Fortinet VPN Credentials Leaked

Fortinet continues to have a bad day with hackers leaking VPN creds and configurations for more than 15k Fortigate Devices.

While this leak has been reported to be from 2022, it still leaked SENSITIVE information allows attackers to gain unauthorized access to networks.

And we are all aware of the newest addition of the FortiOS and FortiProxy Authentication Bypass a couple days ago causing every security practitioner to scream: TAKE YOUR MANAGEMENT INTERFACES OFFLINE, STOP EXPOSING YOURSELF.

This is a huge risk for us and an attractive opportunity for threat actors as they often target these management interfaces to exploit vulnerabilities or brute-force accounts.

After scanning our customer base at Blackpoint Cyber, we didn’t find any compromised devices, however, we were able to identify 100 management interfaces exposed directly to the internet in our base.

Take action now:

Take management interfaces offline: These should never be exposed to the public internet. Use VPNs or other secure access methods. (this is the big one… let’s all say it together now)

Check for unusual logins or activity: Review your logs for signs of compromise.

Reset passwords: Ensure VPN and admin credentials are rotated and implement strong password policies.

Update firmware: Make sure your devices are running the latest patched versions to protect against known vulnerabilities.

Enable MFA: Add an extra layer of security wherever possible.

This is yet again another reminder in the world of vulnerabilities and 0-days that any critical system exposed to the internet is like leaving our front door wide open.

Call to Action: Check your infrastructure, secure your management interfaces, communicate the information with your teams and customers for prevention, and continue to monitor critical systems for potential targeting.

Relevant Links:

BleepingComputer

Kevin Beaumont

I don’t understand why IT people are still exposing a firewall admin interface to the Internet in 2025, especially when it’s a Fortinet firewall.

That clinches it. I’m switching to Huawei.

MFA shouldn’t be considered an extra layer of security and more, it should be the standard. Basic username/password should be regarded the same as Admin/password or Admin/Admin was 20 years ago.

Corporate advertisements by shill accounts on Reddit make me lose trust in a company and guarantee I will never use their services. Well done.

The recent Fortinet issues have raised serious concerns, but the narrative around “restricting admin access to the appliances” as the primary solution makes my blood boil. Blaming the admins isn’t the answer, and frankly, it’s not helpful for the industry. Vendors and the cybersecurity industry need to do better.

Why shouldn’t I be able to trust my security product? If the takeaway is that we can’t have any management interfaces exposed to the internet, that’s a failure on the vendor’s part. Yes, attack surface management is critical, but this message completely misses the mark.

Vendors can and should take proactive steps—and frankly, I believe they are liable if they haven’t. For instance, restricting shell access unless there’s a clear, escalated need can significantly reduce the attack surface for issues that will inevitably arise. Vendors can also automate patch management and security updates, but many still don’t. And hard-coded credentials? Those should never be a thing.

Fortinet, the worlds leading insecurity company

We took on a customer recently that had locally-managed firewalls that had the management interface exposed to the internet (we replaced them).

When we subsequently reviewed the customer domain DNS we found that they had also previously been exposing the server management interfaces to the Internet too. They had been so lazy, they were pointing records in the customers domain to these risks.

I always wonder why the previous ‘MSP’ thought these things would be acceptable, but then I remember that there is no barrier of entry to this industry and not all IT providers consider cyber security or network infrastructure to be core competency areas.

While there will always be a vendor vulnerability or exploit tomorrow, we can all work to reduce attack surfaces today.

If any of those vpn credentials are still valid 3 years later and there is no mfa for them, anyone affected by that part of the leak gets what they deserve.

Public IPs leaking should also not be particularly concerning if people are using their FortiGates properly.

The config knowledge could be used to further exploit a network…with knowledge of the physical location and physical access, and even then there would have to be poor network security to be successful.

Data leaks suck, but inevitable in our current world. People in “cybersecurity” really need to educate themselves more around risk analysis and less around the buzzword bingo and their eagerness to share and comment on cybersecurity news. Even when a vulnerability exists in a manufacturers code, 90% of successful exploits of it are due to misconfiguration of the owner.

it would be nice if there was a place like haveibeenpwnd to check if my setup has been compromised.

Yeah it doesn’t make any sense… I think some people might not realize that they are doing it? Worst case, at least limit it to a controlled IP or something, which I think in these cases with Fortinet also keeps one on the safe side of the line (I could be wrong?)

I think what most of these conversations miss is that this is literally the public VPN interface. If you buy this for the purpose of offering a VPN service for remote users you cannot reasonably then decide to restrict it to specific IP addresses.

We use WatchGuard but have the external admin only accessible from our office IPs for remote management and monitoring as an MSP. But yeah you should never open up anything to the entire internet at large unless it’s a DMZ’d public webserver/on premise Exchange email. Anything else should be internal only and require a VPN/ZTNA/SASE for connection to intranet things

Probably more secure if you don’t expose the admin interface

Nah, blaming admins is part of the answer. If this vulnerability completely relies on the admin interface being exposed, then most of the blame is on them. The only admin interface that can reasonably be exposed on the WAN is a well configured ssh service. If an admin can’t figure that out they need a new line of work.

Yeah sorry this philosophy wouldn’t cut it for any of the IT or cybersec employers I’ve worked for. You own your network…that’s like saying Toyota is responsible for items stolen from your car because you left it unlocked.

We did this with sophos for a long time. Just a single IP in Azure we could spin up if the Sophos portal was down (or just taking a very slow shit…)

I think the problem is that fortinet made the design decision to make local-in rules only configurable on the CLI. So it’s very easy to push a toggle to allow management from the WAN, but much harder, relatively speaking, to IP ACL it, and there is no real visual prompt in the UI to make you think about IP ACLs for management.

The SSL VPN interface is different from the admin interface. If Fortinet doesn’t support allowing one and blocking the other from the full Internet, then it’s even a worse pile of shit I thought it was.

What are you referring to? The topic here is exposing the management interface, which is definitely not the same as exposing the sslvpn login page.