top of page
Search

FortiGate Devices in the Crosshairs: What Organizations Need to Know and Do Now

  • 4 hours ago
  • 3 min read

FortiGate Devices Under Increased Attack: What Organizations Need to Know


Over the past several months, Fortinet customers have faced a series of security incidents involving FortiGate firewalls. Recent campaigns have demonstrated how quickly threat actors can move from initial access to full administrative control of a device, often creating unauthorized accounts, modifying firewall configurations, and establishing persistent access before organizations realize they have been compromised.


These attacks are particularly concerning because firewalls sit at the edge of the network and often have visibility into critical business systems, VPN connections, and administrative services. When a firewall is compromised, attackers gain a powerful foothold that can enable broader network access and further compromise of internal systems.



What Has Been Happening?


Security researchers and incident response teams have observed multiple attack campaigns targeting FortiGate devices. In several cases, attackers successfully authenticated to devices, created new administrator accounts, altered VPN configurations, and exported firewall configurations containing sensitive network information.


More recently, a large-scale exposure of Fortinet-related credentials, commonly referred to as "FortiBleed," highlighted the risks associated with internet-exposed management interfaces and credentials that have been previously compromised or reused across systems.


Reports indicate that credentials associated with tens of thousands of devices were exposed, creating opportunities for credential-stuffing and unauthorized access attempts against organizations worldwide.



Why This Matters

A successful compromise of a firewall is rarely an isolated event.


Once administrative access is obtained, threat actors may:

  • Create hidden administrator accounts for persistence.

  • Modify security policies and firewall rules.

  • Alter VPN configurations to maintain remote access.

  • Export device configurations containing network intelligence.

  • Disable logging or security controls.

  • Use the firewall as a stepping stone to access internal systems.


Even organizations that have applied previous updates should review Fortinet's latest advisories and ensure their devices are running supported and fully patched versions. Recent incidents have shown that attackers continue to target vulnerable and misconfigured devices aggressively.



How Cybersift Is Monitoring the Threat


The Cybersift SOC continuously hunts for indicators associated with FortiGate compromise and unauthorized administrative activity.


As part of our monitoring and threat hunting processes, we actively investigate:

  • Successful administrator logins from unusual locations or sources.

  • Newly created administrative accounts.

  • Privilege escalation events.

  • Firewall configuration changes.

  • Suspicious authentication activity.

  • Anomalous access patterns involving management interfaces.


These activities are correlated with threat intelligence and behavioral analytics to identify potential compromise as early as possible and reduce attacker dwell time.



Cybersift Recommendations


Organizations using FortiGate appliances should take the following actions immediately:


1. Update FortiGate Devices

Ensure all FortiGate appliances are running the latest supported firmware and security updates. Review Fortinet advisories regularly and prioritize patches for internet-facing systems.

2. Rotate Administrative Credentials

Reset all administrative passwords, especially if devices have been internet-accessible or if there is any possibility credentials have been exposed. Avoid password reuse across systems.

3. Enforce Multi-Factor Authentication (MFA)

Require MFA for all administrative access, VPN access, and remote management services. MFA remains one of the most effective controls against credential-based attacks.

4. Remove Management Interfaces from Public Exposure

Administrative interfaces should never be directly exposed to the internet unless absolutely necessary. Restrict access to dedicated management networks, VPN connections, or trusted source IP addresses.

5. Audit Administrator Accounts

Review all local and SSO-based administrator accounts. Remove any accounts that are no longer required and investigate any accounts that were not intentionally created.

6. Review Recent Configuration Changes

Validate firewall rules, VPN settings, administrative permissions, and remote access configurations for unauthorized modifications.

7. Apply the Principle of Least Privilege

Limit the number of administrative accounts and ensure users only have the permissions required for their role.



Final Thoughts

The recent wave of Fortinet-related incidents serves as a reminder that perimeter security devices remain a high-value target for attackers. While vulnerabilities receive significant attention, many successful compromises still result from exposed management services, weak authentication controls, unpatched systems, and compromised credentials.


Organizations should treat their firewalls as critical assets, maintain a proactive patching and access-control strategy, and ensure that administrative activity is continuously monitored to detect signs of compromise before they escalate.

Cybersift continues to monitor this threat landscape closely, helping organizations identify suspicious activity, investigate potential indicators of compromise, and strengthen defensive controls before attackers can gain a foothold.


-Written by Stanislav Stoychev



bottom of page