Overview
- Security researcher Volodymyr “Bob” Diachenko discovered an exposed server that held tens of thousands of Fortinet admin and SSL VPN credentials, a dataset first publicized on June 19.
- Multiple independent firms have verified the data and put the working set at roughly 74,000 to more than 86,000 internet-facing FortiGate devices across many countries and sectors.
- Analysts say the attackers mass-scanned Fortinet endpoints, used automated credential-spraying and brute-force tools to intercept SSL VPN hashes, then cracked and verified passwords with GPU clusters.
- CISA has issued an emergency alert telling organizations to terminate SSL VPN and admin sessions, reset all affected passwords, enable phishing-resistant MFA, upgrade FortiOS to PBKDF2 hashing, and lock management interfaces to trusted IPs.
- Fortinet disputes that the leak reflects a new product flaw and says the data may include reshared or brute-forced credentials, but researchers warn many exposed devices remain online and at high risk of network compromise.
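
One way to check the "lock management interfaces to trusted IPs" step against a FortiOS configuration backup, as an added example that is not from CISA, Fortinet, or the researchers named above. It reads the `trusthostN` entries under `config system admin`. The sample configuration is constructed, and the function name and the `min_prefix` threshold are assumptions. IPv6 trusted hosts are not covered.

```python
import ipaddress
import re

# Constructed sample of a FortiOS config backup (not taken from any real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        config gui-dashboard
            edit 1
            next
        end
    next
    edit "netops"
        set trusthost1 10.0.0.0 255.0.0.0
    next
    edit "backup-svc"
        set trusthost1 192.0.2.10 255.255.255.255
        set trusthost2 0.0.0.0 0.0.0.0
    next
end
"""

def audit_admin_trusthosts(config_text, min_prefix=16):
    """Map admin name -> finding; min_prefix is an assumed local policy threshold."""
    findings, depth, name, nets = {}, 0, None, []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "config system admin" and depth == 0:
            depth = 1
        elif depth and line.startswith("config "):
            depth += 1                      # nested table inside an admin entry
        elif depth and line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            name, nets = line[5:].strip('"'), []
        elif depth == 1 and re.fullmatch(r"set trusthost\d+ \S+ \S+", line):
            _, _, ip, mask = line.split()
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if net.prefixlen > 0:           # 0.0.0.0/0 equals the unset default
                nets.append(net)
        elif depth == 1 and line == "next" and name is not None:
            if not nets:
                findings[name] = "no trusted host restriction"
            elif min(n.prefixlen for n in nets) < min_prefix:
                findings[name] = "trusted host range broader than /%d" % min_prefix
            name = None
    return findings

if __name__ == "__main__":
    print(audit_admin_trusthosts(SAMPLE_CONFIG))
```

This only covers administrator logins; SSL VPN user accounts and session termination need to be handled separately.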