Decoding the world of cybersecurity

NCSC warns on Fortinet VPN exposure

UK organisations using Fortinet SSL VPNs have been urged to investigate after leaked credentials were linked to targeting of internet-facing firewalls and gateways.

NCSC warns on Fortinet VPN exposure
Summary
  • The NCSC says Fortinet firewalls and VPN gateways have been targeted globally, with indications of possible UK impact.
  • A leaked credential database is linked to brute force, dictionary, and credential stuffing attempts against internet-facing FortiGate and VPN portals.
  • Exposed edge devices, reused credentials, unsupported systems, and remote access paths create operational risk beyond a routine password reset.

The National Cyber Security Centre has urged UK organisations using Fortinet edge devices to investigate possible exposure after a global campaign targeted firewalls and VPN gateways.

The UK agency said Fortinet firewalls and VPN gateways had been targeted as part of a global campaign, with some indications of potential impact in the UK. It said a database of credentials had been leaked by a threat actor following brute force, dictionary, and credential stuffing attempts against internet-facing FortiGate and VPN portals.

The NCSC’s advice is directed at organisations using Fortinet services, particularly UK organisations with Fortinet edge devices and SSL VPN enabled. The agency said affected organisations should investigate potentially malicious activity on devices and monitor their networks for unusual behaviour. It also pointed organisations to Hudson Rock’s FortiBleed Checker as a way to assess whether domains may be affected.

The advisory does not name affected UK organisations, quantify UK exposure, or say that operational disruption has occurred. Its significance comes from the systems involved. Firewalls and VPN gateways sit at the edge of enterprise networks, often providing a route into internal services for employees, suppliers, administrators, and remote operations. When those systems are targeted with valid or reused credentials, the security boundary depends on identity hygiene, monitoring, and configuration discipline.

Credential stuffing remains effective because of reused passwords, exposed remote access portals, legacy accounts, weak monitoring, and inconsistent use of multi-factor authentication. In a VPN environment, a valid login may be harder to distinguish from ordinary user activity than exploit traffic. If segmentation and access governance are weak, a compromised remote access account can become a route into internal systems.

The Fortinet alert also reflects sustained attacker interest in edge infrastructure. Firewalls, VPN appliances, remote access systems, and secure gateways are exposed, trusted, and often difficult to patch or replace quickly. They can also sit outside normal endpoint and cloud control planes, creating gaps in logging, asset ownership, and vulnerability response.

UK organisations should treat the NCSC guidance as an exposure management task. The priority is to identify whether SSL VPN is enabled, confirm whether affected credentials are present, rotate passwords where necessary, enforce multi-factor authentication, and review logs for suspicious authentication patterns. Unsupported systems should be removed, replaced, or isolated rather than retained as long-running exceptions.

Many organisations maintain remote access paths for employees, outsourced IT, industrial support, contractors, and emergency administration. Those paths often expand over time as suppliers change, projects close, and systems are inherited. Unless ownership is clear, old accounts and legacy portals can remain active after the business process that justified them has changed. A credential leak then becomes a test of identity lifecycle management, supplier access, and perimeter inventory.

Regulated sectors and operators of essential services should also review whether incident response playbooks are realistic for edge-device compromise. Resetting passwords is only one part of the response. Teams need to preserve logs, assess lateral movement, validate device integrity, and decide whether appliances can be trusted after suspected misuse. Where remote access supports operational technology, response actions must be coordinated to avoid disrupting production or safety systems.

The NCSC has not presented the campaign as a confirmed UK-wide incident. It has identified enough potential UK exposure to justify immediate checking across Fortinet SSL VPN estates, especially where remote access remains a critical dependency for operations and suppliers.

×