Reported activity linked to FortiGate devices highlights the importance of checking for unauthorised configuration exports, reviewing privileged accounts and rotating exposed credentials.
Concerns around the so-called "FortiBleed" activity have continued to grow after researchers and incident responders reported signs that some FortiGate devices may have been accessed more recently than initially believed.
While public reporting on the incident has varied, the broader message for organisations is clear: a firewall compromise does not always end when a vulnerability is patched. If an attacker previously gained access, exported a configuration or created a hidden administrative account, the risk may remain long after the original entry point has been closed.
For organisations using FortiGate firewalls, this is a reminder to treat older incidents, leaked credentials and unusual device activity as potential security issues that still deserve investigation.
Why the Situation Has Raised Concern
Some researchers assisting affected organisations have reported evidence of unauthorised activity involving FortiGate devices. This reportedly includes configuration exports, suspicious logins and attempts to gain access to credentials stored within firewall configuration files.
A firewall configuration can contain highly valuable information for an attacker. Depending on how the device is configured, it may reveal VPN settings, user accounts, network ranges, firewall rules, remote-access services and encrypted password data.
Even where passwords are not immediately readable, attackers may attempt to crack weak or reused credentials offline using large-scale computing resources. This creates a more serious risk because credentials obtained from one device may also be reused across VPNs, internal systems, cloud services or third-party platforms.
The key issue is not only whether a device was exposed in the past. It is whether that access may still be useful today.
Why Configuration Exports Matter
A configuration export is not always malicious. Administrators may back up or download firewall settings during routine maintenance, migration work or troubleshooting.
However, an unexpected export should be treated seriously, especially when it is linked to an unfamiliar account, unusual source location or a time when no authorised maintenance was taking place.
A copied configuration can give an attacker a detailed map of the environment. It may help them understand how employees connect remotely, which services are exposed to the internet, how site-to-site VPNs are structured and where internal network access may be possible.
This is why security teams should review firewall logs for unusual configuration-related events and confirm that all exports were expected and authorised.
The Risk Goes Beyond One Firewall
A compromised firewall can become more than just an isolated infrastructure issue.
If attackers obtain VPN credentials or gain control of an administrative account, they may be able to move deeper into the organisation. This could include access to internal applications, shared folders, servers, identity systems or remote desktop services.
Managed service providers, telecommunications companies and organisations responsible for multiple customer networks may face an even higher level of exposure. A single compromised management platform or VPN gateway could potentially create risk across several connected environments.
This is also why organisations should not only look at their own firewall. They should ask whether key suppliers, outsourced IT providers or connectivity partners use similar devices to access their systems.
What Organisations Should Review Immediately
Any organisation using FortiGate devices should review its environment with an assumption that older access paths, dormant accounts or exposed credentials may still exist.
Priority checks should include:
• Reviewing administrator accounts and removing any that are no longer required.
• Ensuring every privileged account has multi-factor authentication enabled.
• Checking firewall and system logs for unexpected configuration exports, unfamiliar logins or abnormal remote-access behaviour.
• Reviewing firewall rules for unauthorised changes, especially newly opened remote-management, SSH or RDP access.
• Rotating VPN credentials, site-to-site VPN secrets, certificates and administrator passwords where exposure is suspected.
• Confirming that devices are running the latest supported firmware version.
• Replacing end-of-life devices that can no longer receive security updates.
• Checking for signs of unauthorised accounts, suspicious API access or unexpected changes to configuration settings.
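The log review called for above (confirming that every configuration export was expected, spotting logins from unfamiliar locations and catching newly created administrator accounts) can be turned into a repeatable triage step. The script below is an added example, not code from the original article or from Fortinet: it parses key=value event log lines and flags the events a responder would want to look at first. The sample lines are constructed, their field names (logdesc, user, ui, action, cfgpath, cfgobj) are assumptions loosely modelled on the FortiOS event log layout rather than the vendor's documented schema, and the "known administrators", trusted management network and maintenance window in the policy are placeholder values to be replaced with the organisation's own.

```python
"""Triage FortiGate-style event logs for unexpected exports, logins and admin accounts."""
import ipaddress
import re
import shlex
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines, loosely modelled on the key=value layout of
# FortiOS event logs. The field names (logdesc, user, ui, action, cfgpath,
# cfgobj) are assumptions for this example, not the vendor's schema.
SAMPLE_LOG = """\
date=2024-05-02 time=03:12:44 type=event subtype=system level=notice logdesc="Configuration backed up" user="svc-backup" ui="https(203.0.113.77)" action="backup" msg="User svc-backup downloaded configuration"
date=2024-05-02 time=09:30:10 type=event subtype=system level=notice logdesc="Configuration backed up" user="netops" ui="https(10.10.5.20)" action="backup" msg="User netops downloaded configuration"
date=2024-05-02 time=03:10:05 type=event subtype=system level=information logdesc="Admin login successful" user="svc-backup" ui="https(203.0.113.77)" action="login" status="success"
date=2024-05-02 time=03:15:30 type=event subtype=system level=information logdesc="Object attribute configured" user="svc-backup" ui="https(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="support-tmp" msg="Add system.admin support-tmp"
date=2024-05-02 time=09:28:00 type=event subtype=system level=information logdesc="Admin login successful" user="netops" ui="https(10.10.5.20)" action="login" status="success"
"""


@dataclass(frozen=True)
class ReviewPolicy:
    """What 'expected' looks like for this environment (constructed placeholder values)."""
    known_admins: frozenset
    trusted_admin_networks: Tuple[ipaddress.IPv4Network, ...]
    maintenance_start: time
    maintenance_end: time


DEFAULT_POLICY = ReviewPolicy(
    known_admins=frozenset({"admin", "netops"}),
    trusted_admin_networks=(ipaddress.ip_network("10.10.0.0/16"),),
    maintenance_start=time(8, 0),
    maintenance_end=time(18, 0),
)


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    user: str
    source_ip: Optional[str]
    action: str
    reasons: Tuple[str, ...]


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict; shlex keeps quoted values intact."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def source_ip(fields: Dict[str, str]) -> Optional[str]:
    """Pull the client address out of a ui field such as https(10.10.5.20)."""
    match = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", fields.get("ui", ""))
    return match.group(1) if match else None


def is_trusted_source(ip: Optional[str], policy: ReviewPolicy) -> bool:
    """True only when the address parses and sits inside a trusted management network."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in policy.trusted_admin_networks)


def review_events(log_text: str, policy: ReviewPolicy = DEFAULT_POLICY) -> List[Finding]:
    """Return the events that deserve analyst attention, oldest first."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        user = f.get("user", "<unknown>")
        ip = source_ip(f)
        action = f.get("action", "").lower()
        reasons = []
        if user not in policy.known_admins:
            reasons.append("activity by unfamiliar administrative account")
        if action in {"backup", "login", "add"} and not is_trusted_source(ip, policy):
            reasons.append("administrative access from untrusted source address")
        in_window = policy.maintenance_start <= ts.time() <= policy.maintenance_end
        if action == "backup" and not in_window:
            reasons.append("configuration export outside the maintenance window")
        if action == "add" and f.get("cfgpath") == "system.admin":
            reasons.append(f"new administrator account created: {f.get('cfgobj', '?')}")
        if reasons:
            findings.append(Finding(ts, user, ip, action, tuple(reasons)))
    return sorted(findings, key=lambda x: x.timestamp)


if __name__ == "__main__":
    for finding in review_events(SAMPLE_LOG):
        print(finding.timestamp, finding.user, finding.source_ip, finding.action)
        for reason in finding.reasons:
            print("   -", reason)
```

Run against the constructed sample, the routine export by a known administrator from the management network during working hours passes, while the early-morning login, configuration download and creation of a new system.admin object by an unfamiliar account from an untrusted address are each reported with their reasons. Every flagged export should then be matched against a change record; an export that nobody can account for is the point at which credential rotation and a wider incident-response investigation should begin.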
Where there is strong evidence that a firewall has been compromised, rebuilding the device from a known-good configuration may be safer than trying to clean it in place.
Why Strong Authentication Still Matters
One recurring lesson from incidents involving VPNs and perimeter devices is that many organisations still rely too heavily on passwords alone.
Even strong passwords can become a problem if they are reused, exposed in an earlier breach or stored inside a configuration file that later falls into the wrong hands.
Multi-factor authentication adds an important extra layer. It does not solve every security problem, but it can significantly reduce the chances that a stolen password alone will provide an attacker with access.
This is especially important for administrative accounts, VPN portals, cloud dashboards and remote-management systems.
On-Demand Computing Has Changed the Threat Landscape
The rise of cloud-based computing has made high-performance processing far more accessible than before.
Tasks that once required specialist hardware, a dedicated server room or large IT budgets can now be rented online within minutes. This has benefits for research, software development and artificial intelligence, but it also gives criminals access to computing power that can be misused for password cracking and other malicious activity.
For defenders, the lesson is simple: passwords should never be the only line of defence. Organisations need layered controls, including MFA, monitoring, device hardening, regular patching and strong incident response procedures.
The Need for Better Threat Intelligence Sharing
Cybersecurity incidents are often investigated by a mix of vendors, researchers, threat intelligence firms, hosting providers and affected organisations.
However, the information needed to protect others is sometimes fragmented across private reports, restricted platforms or separate research blogs. This can make it harder for smaller organisations to quickly understand whether they may be affected.
Public, responsibly shared threat intelligence can help defenders act earlier. Clear guidance from vendors, national cybersecurity agencies, researchers and industry groups is especially valuable when an incident involves widely used technologies such as firewalls and VPN gateways.
The most useful information is not sensational. It is practical: what to check, how to recognise suspicious activity, what credentials should be rotated and when an organisation should escalate to a full incident-response investigation.
Final Thoughts
The reported FortiBleed activity is another reminder that perimeter devices deserve the same level of attention as servers, cloud services and employee endpoints.
A firewall is often the front door to an organisation's network. If its configuration, credentials or administrative access have been exposed, the consequences can extend far beyond one device.
Organisations should focus on the basics that remain highly effective: patch supported devices quickly, remove unused accounts, enable MFA, review logs, rotate credentials after suspected exposure and investigate unexpected configuration changes without delay.