A massive credential-compromise campaign dubbed “Fortibleed” has been found to expose tens of thousands of Fortinet devices worldwide, with researchers warning of persistent attacker access to affected enterprise environments.

The campaign was first flagged by security researcher Volodymyr Diachenko, who posted on LinkedIn about finding an attacker-controlled list of potentially working FortiGate passwords collected “through various means.”

Further details came from SOCRadar after its team independently discovered an operational server belonging to an unnamed threat actor. The server contained a list of stolen FortiGate passwords, tools, automation infrastructure, a victim list, and information pointing toward who could be behind the attack.

“Attribution is ongoing, but the operational fingerprints are clear,” SOCRadar researchers said in a blog post, adding that the tooling and targeting choices are consistent with Russian-speaking threat actors.

According to independent analyses by SOCRadar, Hudson Rock, and security researcher Kevin Beaumont, the threat actors systematically collected configuration files from internet-facing Fortinet FortiGate firewalls and used them to recover working administrator credentials. The initial access vector is presently unknown.

watchTowr CEO Benjamin Harris said the campaign is consistent with what he has been seeing lately. “The uncomfortable reality is that modern exploitation isn’t always about immediate impact,” he said. “It’s about harvesting data that retains value long after the underlying vulnerability has been patched.”

These credentials were likely accumulated over time by exploiting many vulnerabilities affecting sensitive, externally facing Fortinet applications, he added.

Fortinet did not immediately respond to requests for comment.

Cracked Passwords, Global Reach

While SOCRadar initially reported that the dataset contained working login credentials for over 30,791 devices, further analysis by Beaumont and Hudson Rock placed the number of affected devices at 75,000 — approximately 50% of the total internet-facing Fortinet firewalls found on Shodan.

Researchers found affected devices across 194 countries, spanning more than 21,000 domains.

The dataset reportedly contains a mix of administrative and SSL VPN credentials recovered from compromised configuration files. Researchers said the operation is highly automated, allowing threat actors to collect, process, and crack credential material at a very large scale.

SOCRadar found the top affected countries to be India, the US, and Mexico, with just under 12,000 compromised credentials between them. A credential-type breakdown revealed organization-specific credentials to be most targeted, indicating a focus on enterprise environments.

Beaumont said the threat actors “can log in remotely and gain remote access to the firewall — and so the network.” They can also change settings, including security controls, and create backdoor users, he added.

Old Hashes, New Problems

Additional investigation into the campaign highlighted why some Fortinet deployments proved easier to crack than others.

Researchers noted that many affected systems stored administrator credentials using older hashing approaches that were significantly less resistant to offline password-cracking attacks than more recent implementations.

“Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism,” Arctic Wolf researchers explained in a blog post. “However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade.”

This means many organizations may continue to store admin credentials under the older salted-SHA-256 mechanism without realizing it, researchers noted.

Defenders Told to Assume Credential Exposure

Researchers urged organizations to assume that credentials contained in exposed FortiGate configuration files have been compromised and to immediately rotate affected administrative and VPN passwords.

Additional recommendations include enforcing multi-factor authentication (MFA), restricting internet access to management interfaces, and reviewing devices for signs of unauthorized access.

Upgrading to supported FortiOS versions and replacing weaker or reused passwords was also advised. “After upgrading FortiOS, require all administrators to log in to the firewall at least once: this will automatically set the encryption to PBKDF2,” the researchers said. Admin passwords can also be manually updated using a super_admin account.
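The upgrade behaviour described above (legacy hashes persist until a successful post-upgrade login, after which the entry is re-stored under PBKDF2), modelled in a small constructed credential store with an audit helper that lists accounts still on the legacy scheme. This is an added illustration, not FortiOS's own code; the scheme labels, the iteration count and the function names are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: iteration count chosen for this example, not a FortiOS value.
PBKDF2_ITERATIONS = 100_000


def legacy_hash(password: str, salt: bytes) -> bytes:
    # One salted SHA-256 round: cheap to compute, hence cheap to brute-force offline.
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    # Iterated PBKDF2-HMAC-SHA256: each guess costs the attacker PBKDF2_ITERATIONS rounds.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_legacy_entry(password: str) -> dict:
    # Constructed pre-upgrade entry, as it would still sit in the store after the upgrade.
    salt = os.urandom(16)
    return {"scheme": "sha256", "salt": salt, "hash": legacy_hash(password, salt)}


def verify_and_migrate(store: dict, user: str, password: str) -> bool:
    """Check a login; on success, a legacy entry is re-stored under PBKDF2.

    This is the 'require every administrator to log in once after upgrading'
    step: a failed login, or an account that never logs in, migrates nothing.
    """
    entry = store[user]
    if entry["scheme"] == "sha256":
        ok = hmac.compare_digest(entry["hash"], legacy_hash(password, entry["salt"]))
        if ok:
            salt = os.urandom(16)
            store[user] = {"scheme": "pbkdf2", "salt": salt,
                           "hash": pbkdf2_hash(password, salt)}
        return ok
    return hmac.compare_digest(entry["hash"], pbkdf2_hash(password, entry["salt"]))


def accounts_still_on_legacy_hash(store: dict) -> list:
    """Audit helper: accounts whose hash stays SHA-256 until they log in or are reset."""
    return sorted(user for user, entry in store.items() if entry["scheme"] == "sha256")


def demo() -> list:
    # Constructed sample store: two admins carried over from a pre-upgrade config.
    store = {"admin": make_legacy_entry("correct horse"),
             "backup-admin": make_legacy_entry("battery staple")}
    verify_and_migrate(store, "admin", "wrong password")   # failure: no migration
    verify_and_migrate(store, "admin", "correct horse")    # success: admin moves to PBKDF2
    return accounts_still_on_legacy_hash(store)            # returns ['backup-admin']
```

The dormant account is the one an audit should flag: it keeps its cheap-to-crack hash until someone logs in with it or resets it from a super_admin account.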

This article originally appeared on CSO.