CISA urges device hardening after thousands of Fortinet credentials compromised

https://www.cybersecuritydive.com/news/cisa-device-hardening-thousands-fortinet-credentials-compromised/823397/

Publish Date: 2026-06-22 12:04:00

Source Domain: www.cybersecuritydive.com

The Cybersecurity and Infrastructure Security Agency said hackers are targeting government and private sector organizations following the compromise of tens of thousands of Fortinet firewall and virtual private network credentials. 
In a recent advisory, CISA urged security teams to take immediate steps to harden their Fortinet environments. 
A database containing more than 86,600 confirmed credentials across 194 countries was created through automated scanning, exfiltration of configuration files and offline GPU-based password cracking, according to researchers from SOCRadar.

“The threat is significant because many organizations treat perimeter security appliances as trusted infrastructure,” said Ensar Seker, chief information security officer at SOCRadar. “If attackers obtain valid credentials for firewalls, VPN gateways or administrative interfaces, they can bypass many traditional security controls and gain direct access to internal environments.”
Security researcher Volodymyr “Bob” Diachenko last week posted about an exposed server containing the leaked credentials, and other researchers conducted follow-up activity to confirm the campaign. 

Geopolitical risk

According to researchers, a Russian-speaking threat actor is linked to the campaign and has been targeting organizations linked to NATO. One of the compromised organizations is a Turkish defense contractor that works with NATO, according to Diachenko.
Security researcher Kevin Beaumont and researchers at Hudson Rock were able to further validate the scope of the credential exposure. 
Fortinet, in a blog post Friday, said it has been working with government authorities to investigate the credential leak and has begun notifying affected customers. 
Fortinet and CISA recommend several steps to secure environments from potential compromise:

Terminate all administrative and VPN sessions and reset credentials.
Upgrade to the latest versions of FortiGate appliances.
Implement multifactor authentication across all administrator and VPN user accounts.
Check logs for unexpected administrator access, suspicious accounts or unauthorized configuration changes.
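
One way to carry out the log check in the last step, as an added example that is not from CISA, Fortinet or the article. It assumes event logs exported as key=value lines with the fields `logdesc`, `user`, `srcip`, `cfgpath`, `cfgobj` and `action`; the sample lines and the trusted management network are constructed for illustration.

```python
import ipaddress
import re

# Assumption: the only network administrators are expected to log in from.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines (key=value event log layout); not real log data.
SAMPLE_LOG = '''\
date=2026-06-20 time=02:14:07 type="event" logdesc="Admin login successful" user="admin" srcip=10.20.0.15 status="success"
date=2026-06-20 time=03:41:52 type="event" logdesc="Admin login successful" user="admin" srcip=203.0.113.77 status="success"
date=2026-06-20 time=03:43:10 type="event" logdesc="Object attribute configured" user="admin" cfgpath="system.admin" cfgobj="svc-backup" action="Add"
date=2026-06-20 time=03:44:31 type="event" logdesc="Object attribute configured" user="admin" cfgpath="firewall.policy" cfgobj="12" action="Edit"
date=2026-06-20 time=09:02:00 type="event" logdesc="Object attribute configured" user="netops" cfgpath="firewall.address" cfgobj="web1" action="Edit"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {k: q or b for k, q, b in KV.findall(line)}

def review(log_text, trusted=TRUSTED_ADMIN_NETS):
    """Return (time, finding, user, detail) tuples for the three checks."""
    findings, tainted = [], set()  # tainted: users seen logging in from outside
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        when = f'{ev.get("date")} {ev.get("time")}'
        desc, user = ev.get("logdesc", ""), ev.get("user", "")
        if desc == "Admin login successful":
            try:
                ip = ipaddress.ip_address(ev.get("srcip", ""))
                ok = any(ip in net for net in trusted)
            except ValueError:
                ok = False  # missing or malformed source address: treat as untrusted
            if not ok:
                tainted.add(user)
                findings.append((when, "untrusted-admin-login", user, ev.get("srcip", "?")))
        elif "configured" in desc:
            path = ev.get("cfgpath", "")
            if path == "system.admin" and ev.get("action") == "Add":
                findings.append((when, "admin-account-created", user, ev.get("cfgobj", "")))
            elif user in tainted:
                findings.append((when, "config-change-after-untrusted-login", user, path))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Any finding is a lead to investigate alongside the credential reset, not proof of compromise; a legitimate administrator working from a new address produces the same first finding.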