Global Fortinet breach exposes admin credentials for 74,000 firewalls

A sweeping compromise of Fortinet firewall devices has exposed plaintext administrative credentials for nearly 74,000 systems spanning 194 countries, researchers revealed this week. The breach, attributed to Russian-speaking threat actors, granted near-unrestricted access to some of the world’s largest organizations, including Oracle, Chevron, Lenovo, FedEx, a NATO defense contractor, and even Fortinet itself. Security researcher Bob Diachenko, who uncovered the exposure, noted that the leaked data included plaintext credentials alongside organizational details such as industry classification, revenue, and employee counts.

A breach of unprecedented scale

The scope of this incident is staggering. According to Diachenko’s findings, the attackers gained access to the credentials by infiltrating their command-and-control infrastructure. Independent researcher Kevin Beaumont later confirmed that as of Wednesday morning, "almost all" of the compromised devices remained exposed online. Beaumont independently verified the authenticity of the credentials with multiple organizations listed in the attackers’ logs, confirming they were both real and current. Shockingly, the number of affected devices represents roughly half of all internet-facing Fortinet firewalls, based on Shodan’s global polling data.

Once threat actors breached these firewalls, they frequently exploited the access to penetrate deeper into corporate networks. In numerous cases, the compromised devices became a gateway to centralized authentication systems, including Radius servers and Microsoft Active Directory environments. This lateral movement allowed attackers to escalate privileges and potentially move undetected through sensitive internal systems.

Operational security failures amplify the crisis

The breach underscores severe operational security lapses within Fortinet’s ecosystem and the organizations relying on its devices. Beaumont’s analysis revealed that many compromised firewalls were left exposed to the public internet, a configuration that directly facilitated the credential cracking process. The attackers’ ability to extract and weaponize plaintext passwords—rather than relying on encrypted credentials—points to either inherent weaknesses in Fortinet’s storage mechanisms or misconfigurations by end users.

Fortinet has not yet issued a public statement addressing the breach’s methodology or the specific vulnerabilities exploited. However, the company’s track record with previous high-profile incidents, including the 2022 FortiOS SSL-VPN zero-day flaw, raises questions about its preparedness for such large-scale attacks. Organizations using Fortinet devices are now racing to audit their infrastructure, rotate credentials, and implement stricter network segmentation to mitigate potential fallout.

What comes next for affected organizations

The long-term implications of this breach remain unclear, but security experts warn that the damage could extend far beyond the initial credential exposure. Threat actors may have already established persistent footholds within compromised networks, leveraging the firewalls as a springboard for further attacks. The inclusion of sensitive details like revenue and employee counts in the leaked data suggests the attackers may be compiling dossiers for targeted espionage or extortion campaigns.

For now, affected organizations face a daunting task: identifying every compromised device, revoking exposed credentials, and conducting forensic analyses to determine if deeper compromise has occurred. Regulatory scrutiny is likely to intensify, particularly for entities operating in highly regulated sectors such as energy, defense, and finance. As the dust settles, this incident may serve as a cautionary tale about the dangers of over-reliance on perimeter defenses and the critical importance of credential management in modern cybersecurity strategies.