Your Firewall’s Passwords Leaked. Patching Won’t Fix It
86,644 firewalls in 194 countries had admin credentials cracked, and the ransomware phase is starting now. Here is what your business must do this week, in plain terms.
In mid-June, security researchers confirmed one of the largest credential-theft campaigns ever recorded against network security devices. The operation, now called FortiBleed, harvested working administrator credentials from 86,644 Fortinet FortiGate firewalls across 194 countries, roughly half of all internet-facing Fortinet firewalls in the world. The victim list includes names like Samsung, Siemens, Oracle, and Accenture, but the quiet majority of exposed devices sit in front of small and mid-sized businesses, usually installed by an IT provider years ago and rarely thought about since.

If your business runs a FortiGate firewall, or you are not sure whether it does, this issue is for you. And if you read only one section, read the third one, because it explains why the obvious fix does not actually fix this.
What happened, in plain terms
A firewall is the locked front door of your network. FortiBleed was not a break-in through that door. It was a copy of the keys.
Attackers exploited known weaknesses in Fortinet devices to pull configuration data, then ran an industrial-scale password cracking operation offline. The campaign targeted more than 430,000 devices, planted traffic sniffers on roughly 19,000 of them, and successfully cracked administrator passwords for the 86,644 devices now confirmed exposed. The technical root cause: older FortiOS versions stored admin passwords using a legacy hashing method (SHA-256) that modern cracking rigs chew through. Fortinet fixed this by moving to a far stronger method (PBKDF2) in newer FortiOS releases, but, and this is the part that matters, the fix only takes effect for each administrator account after that admin logs in again following the upgrade.
Translation for the non-technical reader: even a fully patched firewall can still be carrying crackable, already-stolen passwords.
Why this lands on SMBs harder than enterprises
Three reasons.
First, Fortinet is the default firewall brand for the SMB and mid-market segment, often deployed and managed by a managed service provider (MSP). You may own one without ever having logged into it.
Second, enterprises have teams that rotated credentials the week this broke. SMBs mostly did not, because nobody told them. The exposure gap between large and small organizations is widening every day this campaign ages.
Third, the follow-on phase has started. Researchers have linked the FortiBleed credential set to the Lynx and INC ransomware operations, and based on comparable leaks they expect ransomware deployment attempts against the most valuable targets in the dataset through July and August. Stolen credentials age like inventory: the operators are now working through the list. Being smaller does not take you off it. It just moves you to a different sales tier.
The uncomfortable truth: patching does not close this
This is the strategic lesson of FortiBleed, and it applies well beyond Fortinet.
A software patch closes the hole the attacker used to get in. It does nothing about what the attacker already took. A validated credential database gives attackers a login window that survives every future update, because a stolen password stays valid until someone deliberately changes it.
So an organization that patched every Fortinet CVE this week, but did not rotate credentials, is still exposed. The patch window is bounded. The credential window stays open until you close it yourself.
What to do this week (or ask your IT provider)
If you have internal IT or an MSP, forward them this list and ask for written confirmation on each item. This is a half-day of work, not a project.


