Decoding the world of cybersecurity

Fortinet exposure keeps edge risk in focus

The NCSC has urged UK organisations using Fortinet firewalls and VPN gateways to investigate potential compromise after a global credential targeting campaign.

Fortinet exposure keeps edge risk in focus
Summary
  • The NCSC says Fortinet firewalls and VPN gateways have been targeted globally, with indications of potential UK impact.
  • A leaked credential database followed brute-force, dictionary, and credential stuffing attempts against internet-facing FortiGate and VPN portals.
  • Fortinet says the activity is not a new vulnerability and recommends credential resets, MFA, updates, configuration checks, and reduced exposed management access.

Fortinet firewall and VPN customers remain under pressure after the UK’s National Cyber Security Centre warned that a global campaign targeting Fortinet edge devices may have affected organisations in the UK.

The NCSC says Fortinet firewalls and VPN gateways have been targeted globally, with a database of credentials leaked by a threat actor after brute-force, dictionary, and credential stuffing attempts against internet-facing FortiGate and VPN portals. UK organisations using Fortinet edge devices with SSL VPN enabled have been urged to investigate potentially malicious activity and monitor networks for unusual behaviour.

The NCSC advice tells organisations to check whether affected domains appear in FortiBleed asset checkers, confirm whether devices belong to them, look for indicators of compromise such as unauthorised account creation or unexpected log activity, and isolate devices if compromise is found. It also says changing credentials alone may not be enough if attackers have established persistence.

Fortinet has published its own analysis, saying the activity involves malicious actors reusing credentials from previous incidents and using brute-force techniques against devices with weak password hygiene and no multi-factor authentication. The company says the activity is not a new Fortinet vulnerability and is not linked to a recent incident or advisory.

The immediate actions are familiar but demanding: terminate active administrator and VPN sessions, reset VPN and administrator passwords, enforce multi-factor authentication on administrator and VPN accounts, update to supported versions, review configuration for unauthorised changes, check logs, reduce exposed management access, and monitor directory services where AD or LDAP integration is configured.

The wider risk is not limited to one vendor. Edge devices sit between public networks and internal systems, often holding privileged access paths, VPN accounts, management interfaces, and integrations with identity infrastructure. When valid credentials are exposed or guessed, attackers can bypass many assumptions built into perimeter security. The compromise may look like legitimate access until logs, configuration changes, or lateral movement reveal otherwise.

The NCSC’s emphasis on investigation as well as reset reflects that problem. A password rotation may close one route, but it does not prove an attacker failed to create accounts, change device configuration, capture additional credentials, or move into systems reachable from the VPN. Shared administrative credentials across multiple edge systems can also spread risk beyond a single compromised appliance.

The episode reinforces the limits of treating multi-factor authentication as a narrow compliance control. MFA needs to cover administrator and VPN accounts, be enforced consistently, and sit alongside hardened management access, reduced internet exposure, secure configuration, asset ownership records, and logging that can support post-compromise investigation.

Public-sector and regulated organisations need assurance over whether affected Fortinet assets exist, whether they are internet-facing, which identities have access, whether logs are sufficient, whether unusual activity occurred, and whether suppliers or managed service providers hold relevant credentials. Those answers require coordination between network, identity, security operations, procurement, and supplier management functions.

Fortinet’s statement that this is not a new vulnerability does not reduce the operational burden. Credential exposure, brute forcing, and weak remote access hygiene can create serious risk when the affected systems control entry into internal networks. The defensive task is to prove control over edge infrastructure, not simply to decide whether a CVE exists.

×