Soft ComputersBook a free IT assessmentBook assessment

FortiBleed: Why Your Firewall Login Could Be Compromised

Cybersecurity5 min readBy the Soft Computers Team

FortiBleed: Why Your Firewall Login Could Be Compromised

If your business uses a Fortinet firewall or a FortiGate VPN to let staff work from home, you need to read this. A leak called FortiBleed has put more than 86,000 working firewall logins out in the open. That is not a typo. These are live administrator credentials pulled from internet-facing Fortinet devices in 194 countries, and Canada is on that list.

The U.S. cyber agency CISA put out a warning about it on June 18. When a government body tells everyone to change passwords right now, it is worth paying attention, even for a small shop in Ontario.

What actually happened

Attackers grabbed configuration files from Fortinet devices that were exposed to the internet. Those files held stored passwords. The older way Fortinet saved those passwords was weak enough that the attackers could crack them and get plain admin logins. The result is a verified list of 30,000 to 75,000 devices with working credentials.

Here is why this matters more than a normal breach. Your firewall is the front door to your whole network. If someone has the admin login to that door, they do not need to break a window. They walk in. From there they can reach your files, your email, and the Windows accounts your team logs into every day.

Why small businesses are the easy target

Big companies have security teams that rotate passwords and watch for this kind of thing. A 12-person accounting firm or a small manufacturer usually does not. The firewall got set up once, years ago, and nobody has touched it since.

That is the problem. A lot of the compromised accounts were default names that were never changed and passwords that were never rotated. The device kept doing its job, so nobody thought about it. Attackers count on exactly that.

Signs you could be exposed

  • You have a Fortinet or FortiGate firewall and you cannot remember the last time its password changed.
  • Staff connect to the office through a FortiGate SSL VPN from home.
  • The firewall admin page can be reached from the public internet.
  • You are not using multi-factor login on the VPN or the admin panel.

If two or more of those sound like you, treat this as urgent.

What to do this week

CISA laid out clear steps, and they apply to a business of any size. You do not need to understand the deep technical side to know these need to happen.

  1. End all active VPN and admin sessions on the device. This kicks out anyone who may already be connected.
  2. Reset every Fortinet VPN and administrator password, especially on anything facing the internet.
  3. Turn on multi-factor login for the VPN and the admin panel, so a stolen password alone is not enough.
  4. Make sure the device stores passwords with the stronger PBKDF2 method, not the old format.
  5. Stop exposing the admin page to the public internet if there is no reason for it to be.

If reading that list made you unsure where to even start, that is normal. Firewall settings are not something most business owners should have to learn on a Saturday.

The bigger lesson here

FortiBleed is not really about Fortinet. It is about the gear that runs quietly in the background and never gets a second look. Firewalls, VPNs, routers, and switches all need updates and password changes, the same as the laptops on people's desks. When that maintenance stops, these devices turn into open doors.

This is the part of IT that managed support is built for. At Soft Computers we keep an inventory of the network gear our clients run, watch for warnings like this one, and apply the fix before it becomes a breach. Our cybersecurity work covers the same ground: checking what is exposed to the internet, locking down admin access, and setting up multi-factor login so one cracked password does not hand over the whole network.

You do not need to live in fear of every headline. You do need someone keeping an eye on the equipment that protects your business, so a leak announced on a Thursday does not become your problem on a Friday.

If you run Fortinet gear and you are not sure it is locked down, reach out. A short check now is a lot cheaper than cleaning up after someone walks through your front door.

Want this level of attention on your IT?

We publish what we practice. Book a free assessment and see where your environment stands: what is solid, what is aging, and what is at risk.