FortiBleed: The 86,000-Device Wake-Up Call on Default Credentials Your Clients Still Haven't Rotated

An 86,000-device compromise tied to a CISA-named campaign came down to un-rotated factory credentials on FortiGate firewalls, not a clever zero-day. Here's why fundamentals win and a checklist to fix the gap today.

By Tony Brown

Roughly 86,000 internet-facing FortiGate appliances were caught up in a recent wave of compromise. That's not a typo, and it's not a niche problem affecting a handful of unlucky organisations. Tens of thousands of firewalls — the very devices meant to keep attackers out — were sitting exposed and ready to be walked into.

Here's the part that should sting: the attackers didn't need a brilliant new exploit. No mysterious memory-corruption bug discovered in a basement. The campaign, which security researchers nicknamed "FortiBleed" and which CISA has tracked under its own naming, leaned heavily on something far more mundane — default and built-in credentials that nobody had bothered to change.

If you manage IT for a business, or you're an MSP looking after a stack of client networks, this is worth sitting with for a moment. The thing that compromised 86,000 firewalls is the same thing you've been meaning to tidy up for the last eighteen months.

What actually happened

FortiGate firewalls ship with a default administrative account (the admin user, which has no password until someone sets one) and, in some cases, built-in service accounts that exist for legitimate management and maintenance reasons. On a fresh install these accounts are there by design. The expectation is that whoever sets the device up will put a strong password on that account or replace it, restrict where management logins are accepted from, and not leave the admin interface hanging off the public internet.

That expectation, it turns out, is wildly optimistic.

Attackers ran broad scans of the internet looking for FortiGate management interfaces. When they found one, they tried known default credentials and well-documented built-in accounts. A depressing number of times, it worked. Once inside, they had administrative control of the firewall — which means they could read configurations, harvest VPN credentials, alter firewall rules, create their own accounts, and pivot deeper into whatever network sat behind the device.

A compromised firewall is about the worst foothold you can hand an attacker. It sees all the traffic. It often holds the keys to the VPN. And because it's a trusted security appliance, defenders rarely think to check it first.

The uncomfortable truth about how breaches really happen

There's a tendency in security marketing to talk about threats as though every attacker is a state-sponsored genius armed with a zero-day nobody has ever seen. It makes for dramatic reading. It also quietly lets everyone off the hook, because if the threat is impossibly advanced, then surely no reasonable amount of basic hygiene could have stopped it.

The reality is far more boring and far more fixable. The overwhelming majority of intrusions we see — and that the wider industry reports year after year — come down to a small set of preventable failures: stolen or default credentials, unpatched known vulnerabilities, exposed services that shouldn't be on the internet, and missing multi-factor authentication.

FortiBleed is a textbook case. It wasn't sophisticated. It was opportunistic. The attackers cast a wide net and let neglect do the heavy lifting. Every single one of those 86,000 devices could have been protected by tasks that take minutes and cost nothing.

Why this keeps happening

Nobody sets out to leave a firewall with factory credentials on the public internet. It happens for ordinary, human reasons.

A device gets deployed in a hurry to meet a deadline. The engineer means to come back and harden it later. Later never arrives. A business inherits kit from a previous provider and has no documentation of what was configured. A device gets replaced under warranty and the swap-in is brought up quickly to restore service, with the intention of tightening it up — same story.

Then there's the simple problem of visibility. If you don't have an accurate inventory of every edge device across your estate or your clients' estates, you can't audit what you don't know exists. The firewall in the back office of a satellite site, installed three years ago by someone who has since left, is exactly the kind of device that quietly retains its default settings forever.

MSPs are not immune to this. In fact, the more devices you manage, the easier it is for one to slip through. Scale magnifies small process gaps.

The boring fundamentals beat the exotic threats

We say this to clients constantly, and FortiBleed proves it again: the unglamorous basics protect you against more real-world attacks than any single shiny tool. Renaming default accounts, rotating factory credentials, getting management interfaces off the public internet, and keeping firmware current would have neutralised this entire campaign.

This isn't about buying more. It's about doing the dull, repeatable things consistently. The work that doesn't make headlines is precisely the work that keeps you out of them.

A remediation checklist you can act on today

If you manage FortiGate appliances — or honestly, any edge device — here is a concrete list to work through. Most of it applies to firewalls from any vendor, not just Fortinet.

1. Find every device first

  • Build or refresh your inventory of all edge appliances: firewalls, VPN concentrators, routers, NAS boxes, anything with a management interface.
  • Note the model, firmware version, location, and who is responsible for it.
  • Don't trust the inventory you think you have. Verify it with active scanning of your IP ranges.

2. Get management interfaces off the internet

  • Check whether any device exposes its admin or management interface to the public internet. It shouldn't.
  • Restrict management access to a trusted internal network or a dedicated management VLAN. On FortiGate that means removing HTTP, HTTPS, SSH and Telnet from the allowed-access list on any WAN-facing interface, and setting a trusted-host range on every administrator account so the device only accepts management logins from those addresses.
  • Where remote management is genuinely required, put it behind a VPN with MFA, not directly exposed.

3. Rotate and rename credentials

  • Change every default administrative password immediately. Use long, unique, randomly generated passwords stored in a proper password manager.
  • Where the platform allows it, rename or disable default account names rather than just changing their passwords.
  • Audit for built-in or service accounts you didn't create or don't recognise, and remove any that aren't needed.
  • Look specifically for unexpected admin accounts — attackers create their own once inside.

4. Turn on multi-factor authentication

  • Enable MFA for all administrative access. A stolen or guessed password becomes far less useful when a second factor is required.
  • Apply the same standard to VPN access for end users.

5. Patch and update

  • Bring firmware up to current, supported versions across every device.
  • Subscribe to vendor security advisories so you hear about issues early, not from a breach.
  • Retire any appliance that is end-of-life and no longer receiving security updates.

6. Check for signs you're already compromised

  • Review configurations for unauthorised changes: new accounts, altered firewall rules, unfamiliar VPN settings.
  • Examine logs for logins from unexpected locations or at unusual times.
  • If a device used default credentials while exposed, assume it may have been touched and that its configuration has been read. Reset credentials, rebuild from a known-good config where appropriate, and rotate every secret the config held: local user passwords, IPsec pre-shared keys, LDAP or RADIUS bind passwords, SNMP community strings, and any certificate private keys stored on the box.

7. Make it a routine, not a one-off

  • Schedule regular audits of edge devices rather than treating this as a single clean-up.
  • Bake credential rotation and hardening into your standard deployment process so no new device goes live with factory settings.
  • Document everything so the next person doesn't inherit a black box.
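The configuration checks in steps 2, 3, 4 and 6 can be run against a text backup of each FortiGate rather than clicking through every device. The following Python script is an added example written for this article, not Fortinet tooling and not code from the original post. It parses the config system interface and config system admin sections of a backup and reports WAN-role interfaces that still allow HTTP, HTTPS, SSH or Telnet management; administrator accounts with no password line (a factory-blank password), no trusted-host restriction, or two-factor left disabled; and accounts that are not on the list you expected to find. The sample backup and the expected-account list are constructed. That a blank password appears as a missing password line, and that a trusthost of 0.0.0.0 means any source, follow FortiOS defaults but should be verified on your firmware version.

```python
"""Audit a FortiOS text backup for the hardening gaps in the checklist.

Added example for this article, not Fortinet tooling.  Assumptions (verify on
your firmware): a factory-blank admin password shows as an entry with no
'set password' line, and trusthostN of 0.0.0.0 means 'any source'.
"""
import re
from collections import defaultdict

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}
EDIT_RE = re.compile(r'^edit "?(.*?)"?$')


def parse_section(config_text, section):
    """Return {entry_name: {setting: [tokens]}} for one top-level 'config <section>' block.

    Nested sub-tables inside an entry (e.g. 'config ipv6' under an interface)
    are skipped so their own 'end' line does not terminate the parse early.
    """
    entries, current, depth, in_section = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == f"config {section}"
            continue
        if line.startswith("config "):     # nested sub-table: skip it entirely
            depth += 1
        elif line == "end":
            if depth == 0:
                break                      # end of the section we wanted
            depth -= 1
        elif depth:
            continue
        elif EDIT_RE.match(line):
            current = EDIT_RE.match(line).group(1)
            entries[current] = defaultdict(list)
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split()
            entries[current][parts[1]].extend(p.strip('"') for p in parts[2:])
    return entries


def has_trusthost(cfg):
    """True only if some trusthostN is narrower than 0.0.0.0 (FortiOS 'any')."""
    return any(key.startswith("trusthost") and tokens and tokens[0] != "0.0.0.0"
               for key, tokens in cfg.items())


def audit_config(config_text, expected_admins):
    """Return human-readable findings for the backup text, interfaces first."""
    findings = []
    for name, cfg in parse_section(config_text, "system interface").items():
        exposed = MGMT_PROTOCOLS & set(cfg.get("allowaccess", []))
        if cfg.get("role") == ["wan"] and exposed:   # only trusts the role field
            findings.append(f"interface {name}: management ({', '.join(sorted(exposed))}) "
                            "allowed on a WAN-role interface")
    for name, cfg in parse_section(config_text, "system admin").items():
        if name not in expected_admins:
            findings.append(f"admin {name}: not on the expected account list, find out who created it")
        if "password" not in cfg:
            findings.append(f"admin {name}: no password set (factory default)")
        if not has_trusthost(cfg):
            findings.append(f"admin {name}: no trusthost restriction, login accepted from any source")
        if cfg.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor authentication not enabled")
    return findings


# Constructed sample backup for this example, not a real device's configuration.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.0.0
        set two-factor fortitoken
        set password ENC REDACTED
    next
    edit "support"
        set accprofile "super_admin"
        set password ENC REDACTED
    next
end
"""
EXPECTED_ADMINS = {"admin", "netops"}   # assumed: the accounts you provisioned

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, EXPECTED_ADMINS):
        print("FINDING:", finding)
```

On the sample, wan1 is flagged for HTTPS and SSH management, the factory admin account is flagged for having no password, no trusted host and no MFA, and support is flagged as an account nobody expected plus the same two hardening gaps; netops, which has a trusted-host range, two-factor and a password, produces nothing. Run it over every backup in your estate and the empty result is the only acceptable one.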

The takeaway

FortiBleed isn't a story about clever hackers. It's a story about 86,000 chances to do the basics that were quietly missed. The attackers simply showed up and tried the front door, and far too often it opened.

You don't need a bigger budget or a cleverer tool to avoid being the next number in a headline like this. You need an accurate inventory, a habit of rotating credentials, management interfaces kept off the open internet, and the discipline to keep doing it. Boring, yes. Effective, absolutely.

If you're not confident every edge device across your estate has had its defaults rotated and its management locked down, that uncertainty is the problem. We help Nottingham and Midlands businesses audit their firewalls, find the forgotten kit, and close exactly these gaps before someone else finds them first. Get in touch and we'll start with the inventory.