Summary
- Fortinet said it was aware of a credential-harvesting campaign targeting its firewall and VPN devices.
- The company said the activity used data from previous incidents and was not tied to a recent incident or advisory.
- The campaign points to persistent exposure around edge devices, reused credentials, VPN access, and delayed remediation after older compromises.
Fortinet says it is aware of a credential-harvesting campaign targeting its firewall and VPN devices, renewing attention on exposed edge infrastructure and older access data that can remain useful to attackers.
Reuters reported that Fortinet described the activity as a campaign in which attackers were using data from previous incidents and attempting to brute-force credentials. The company said the activity was not related to any recent incident or advisory.
A live campaign does not always require a new vulnerability. Attackers can work from older credential sets, historical incident data, exposed management services, weak passwords, shared administrator accounts, and access paths that were never fully closed. Firewalls and VPN appliances remain attractive because they sit between the internet and internal networks, and successful access can provide a direct route into high-value environments.
Fortinet has not publicly identified affected organisations, confirmed victim numbers, or said how many targeted credentials remain valid. The known facts point to credential harvesting and brute-forcing against devices that are already operationally sensitive. The broader exposure depends on whether organisations fully rotated credentials, reviewed administrative accounts, restricted remote management, and investigated authentication activity tied to older incidents.
Breach response does not end when a vulnerability is patched or a public advisory fades from view. Credentials can persist in attacker collections for months or years. Access brokers can test old data against live infrastructure. A password that should have been rotated, an administrative account that should have been disabled, or a VPN profile that should have been retired can become a path back into an organisation long after the original event.
Edge device risk has been a recurring feature of ransomware, espionage, and supplier compromise across UK and European organisations. Firewalls, VPNs, secure gateways, and remote access appliances are often maintained by central IT teams, managed providers, or network specialists. That split in ownership can slow response when threat activity shifts from vulnerability exploitation to credential misuse.
The control task is to prove that old access no longer works. Organisations using affected technologies should confirm that exposed credentials have been invalidated, administrative access is protected with strong multifactor authentication, management interfaces are restricted, logs are retained and reviewed, and legacy remote access routes are not still trusted by default.
Credential campaigns also expose weaknesses in identity governance. Network edge appliances are sometimes treated as infrastructure assets rather than identity systems, yet they enforce some of the most important access decisions in the business. If privileged accounts on those systems are shared, unmanaged, or poorly monitored, the organisation’s identity controls are weaker than its policy suggests.
Third-party access adds another layer. Managed service providers and outsourced network administrators may hold access across multiple customer environments. A credential set connected to one provider or support account can create exposure across several organisations if access is not segmented, monitored, and regularly reviewed.
The Fortinet campaign should not be treated as a new zero-day story without evidence. Its significance is narrower and more operational: attackers can recycle old material against critical access points, and organisations can remain exposed after the original incident has passed. A valid credential on an edge device can still look like legitimate access until monitoring, investigation, and governance prove otherwise.





