A large-scale credential-theft campaign has compromised approximately 75,000 Fortinet firewall devices, exfiltrating stored passwords. The attack exploits exposed management interfaces or known vulnerabilities to harvest credentials at scale. This poses a significant risk to organisations using FortiGate appliances, particularly those with internet-facing management planes.

Security Architect’s Take: Immediately rotate all credentials associated with affected Fortinet devices, including VPN accounts, local admin accounts, and any downstream systems that share those credentials. Audit your FortiGate estate for internet-exposed management interfaces and restrict access to trusted IP ranges via firewall policy or a jump host.

Original advisory: Massive password-stealing attack hits 75k Fortinet firewalls