Cybercriminals allegedly broke into tens of thousands of Fortinet firewalls and VPN gateways used by major companies around the world, turning one of business cybersecurity’s most trusted front doors into the story itself.
Security researchers have called the campaign FortiBleed. Fortinet, however, says the activity does not come from a new vulnerability or recent security advisory. That difference matters, because this story isn’t only about a hack. It’s about companies leaving sensitive systems exposed with old, reused, or weak credentials.
FortiBleed puts Fortinet firewalls under global pressure
A firewall is supposed to act like the security gate outside a company’s network. It checks who can come in, what traffic can pass, and which systems stay hidden from the open internet.

That’s why this case feels so serious. TechCrunch reported that cybercriminals allegedly compromised Fortinet firewalls and VPNs used by major companies worldwide, based on findings from Hudson Rock and SOCRadar. Researchers say the attackers scanned the internet for exposed Fortinet systems, then used known or cracked credentials to break in.
Recorded Future says the dataset allegedly includes valid administrative and VPN credentials for around 73,932 FortiGate firewall URLs across 194 countries. The firm also says affected organisations include government, telecoms, finance, healthcare, manufacturing, and critical infrastructure.
That’s the nightmare version of “password reuse.”
Fortinet says this is not a new vulnerability
Fortinet is pushing back on the idea that FortiBleed comes from a new flaw in its products. In its June 19 analysis, the company said the activity involves threat actors reusing credentials from previous incidents and using brute-force attacks against devices with weak password hygiene and no multi-factor authentication.


In plain language: attackers may not have needed a shiny new exploit. They could simply try old keys until one still opened the door.
Fortinet also said it has identified potentially compromised systems and is contacting impacted customers. Its guidance is practical: terminate active admin and VPN sessions, reset credentials, enable MFA, upgrade to current FortiOS versions, check logs, and remove internet-facing management where possible.
Here’s what companies should focus on:
| Risk | What it means |
| --- | --- |
| Old passwords | Attackers can reuse leaked credentials from past incidents. |
| No MFA | A stolen password may be enough to log in. |
| Exposed admin panels | Internet-facing management gives attackers a target. |
| Weak monitoring | Companies may miss strange admin logins or lateral movement. |
Why the scale is worrying
The scary part isn’t only the number. It’s what a firewall controls.
Once attackers access a firewall or VPN, they may see routes into internal systems, create new accounts, watch traffic, or move deeper into a company’s network. Recorded Future says researchers linked the campaign to credential cracking, SSL VPN hash interception, and attempts to access internal Active Directory environments.
That means a firewall compromise can become more than a perimeter problem. It can become a business-wide breach.
Researchers also say the campaign hit organisations across many countries. TechCrunch reported that India, the United States, Taiwan, and Mexico appeared among the countries with the most affected devices, while victims existed worldwide.
Why South African companies should care
This may sound like a global enterprise story, but South Africa sits inside the same risk map.
Banks, retailers, telcos, logistics firms, universities, healthcare providers, and municipalities all depend on secure remote access. If attackers compromise a VPN, they can potentially turn remote work infrastructure into an entry point.


South Africa also has legal pressure around cybercrime. The Cybercrimes Act 19 of 2020 creates offences tied to cybercrime, harmful data messages, investigation powers, and cross-border cooperation.
Memeburn has also reported that South African organisations already face rising human-risk and AI-driven cyber concerns. In one report, 69% of security decision-makers expected AI-powered cyber attacks to target their organisations within 12 months.
So yes, this Fortinet case is global. But the lesson lands in Sandton, Cape Town, Durban, and every office with a remote-access login.
The bigger cybersecurity lesson
FortiBleed shows how modern cyberattacks don’t always need movie-style hacking.
Sometimes attackers win because companies delay password resets, skip MFA, leave admin panels online, or assume old breaches no longer matter. That’s not glamorous. It’s still dangerous.
The fix also isn’t glamorous. Companies need to rotate credentials, audit logs, close unnecessary external access, upgrade firmware, and check for suspicious admin accounts. Fortinet specifically warned customers to look for unexpected administrator access, unusual domain-controller activity, and unrecognised accounts.
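As an added illustration (not Fortinet's tooling or log schema), the log review described above can be scripted: flag successful admin logins by unrecognised accounts, from outside the management network, or following a burst of failures. The key=value field names, account list, networks and sample lines are all constructed assumptions; map them to whatever your own log export provides.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed inventory for this example: replace with your own.
KNOWN_ADMINS = {"netops", "secops"}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FAIL_THRESHOLD = 3  # failed logins from one source before a success is flagged
# Constructed sample events; the key=value field names are assumptions.
SAMPLE_LOG = """\
time=01:10:02 user="netops" srcip=10.20.0.15 action="login" status="success"
time=02:14:40 user="admin" srcip=203.0.113.50 action="login" status="failed"
time=02:14:41 user="admin" srcip=203.0.113.50 action="login" status="failed"
time=02:14:43 user="admin" srcip=203.0.113.50 action="login" status="failed"
time=02:14:44 user="admin" srcip=203.0.113.50 action="login" status="success"
time=03:02:10 user="secops" srcip=198.51.100.7 action="login" status="success"
time=03:30:55 user="svc_backup" srcip=10.20.0.30 action="login" status="success"
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):  # one key=value line -> dict; values may be quoted or bare
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def in_mgmt(src):  # True only for a valid address inside a management network
    try:
        return any(ipaddress.ip_address(src) in net for net in MGMT_NETS)
    except ValueError:
        return False

def review(log_text):  # -> [(time, user, srcip, reasons)] per suspicious login
    failures, findings = defaultdict(int), []
    for ev in map(parse, log_text.splitlines()):
        status = ev.get("status") if ev.get("action") == "login" else None
        src, user = ev.get("srcip", ""), ev.get("user", "")
        if status == "failed":
            failures[src] += 1
        elif status == "success":
            reasons = []
            if user not in KNOWN_ADMINS:
                reasons.append("unrecognised account")
            if not in_mgmt(src):
                reasons.append("source outside management network")
            if failures[src] >= FAIL_THRESHOLD:
                reasons.append(f"success after {failures[src]} failures")
            if reasons:
                findings.append((ev.get("time"), user, src, reasons))
            failures[src] = 0  # a success ends the current failure streak
    return findings
```

Calling `review(SAMPLE_LOG)` returns three findings and leaves the first, routine login unflagged.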
This is where cybersecurity gets uncomfortable. The weakest link may not be the firewall. It may be the forgotten password policy behind it.
For South African businesses, the question is simple: if attackers tried your old VPN passwords tonight, would anything stop them?
FAQs
What is FortiBleed?
FortiBleed is the name researchers gave to a credential-harvesting campaign targeting Fortinet firewalls and VPN gateways. It allegedly exposed tens of thousands of FortiGate-related credentials. Fortinet says it is not tied to a new vulnerability.
Was Fortinet hacked?
Researchers say Fortinet devices used by companies were compromised, but Fortinet says the attackers reused credentials from previous incidents and used brute-force attacks. That means the issue may sit more with exposed systems and weak account security than with a fresh product flaw. The company says it is contacting impacted customers.
What should companies do now?
Companies should reset Fortinet admin and VPN passwords, enable multi-factor authentication, update FortiOS, and check logs for strange access. They should also remove public admin access where possible. Old passwords are not harmless if attackers still have them.

