A cybersecurity campaign has compromised thousands of Fortinet firewall and VPN devices globally. Security researcher Bob Diachenko discovered a server containing usernames, email addresses, and plaintext passwords for 73,932 firewall URLs.
The discovered database included credential entries affecting organizations such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, State Grid, and Fortinet. Hudson Rock reported that its dataset contained 73,932 unique firewall URLs across 194 countries, impacting 21,632 unique domains, and identified Accenture, Foxconn, Lenovo, Oracle, Siemens, and PwC as also affected. SOCRadar reported that more than 30,000 Fortinet devices were compromised.
Cybersecurity researcher Kevin Beaumont confirmed that the dataset contains credentials for approximately 75,000 Fortinet devices, with most devices remaining online. Beaumont stated that the credential data appeared to have originated from exported Fortinet configurations. Diachenko claimed that threat actors conducted approximately 1.16 billion credential attempts against 320,777 FortiGate targets, and intercepted SSL VPN authentication hashes, which were then cracked using a 45-GPU cluster.
The campaign relies on automated scanning and lists of previously known passwords rather than on exploiting new device vulnerabilities. SOCRadar reported that compromised devices are used to monitor network traffic and harvest additional credentials for further compromise.
Bob Diachenko posted, "Massive Fortinet/FortiGate bruteforce/active exploitation campaign uncovered in action. Thousands of top vendors instances are listed in the files like this. This one alone has 21,634 domain names - from Chevron to Fortinet itself." Kevin Beaumont stated, "I have been able to confirm the authenticity of some of the admin logins and passwords - this looks like a real dump."
Tiffany Curci, a Fortinet spokesperson, said, "Fortinet is aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways." Fortinet also stated that the compromised data results from reshared information from previous incidents and credential brute-forcing, not a new software vulnerability. SOCRadar wrote that once a device is compromised, hackers use it as a listening post, monitoring traffic passing through and collecting additional credentials. Those collected passwords are then fed back into scanners to compromise more devices.
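The detection logic below is an added illustration of the password-replay pattern the reporting describes, not code from the article or from any of the researchers or vendors quoted. It groups failed SSL VPN logins by source address, flags sources that fail across many distinct accounts (list replay rather than a mistyped password), and marks the urgent case where such a source then establishes a tunnel. The key=value log lines, the field names and the action values are constructed assumptions loosely modelled on firewall event logs, not a verified vendor schema.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data): one source replays a password
# list against several accounts and finally gets in; another is a user typo.
SAMPLE_LOG = """\
date=2025-01-10 time=08:00:01 type=event subtype=vpn action="ssl-login-fail" remip=203.0.113.5 user="admin"
date=2025-01-10 time=08:00:02 type=event subtype=vpn action="ssl-login-fail" remip=203.0.113.5 user="jsmith"
date=2025-01-10 time=08:00:03 type=event subtype=vpn action="ssl-login-fail" remip=203.0.113.5 user="vpnuser"
date=2025-01-10 time=08:00:04 type=event subtype=vpn action="ssl-login-fail" remip=203.0.113.5 user="backup"
date=2025-01-10 time=08:00:05 type=event subtype=vpn action="ssl-login-fail" remip=203.0.113.5 user="svc-mon"
date=2025-01-10 time=08:00:06 type=event subtype=vpn action="tunnel-up" remip=203.0.113.5 user="svc-mon"
date=2025-01-10 time=08:01:00 type=event subtype=vpn action="ssl-login-fail" remip=198.51.100.7 user="bob"
date=2025-01-10 time=08:01:30 type=event subtype=vpn action="tunnel-up" remip=198.51.100.7 user="bob"
date=2025-01-10 time=08:02:00 type=event subtype=system action="login" remip=192.0.2.9 user="admin"
"""

# key=value tokenizer (assumed format): quoted values may contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value event line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def find_password_replay(log_text, min_failures=5, min_users=3):
    """Return {source_ip: stats} for sources whose failed VPN logins span
    enough distinct accounts to look like list replay; 'succeeded' is set
    when such a source later brings a tunnel up (alert with top priority)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "succeeded": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn" or "remip" not in ev:
            continue  # only SSL VPN events are scored here
        src = stats[ev["remip"]]
        if ev.get("action") == "ssl-login-fail":
            src["failures"] += 1
            src["users"].add(ev.get("user", ""))
        elif ev.get("action") == "tunnel-up" and src["failures"] >= min_failures:
            src["succeeded"] = True
    return {ip: s for ip, s in stats.items()
            if s["failures"] >= min_failures and len(s["users"]) >= min_users}


if __name__ == "__main__":
    for ip, s in find_password_replay(SAMPLE_LOG).items():
        flag = "SUCCEEDED" if s["succeeded"] else "failed only"
        print(f"{ip}: {s['failures']} failures across {len(s['users'])} accounts, {flag}")
```

The thresholds separate a user retrying one password from a source cycling through a list; on the constructed sample only 203.0.113.5 is reported, with a successful tunnel after five failures across five accounts.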