
Fortinet alert puts edge security on board agenda

Fortinet targeting shows perimeter security still carries board-level risk today.

Summary
  • The UK NCSC has urged organisations using Fortinet services to investigate possible exposure after global targeting of firewalls and VPN gateways.
  • The campaign involves a database of credentials leaked after brute force, dictionary, and credential stuffing attempts against internet facing FortiGate and VPN portals.
  • The incident highlights the business risk created by exposed edge devices, reused credentials, remote access, and incomplete asset visibility.

The UK National Cyber Security Centre has urged organisations using Fortinet services to take action after a global campaign targeted firewalls and VPN gateways, with some indications of potential UK impact.

The NCSC said a database of credentials had been leaked by a threat actor following brute force, dictionary, and credential stuffing attempts against internet facing FortiGate and VPN portals. It advised organisations using affected products to investigate whether they have been impacted and to follow mitigation guidance quickly.

The alert is focused on a class of infrastructure that often receives less board attention than ransomware negotiations or cloud breaches, but sits at the edge of business operations. Firewalls and VPN gateways control access between external networks, remote workers, suppliers, and internal systems. If attackers compromise that layer, they may gain a route into systems that were never intended to face the internet directly.

Fortinet has published its own analysis of the reported credential compromise, saying it is aware of claims that malicious actors have targeted Fortinet devices in a campaign referred to as FortiBleed. The company has said the activity relates to credential harvesting and data from previous incidents rather than a newly disclosed vulnerability.

Credential risk is infrastructure risk

The NCSC’s advice is deliberately operational. UK organisations using Fortinet edge devices with SSL VPN enabled should investigate potentially malicious activity, monitor for unusual behaviour, and check whether domains may have been affected using asset checking services. Where evidence of compromise exists, the NCSC recommends isolating the device from both the internet and the internal network.

The guidance also warns that changing credentials alone may not be enough if attackers have gained persistence. In those circumstances, organisations may need to factory reset devices, preserve useful logs and configuration artefacts first, investigate other edge devices that share credentials, and look for onward compromise inside the network.

That turns a password incident into a broader resilience problem. VPN and firewall credentials are not ordinary application logins. They can provide a foothold for lateral movement, privilege escalation, data theft, and ransomware deployment. Reused administrator passwords, internet exposed management interfaces, unsupported systems, and weak multi-factor authentication can all turn perimeter equipment into a business-wide failure point.

The Fortinet campaign also underlines the limits of relying on patch management alone. Keeping software up to date remains essential, but credential stuffing and brute force activity exploit identity and configuration weaknesses as much as software flaws. Security teams need accurate asset inventories, log visibility, strong authentication, password rotation, and tested incident response processes for edge infrastructure.
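As an added illustration (not part of the NCSC or Fortinet guidance), the Python sketch below applies the distinction drawn above to constructed FortiGate-style SSL VPN log lines: it separates a brute-force burst against one account from credential stuffing spread across many accounts, and flags any source whose login succeeded after a run of failures, which is the case that calls for the isolate-and-investigate steps rather than a simple password change. The field names (`action="ssl-login-fail"`, `tunnel-up`, `remip`, `user`) approximate the FortiGate event format and are assumptions here.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style SSL VPN event lines (key=value). Field names
# approximate the real log layout; every value is made up for this example.
def _event(ts, action, ip, user):
    return (f'date=2025-01-10 time={ts} type="event" subtype="vpn" '
            f'action="{action}" remip={ip} user="{user}"')

SAMPLE_LOGS = (
    # one source, one account, repeated failures then a success: brute force
    [_event(f"08:00:0{i}", "ssl-login-fail", "203.0.113.5", "admin") for i in range(6)]
    + [_event("08:00:09", "tunnel-up", "203.0.113.5", "admin")]
    # one source cycling through many accounts: credential stuffing
    + [_event(f"08:01:0{i}", "ssl-login-fail", "198.51.100.7", f"user{i}") for i in range(5)]
    # a user mistyping a password twice: stays below threshold
    + [_event("08:02:00", "ssl-login-fail", "192.0.2.9", "jsmith")] * 2
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse_event(line):
    """Split a key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify_sources(lines, fail_threshold=5, user_threshold=4):
    """Return {remip: (pattern, login_succeeded_after_failures)}.
    pattern is "brute_force" (failures concentrated on few accounts) or
    "credential_stuffing" (failures spread over many accounts)."""
    stats = defaultdict(lambda: {"fails": 0, "users": set(), "success": False})
    for line in lines:  # assumed to be in time order
        ev = parse_event(line)
        if ev.get("subtype") != "vpn" or "remip" not in ev:
            continue
        src = stats[ev["remip"]]
        if ev.get("action") == "ssl-login-fail":
            src["fails"] += 1
            src["users"].add(ev.get("user", ""))
        elif ev.get("action") == "tunnel-up" and src["fails"] >= fail_threshold:
            src["success"] = True  # login after a failure burst: investigate, do not just reset
    findings = {}
    for ip, src in stats.items():
        if src["fails"] < fail_threshold:
            continue
        pattern = "credential_stuffing" if len(src["users"]) >= user_threshold else "brute_force"
        findings[ip] = (pattern, src["success"])
    return findings

if __name__ == "__main__":
    for ip, (pattern, success) in classify_sources(SAMPLE_LOGS).items():
        print(ip, pattern, "LOGIN SUCCEEDED AFTER FAILURES" if success else "")
```

The thresholds are deliberately low for the sample data; in production they would be tuned against the baseline of legitimate failed logins seen on the appliance.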

Edge devices remain attractive targets

Attackers continue to target VPNs, firewalls, remote management systems, and other edge devices because they are exposed, privileged, and often difficult to monitor well. Many organisations have improved endpoint security and cloud controls while leaving network appliances managed through separate processes, outsourced arrangements, or legacy administration habits.

The operational burden is also high. A large organisation may have appliances across offices, datacentres, branch networks, operational technology environments, and acquired businesses. Some devices may be known to central security teams; others may sit in local networks or supplier managed environments. When a campaign hits at global scale, asset visibility becomes the first control.

The NCSC’s inclusion of public sector, large organisation, SME, and cyber professional audiences reflects the breadth of exposure. Fortinet products are used across different sectors and organisation sizes. Even where a company is not directly listed in leaked material, shared credentials, inherited configurations, or unmanaged internet facing services can create risk.

The alert should not be treated as a Fortinet-only issue. Remote access infrastructure is now part of core operational resilience. Organisations need to know which edge devices they run, who manages them, whether management interfaces are exposed, whether multi-factor authentication is enforced, and how quickly they can isolate and rebuild compromised systems. Perimeter security has not disappeared in the cloud era. It has become one of the places where identity, infrastructure, and incident response meet.