DORA · NIS2 · ISO/IEC 27001

The bleeding edge: when 75,000 firewalls became the open door

The device whose entire job is to keep intruders out became the way in. FortiBleed handed attackers verified credentials to ~73,932 Fortinet firewalls, half the internet-facing fleet, without a single new vulnerability. The exploit was patience.

On 17 June 2026 a credential dataset went public that should not have surprised anyone, and alarmed everyone. Researcher Volodymyr "Bob" Diachenko found an internet-exposed server holding usernames, e-mail addresses and plaintext passwords for tens of thousands of Fortinet FortiGate firewalls. Kevin Beaumont obtained the set, worked it through with Hudson Rock, and confirmed the part nobody wanted confirmed: the credentials were valid. The campaign was named FortiBleed.

The numbers are the story. 73,932 unique FortiGate URLs across 194 countries, tied to 21,632 domains, which by Shodan polling is roughly half of every Fortinet firewall currently facing the public internet. The exposed organisations are not amateurs: Foxconn, Samsung, Comcast, Siemens, Lenovo, FedEx, Accenture, Oracle, PwC, plus government agencies and critical-infrastructure operators. At least four organisations were fully compromised, in Japan, Taiwan, Vietnam, Iraq and Turkey, with attackers pivoting machine to machine inside the network. The worst case is a Turkish NATO defence subcontractor from which classified documents were exfiltrated. The activity is attributed to a multi-operator Russian-speaking criminal group.

The irony writes itself. The firewall, the one appliance whose entire purpose is to hold intruders at the perimeter, became the perimeter's open door.

What actually happened, technically

There is no new vulnerability here, and that matters. The harvesting traces back to CVE-2022-40684, the FortiOS authentication-bypass that Fortinet patched in October 2022 and that was mass-exploited before most organisations applied the fix. Credentials scraped during that 2022 wave have circulated in private criminal forums ever since. FortiBleed is that stock, refreshed: the operators intercepted SSL-VPN authentication, recovered password hashes, and cracked them on a 45-GPU cluster orchestrated with Hashtopolis. They then replayed the recovered passwords against live devices, logging 1.16 billion login attempts against 320,000 FortiGate appliances and 2.1 billion more in parallel against 160,000 Microsoft SQL servers, and walked the valid ones through to Active Directory, the directory that governs every Windows account in the organisation.
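What the replay described above looks like from the defender's side can be shown with a small detector. The following is an added example, not code from this article, from Fortinet or from CCI: it parses FortiGate-style key=value SSL-VPN event lines and flags a source address that fails against many distinct usernames (a recycled-credential spray) and, worse, a source that succeeds only after a run of failures (a recycled password that still worked). The sample lines are constructed in FortiGate's syslog layout with invented device names, users and documentation-range addresses; the `action` values and the thresholds are assumptions, and a real deployment would tune them against its own baseline.

```python
"""Flag credential-replay and password-spray patterns in FortiGate-style
SSL-VPN event logs.  Added illustration, not code from the article, from
Fortinet or from CCI.  Sample lines are constructed: FortiGate key=value
layout, invented users/devices, documentation-range IPs."""
from collections import defaultdict
import re

# Constructed sample telemetry (not real logs).  203.0.113.10 walks a list of
# recycled usernames and finally lands a valid password; 198.51.100.7 is an
# ordinary user mistyping once; 203.0.113.44 hammers one account without
# success; the last line is a non-VPN event the detector must ignore.
SAMPLE_LOGS = """\
date=2026-06-17 time=08:00:01 devname="FGT-EDGE-01" type="event" subtype="vpn" action="ssl-login-fail" user="a.kowalski" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:00:02 devname="FGT-EDGE-01" type="event" subtype="vpn" action="ssl-login-fail" user="m.tanaka" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:00:02 devname="FGT-EDGE-01" type="event" subtype="vpn" action="ssl-login-fail" user="j.smith" remip=203.0.113.10 reason="sslvpn_login_unknown_user"
date=2026-06-17 time=08:00:03 devname="FGT-EDGE-01" type="event" subtype="vpn" action="ssl-login-fail" user="s.ahmed" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:00:04 devname="FGT-EDGE-01" type="event" subtype="vpn" action="ssl-login-fail" user="a.kowalski" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:00:05 devname="FGT-EDGE-01" type="event" subtype="vpn" action="ssl-login-fail" user="m.tanaka" remip=203.0.113.10 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:00:07 devname="FGT-EDGE-01" type="event" subtype="vpn" action="ssl-login" user="m.tanaka" remip=203.0.113.10 msg="SSL user logged in"
date=2026-06-17 time=08:01:10 devname="FGT-EDGE-01" type="event" subtype="vpn" action="ssl-login-fail" user="r.lee" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:01:25 devname="FGT-EDGE-01" type="event" subtype="vpn" action="ssl-login" user="r.lee" remip=198.51.100.7 msg="SSL user logged in"
date=2026-06-17 time=08:02:00 devname="FGT-EDGE-02" type="event" subtype="vpn" action="ssl-login-fail" user="p.novak" remip=203.0.113.44 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:02:30 devname="FGT-EDGE-02" type="event" subtype="vpn" action="ssl-login-fail" user="p.novak" remip=203.0.113.44 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:03:00 devname="FGT-EDGE-02" type="event" subtype="vpn" action="ssl-login-fail" user="p.novak" remip=203.0.113.44 reason="sslvpn_login_permission_denied"
date=2026-06-17 time=08:03:10 devname="FGT-EDGE-02" type="event" subtype="system" action="login" user="admin" ui="ssh(10.0.0.5)" msg="Administrator admin logged in"
"""

# key=value pairs; a quoted value may contain spaces, a bare value may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def analyse(log_text, fail_threshold=5, user_threshold=3):
    """Score each source IP for two patterns (thresholds are assumptions):
    spray          -> >= fail_threshold failures spread over >= user_threshold users
    replay-success -> a successful login from a source that already had
                      >= fail_threshold failures, i.e. a recycled password that worked
    Returns {remip: {"tags": [...], "failures": n, "distinct_users": n, "successes": [...]}}.
    """
    per_source = defaultdict(lambda: {"failures": 0, "users": set(), "successes": []})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("subtype") != "vpn" or "remip" not in f:
            continue  # only SSL-VPN events that carry a source address
        state = per_source[f["remip"]]
        if f.get("action") == "ssl-login-fail":
            state["failures"] += 1
            state["users"].add(f.get("user"))
        elif f.get("action") == "ssl-login" and state["failures"] >= fail_threshold:
            state["successes"].append((f.get("user"), f"{f.get('date')} {f.get('time')}"))

    findings = {}
    for src, s in per_source.items():
        tags = []
        if s["failures"] >= fail_threshold and len(s["users"]) >= user_threshold:
            tags.append("spray")
        if s["successes"]:
            tags.append("replay-success")
        if tags:
            findings[src] = {"tags": tags, "failures": s["failures"],
                             "distinct_users": len(s["users"]), "successes": s["successes"]}
    return findings


if __name__ == "__main__":
    for src, d in analyse(SAMPLE_LOGS).items():
        print(src, d["tags"], f"{d['failures']} failures across {d['distinct_users']} users",
              "then succeeded as:", d["successes"])
```

The "replay-success" tag is the one to page on: a spray that never succeeds is noise to rate-limit, but a success that follows a run of failures from the same source is the signature of a recycled credential that is still valid and should trigger an immediate rotation of that account and a review of the session it opened.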

Fortinet's response is technically correct and strategically beside the point. The company characterises FortiBleed as recycled data from past incidents plus brute force, not a fresh flaw in its products. True. But the appliances are still online, and a recycled password opens a real door for exactly as long as nobody changes it. In a large estate, rotating every VPN and administrator credential is not a finger-snap, which is the whole reason the attackers bet on it still working. They were right.

Which frameworks govern this, and what they demand

This is not a niche technical footnote; it sits squarely inside three regimes the affected organisations already answer to.

The EU Digital Operational Resilience Act (DORA) binds financial entities. Its ICT risk-management pillar (Articles 5 to 15) requires strong authentication and access control on remote entry points (Article 9) and a tested, evidenced incident-response capability (Article 11). DORA does not accept "we patched the 2022 CVE" as resilience; it asks whether the residual exposure was identified, quantified and governed.

The Network and Information Security Directive 2 (NIS2) covers a far wider population, including energy, transport, manufacturing, digital infrastructure and public administration. Its Article 21 explicitly names multi-factor authentication, access control and asset management as baseline measures, and Article 20 makes management bodies personally accountable.

ISO/IEC 27001:2022 frames the same controls as Annex A obligations: A.5.17 (authentication information), A.8.5 (secure authentication), A.5.15 (access control) and A.8.9 (configuration management).

For the NATO defence subcontractor, a fourth layer applies: defence supply-chain security obligations under which exfiltration of classified material is a reportable, sovereignty-level event, not merely a commercial breach.

Which controls failed

Strip away the headline scale and FortiBleed is a short list of switches left in the OFF position. Remote-access multi-factor authentication was absent or incomplete, and it is the single control that renders a stolen password inert, the one whose presence separates a non-event from a breach. Credential rotation never fired after the 2022 compromise, so passwords leaked four years ago still authenticated in June 2026. Patch and configuration hygiene lagged the original CVE-2022-40684 window long enough for the harvest to succeed. Network segmentation between the VPN edge and the Active Directory core was thin or absent, turning a single compromised appliance into domain-wide lateral movement. And underlying all of it, asset visibility failed: organisations did not have an authoritative, current view of which of their FortiGate appliances were internet-facing, on which firmware, with which accounts and which authentication posture. You cannot rotate, segment or enforce MFA on an exposure you cannot see.

What CCI's tools would have changed

None of the four controls above required a new product category. They required the exposure to be continuously seen, priced and proven, which is precisely the gap CCI's instruments close.

EviGen would have answered the only question that matters before the attackers asked it: is MFA enforced on every SSL-VPN and administrator account, on every appliance, right now? EviGen collects that configuration evidence automatically across the estate and packages it framework-aware as the DORA Article 9, NIS2 Article 21 and ISO A.8.5 artefact, generated continuously rather than reconstructed in a panic. A gap in MFA coverage becomes a dated, signed finding the week it opens, not a forensic discovery after exfiltration.

NetDiagramer would have drawn the path the attackers actually walked. It maps firewall zones and cross-layer dependencies from live inventory, surfacing every internet-facing FortiGate and, critically, the route from the SSL-VPN edge into the Active Directory core. The flat edge-to-domain adjacency that made four organisations fully compromisable is exactly what an automatically generated DORA Article 8 and NIS2 Article 21 topology exposes as a finding rather than a post-mortem diagram.

cVaR would have turned "old credentials, probably fine" into a board-grade number. Applying FAIR and Monte-Carlo simulation across the asset inventory, it prices the scenario "internet-facing VPN credential is replayed and pivots to AD" as a loss-exceedance curve in euros. A residual exposure that reads as a vague worry in a risk register reads as conditional value-at-risk on a cVaR dashboard, and residual euros get rotated where residual worries get deferred.
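To make the loss-exceedance and conditional value-at-risk idea concrete, here is an added example that is not cVaR's code or CCI's method: a minimal FAIR-style Monte Carlo in plain Python. It draws an annual count of loss events from a Poisson distribution and each event's magnitude from a lognormal, sums them into an annual loss per trial, and reads VaR and conditional VaR off the sorted trials. The scenario parameters (0.3 credential-replay events per year, a median loss of EUR 1.2 million, a wide magnitude spread) are constructed assumptions for illustration, and the Poisson/lognormal choice is a simplification of the PERT-calibrated ranges FAIR tooling normally uses.

```python
"""FAIR-style Monte Carlo for one scenario: an internet-facing VPN credential
is replayed and the intruder pivots to AD.  Added illustration, not the cVaR
product's code.  Frequency/magnitude distributions and the parameter values
are assumptions."""
import math
import random


def poisson(rng, lam):
    """Knuth's algorithm; adequate for the small event rates used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(frequency_per_year, magnitude_median_eur,
                           magnitude_sigma, trials=20000, seed=1):
    """Return one simulated annual loss (EUR) per trial.
    frequency_per_year  -> loss event frequency, Poisson-distributed (assumption)
    magnitude_median_eur, magnitude_sigma -> lognormal loss magnitude (assumption)
    """
    rng = random.Random(seed)
    mu = math.log(magnitude_median_eur)
    losses = []
    for _ in range(trials):
        events = poisson(rng, frequency_per_year)
        losses.append(sum(rng.lognormvariate(mu, magnitude_sigma) for _ in range(events)))
    return losses


def value_at_risk(losses, confidence=0.95):
    """Loss not exceeded in `confidence` of simulated years."""
    s = sorted(losses)
    idx = min(len(s) - 1, math.ceil(confidence * len(s)) - 1)
    return s[idx]


def conditional_var(losses, confidence=0.95):
    """Mean loss in the tail at or beyond VaR: the number a board can act on."""
    var = value_at_risk(losses, confidence)
    tail = [x for x in losses if x >= var]
    return sum(tail) / len(tail)


def exceedance_curve(losses, thresholds):
    """[(threshold, P(annual loss > threshold))] for plotting or tabulating."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x > t) / n) for t in thresholds]


if __name__ == "__main__":
    # Constructed scenario parameters: 0.3 events/year, median EUR 1.2M, sigma 0.8.
    losses = simulate_annual_losses(0.3, 1_200_000, 0.8)
    for t, p in exceedance_curve(losses, [100_000, 1_000_000, 5_000_000, 20_000_000]):
        print(f"P(loss > EUR {t:>12,}) = {p:.3f}")
    print(f"VaR(95%)  = EUR {value_at_risk(losses):,.0f}")
    print(f"CVaR(95%) = EUR {conditional_var(losses):,.0f}")
```

The point of the conditional figure over the plain percentile is that it keeps the shape of the tail: two scenarios can share a VaR while one hides a far worse expected loss beyond it, and it is the tail that decides whether a credential rotation gets funded this quarter.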

DORA-MAST would have made it a tested scenario rather than a surprise. It runs the disruption, credential reuse on the remote-access perimeter, against the model, computes the resilience impact, and evidences the test under DORA's Article 24 to 31 testing programme, including the third-party concentration risk of betting the entire perimeter on a single appliance vendor.

Predict the exposure, price it, prove the control, rehearse the failure. The 2022 wound was knowable. The leaked credentials were knowable. The MFA gap was knowable. FortiBleed did not exploit a vulnerability in Fortinet's code. It exploited the distance between a control an organisation owned and a control an organisation could prove was switched on. Close that distance and the recycled password opens nothing.

If your domain is already on the list: getting help fast

The tools above describe a posture an organisation builds before an incident. FortiBleed, for many of the 21,632 exposed domains, is not a future risk but a present one, and the honest question is what to do this week. Two distinct CCI capabilities apply, and it is worth being precise about which does what.

The first is leadership under pressure. CCI's CISO-as-a-Service draws on a pool of eight or more CISSP-certified practitioners with deliberately non-overlapping backgrounds across banking, defence, telecoms and energy. For an organisation that has just discovered its credentials in the FortiBleed set, the relevant mode is interim or on-call cover: an accountable security leader who can triage the exposure, brief a board, and answer a regulator's Article 11 (DORA) or Article 23 (NIS2) questions while the internal team executes the rotation. We do not audit where we lead, so that independence is preserved by design.

The second is engineering speed. The people who built EviGen, NetDiagramer, cVaR and DORA-MAST are not a separate vendor; they are an in-house research and development team of academics, doctoral-level researchers and security engineers. That matters operationally because the FortiBleed remediation is, at scale, a tooling problem: cross-checking an organisation's full FortiGate fleet against the published exposed-domain list, forcing credential rotation across hundreds of appliances, and then proving multi-factor authentication is enforced on every remaining account. This is precisely the kind of bespoke redress instrument the same engineers can stand up quickly, because the underlying primitives, including inventory ingestion, configuration evidence collection and topology mapping, already exist as shipped products rather than slideware. The honest framing is capability, not a contractual stopwatch: the team that productised these primitives can compose them into a targeted remediation tool far faster than a team meeting the problem for the first time. If FortiBleed has reached your estate, the fastest route to a scoped response is to talk to a practitioner.
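The visibility gap named under "Which controls failed" and the remediation steps listed above (cross-check the fleet against the exposed-domain list, rotate, prove MFA) reduce to a triage over an inventory. The following is an added example, not a CCI product or Fortinet code: it runs a constructed FortiGate inventory against a constructed stand-in for the published exposed-domain list, flags accounts without MFA and credentials last changed before the CVE-2022-40684 patch window, and ranks appliances by what to rotate first. The cutoff date, the domains, the hostnames and the priority scheme are all assumptions; the controls it checks are the ones the article names.

```python
"""Fleet cross-check for the FortiBleed remediation steps the article lists.
Added illustration, not CCI's or Fortinet's code.  The inventory, the
exposed-domain list and the rotation cutoff are constructed assumptions."""
from dataclasses import dataclass
from datetime import date

# Assumption: a credential last changed before the end of October 2022 (the
# month the article gives for Fortinet's patch) is treated as potentially harvested.
ROTATION_CUTOFF = date(2022, 11, 1)


@dataclass
class Account:
    name: str
    role: str          # "admin" or "sslvpn"
    mfa: bool
    last_rotated: date


@dataclass
class Appliance:
    hostname: str
    domain: str
    internet_facing: bool
    accounts: list


# Constructed stand-in for the published exposed-domain list (.test names, never real).
EXPOSED_DOMAINS = {"example-corp.test", "bank-sample.test"}

# Constructed inventory; a real run would ingest a CMDB or FortiManager export.
FLEET = [
    Appliance("fgt-hq-edge-01", "example-corp.test", True, [
        Account("admin", "admin", False, date(2021, 3, 12)),
        Account("vpn-svc", "sslvpn", True, date(2024, 1, 5)),
    ]),
    Appliance("fgt-branch-07", "ops.internal.test", True, [
        Account("admin", "admin", True, date(2023, 2, 1)),
        Account("contractor", "sslvpn", False, date(2023, 6, 1)),
    ]),
    Appliance("fgt-lab-02", "lab.example-corp.test", False, [
        Account("admin", "admin", False, date(2020, 5, 5)),
    ]),
    Appliance("fgt-dc-core-01", "dc.internal.test", False, [
        Account("admin", "admin", True, date(2025, 9, 1)),
    ]),
]


def in_exposed_set(domain, exposed):
    """Exact match, or a subdomain of a listed domain."""
    return any(domain == d or domain.endswith("." + d) for d in exposed)


def assess(appliance, exposed=EXPOSED_DOMAINS, cutoff=ROTATION_CUTOFF):
    """Return (kind, detail) findings mapped to the controls the article names."""
    findings = []
    if in_exposed_set(appliance.domain, exposed):
        findings.append(("exposed-set", f"{appliance.domain} is in the published set"))
    for a in appliance.accounts:
        if not a.mfa:
            findings.append(("mfa-gap", f"{a.role} account '{a.name}' has no MFA"))
        if a.last_rotated < cutoff:
            findings.append(("stale-credential", f"'{a.name}' last rotated {a.last_rotated}"))
    return findings


PRIORITY_ORDER = ["P1-rotate-now", "P2-this-week", "P3-schedule", "ok"]


def priority(appliance, findings):
    """Assumed ranking: internet exposure escalates whatever else is wrong."""
    kinds = {k for k, _ in findings}
    if appliance.internet_facing and "exposed-set" in kinds:
        return "P1-rotate-now"
    if appliance.internet_facing and kinds & {"mfa-gap", "stale-credential"}:
        return "P2-this-week"
    if kinds:
        return "P3-schedule"
    return "ok"


def triage(fleet=FLEET, exposed=EXPOSED_DOMAINS, cutoff=ROTATION_CUTOFF):
    """Return [(hostname, priority, findings)] ordered by urgency."""
    rows = []
    for ap in fleet:
        findings = assess(ap, exposed, cutoff)
        rows.append((ap.hostname, priority(ap, findings), findings))
    rows.sort(key=lambda r: PRIORITY_ORDER.index(r[1]))
    return rows


if __name__ == "__main__":
    for host, prio, findings in triage():
        print(f"{host:16} {prio:14}", "; ".join(d for _, d in findings) or "no findings")
```

Two details matter in practice. The subdomain match is deliberate, because a published list names domains while an inventory names hosts, and an exact comparison would miss most of the fleet. And the non-internet-facing lab box still surfaces as P3: its stale, MFA-less admin account is not an incident today, but it is exactly the kind of forgotten appliance that reappears on the edge after the next network change.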

The wound that never closed

The hornet does not change; the colony does. The credentials Fortinet's customers lost in 2022 were never going to expire on their own, because passwords do not heal. What changed, for the half of the fleet still exposed, is nothing: same appliances, same passwords, same flat path to the domain. The fix is unglamorous and entirely within reach. Enforce MFA, rotate now, segment the edge from the core, and keep continuous evidence that all three are true. The attackers are betting you will read this, nod, and defer it to next quarter. They have a four-year track record of being right about that.

Acronyms

Acronym Expansion
AD Active Directory
CVE Common Vulnerabilities and Exposures
CVSS Common Vulnerability Scoring System
DORA Digital Operational Resilience Act
FAIR Factor Analysis of Information Risk
GPU Graphics Processing Unit
ICT Information and Communication Technology
MFA Multi-Factor Authentication
NIS2 Network and Information Security Directive 2
SSL-VPN Secure Sockets Layer Virtual Private Network

Fortinet is right that there was no new vulnerability. That is precisely the indictment: every control that should have closed this gap was a control the victims already owned and never switched on.
