-responding is low. The cost of under-responding can be catastrophic — as we've covered in our post on ransomware liability and the legal risk small businesses face.

  • Patch immediately. If you haven't applied the latest FortiOS updates, do it now. Fortinet has released patches for all known exploitation vectors in this campaign.
  • Rotate every VPN credential. Every single one. Assume all credentials that existed on the device during the vulnerable window are burned.
  • Revoke and reissue SSL-VPN certificates if your deployment uses certificate-based auth.
  • Force password resets for all VPN users. Don't ask — require it.
  • Enable MFA on VPN access if you haven't already. This is non-negotiable going forward. We break down the best MFA options for small businesses in our passkeys vs SMS MFA vs authenticator apps comparison.
  • Audit active sessions. Kill all existing VPN sessions and require fresh authentication after the credential rotation.
  • Check for persistence. Attackers who had valid credentials may have created backdoor admin accounts or modified firewall rules. Audit your admin user list and all firewall policies.
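For the persistence check in the last item, here is an added example (not code from the original post or from Fortinet) that compares the admin accounts on a device against the accounts you know you created. It parses a constructed sample in the shape of FortiOS `show system admin` output (the config/edit/set/next/end block layout is assumed, and the account names and profiles are made up) and reports extra accounts, changed privilege profiles, and super_admin accounts with no trusted-host restriction.

```python
import re

# Constructed sample in the shape of "show system admin" output (assumption:
# block structure and setting names; the accounts themselves are invented).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 192.0.2.0 255.255.255.0
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set vdom "root"
    next
    edit "support_tmp"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# Accounts you created, with the profile each should have (assumption).
BASELINE = {"admin": "super_admin", "helpdesk": "prof_admin"}

def parse_admins(config_text):
    """Map each admin account name to its profile and trusted-host status."""
    admins, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            current = m.group(1)
            admins[current] = {"accprofile": None, "trusthost": False}
        elif current and (m := re.match(r'set accprofile "([^"]+)"', line)):
            admins[current]["accprofile"] = m.group(1)
        elif current and line.startswith("set trusthost"):
            admins[current]["trusthost"] = True  # any trusthostN entry counts
        elif line == "next":
            current = None
    return admins

def audit_admins(config_text, baseline):
    """Return human-readable findings; an empty list means nothing unexpected."""
    admins, findings = parse_admins(config_text), []
    for name, info in admins.items():
        if name not in baseline:
            findings.append(f"unexpected account '{name}' with profile {info['accprofile']}")
        elif info["accprofile"] != baseline[name]:
            findings.append(f"'{name}' profile is {info['accprofile']}, expected {baseline[name]}")
        if info["accprofile"] == "super_admin" and not info["trusthost"]:
            findings.append(f"'{name}' is super_admin with no trusted-host restriction")
    for name in sorted(baseline.keys() - admins.keys()):
        findings.append(f"baseline account '{name}' is missing from the device")
    return findings

if __name__ == "__main__":
    for finding in audit_admins(SAMPLE_CONFIG, BASELINE):
        print(finding)
```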

Step 3: The Honest Firewall Decision

Here's where it gets uncomfortable: should this change your next firewall purchase decision?

The honest answer is: maybe, but not for the reasons you might think.

FortiGate is not uniquely bad. SonicWall has faced its own serious vulnerabilities and even a lawsuit over its handling of a breach — we covered that in detail in our SonicWall firewall vendor breach and lawsuit breakdown. Palo Alto, Cisco, and WatchGuard have all had significant CVEs. No enterprise firewall vendor has a clean record.

What the FortiBleed incident actually reveals is a systemic problem that affects every SMB running any perimeter security device:

  • Patch lag kills you. The vulnerability existed. The patch was released. The breach happened in the gap. If your patch management process takes weeks or months, the vendor doesn't matter.
  • Credential hygiene matters more than brand. If your VPN credentials are weak, shared, or never rotated, any breach of any device is catastrophic.
  • You need visibility into what's exposed. Most SMBs running FortiGate devices had no idea their credentials were sitting in a leaked database until researchers published the story.

When switching firewalls makes sense:

  • Your FortiGate is end-of-life and Fortinet has stopped issuing patches for your model
  • Your IT resources can't keep up with Fortinet's patch cadence
  • You're moving to a fully cloud-managed architecture where a different vendor's ecosystem fits better

When switching firewalls is the wrong move:

  • You're reacting emotionally to a headline without a plan
  • You'd be jumping to a vendor with an equally problematic patch history
  • Your real problem is patch management and credential hygiene, which follows you to any platform

What This Means for CMMC Contractors

If you're a government contractor working toward CMMC Level 1 compliance, a credential leak of this nature has direct implications. CMMC Level 1 requires access control (AC.1.001, AC.1.002) and identification and authentication (IA.1.076, IA.1.077) practices. Compromised VPN credentials that provide access to systems processing Federal Contract Information (FCI) are a compliance event, not just a security event. Document your remediation steps and timeline.

The Bigger Lesson

The FortiBleed campaign is a reminder that perimeter security is necessary but not sufficient. Your firewall is one layer. If that layer is breached — through a zero-day, a credential leak, or a misconfiguration — you need to know about it before an attacker does.

That means continuous visibility into what's exposed on your network, not a once-a-year assessment.


Take Action: Know Before Attackers Do

The FortiBleed incident exposed tens of thousands of businesses because they didn't know their credentials were compromised until it was too late. Proactive scanning catches misconfigurations, exposed services, and credential risks before they become breach reports.

Oscar Six Security's Radar gives SMBs and IT admins continuous vulnerability visibility for $99/scan — no enterprise contract, no six-figure retainer. You get a clear picture of what's exposed on your network perimeter so you can fix it before someone else finds it first.

Focus Forward. We've Got Your Six.

Frequently Asked Questions

How do I know if my FortiGate credentials were leaked?

Check your FortiOS firmware version against Fortinet's PSIRT advisories to see if your device ran a vulnerable version during the exposure window. Security researchers have also published IP-based lookup tools where you can search whether your device appeared in the FortiBleed leaked credential database. Regardless of lookup results, rotate all VPN credentials immediately if you ran any affected firmware version.

Should I replace my FortiGate firewall after the FortiBleed leak?

Not necessarily — every major firewall vendor has had serious vulnerabilities, and switching platforms doesn't fix the underlying issues of patch lag and poor credential hygiene that made FortiBleed so damaging. You should replace your FortiGate if your specific model is end-of-life and no longer receiving patches, or if your team can't keep up with the patch cadence. Otherwise, focus on patching, rotating credentials, and enabling MFA.

What is the FortiBleed vulnerability?

FortiBleed refers to a credential-harvesting campaign that exploited path traversal vulnerabilities in Fortinet's FortiOS, allowing attackers to read the sslvpn_websession file and extract VPN credentials without authentication. Security News reported in June 2026 that over 30,000 devices across nearly 200 countries had credentials successfully harvested and compiled into a database circulating in underground forums. Affected organizations should patch immediately and rotate all VPN credentials.

What firewall should a small business use instead of FortiGate?

There is no universally safe alternative — SonicWall, Palo Alto, Cisco, and WatchGuard have all had significant CVEs and security incidents. The better question is which firewall your team can patch consistently and manage securely, since patch lag is the primary reason credential leaks like FortiBleed cause so much damage. If you're evaluating options, prioritize vendors with strong auto-update capabilities and a clear patch communication process.

How much does a vulnerability scan cost for a small business?

Vulnerability scans for small businesses typically range from $99 for automated perimeter scans to several thousand dollars for manual penetration testing engagements. Oscar Six Security's Radar offers SMB-focused vulnerability scanning at $99 per scan, giving you visibility into exposed services and misconfigurations without an enterprise-level contract. For most small businesses, starting with a regular automated scan is the right first step before investing in deeper testing.