
FortiBleed - what the Fortinet firewall attacks mean for every business

Posted on 30 June 2026

Reading time 6 minutes

In June 2026, the UK's National Cyber Security Centre (NCSC) issued an alert about a global campaign targeting Fortinet firewalls and VPN gateways - the devices many organisations use to protect their networks and allow staff to connect remotely. The NCSC confirmed that a database of credentials had been leaked by a threat actor following brute-force, dictionary and credential stuffing attempts against internet-facing FortiGate and VPN portals, with some indications of impact in the UK.

Security researchers have since quantified the scale of the campaign. Now nicknamed "FortiBleed", it is reported to have compromised somewhere between 30,000 and 75,000 devices across 194 countries. One analysis placed the figure at over 73,000 unique Fortinet firewall URLs and described an extraordinary volume of automated attempts: an estimated 1.16 billion credential-based attempts against more than 320,000 FortiGate targets.

Importantly, this was not a sophisticated exploit of a hidden flaw in Fortinet's software. Researchers found no evidence of a Fortinet zero-day or a breach of Fortinet itself. Instead, attackers relied on something far simpler and far more common: credential stuffing, password spraying, brute-force attempts, and reused passwords from prior leaks. In plain terms, attackers took passwords stolen in earlier, unrelated breaches and tried them, at industrial scale, against the login pages of firewalls and VPNs exposed to the open internet. Where a password had been reused, the door simply opened.

There is also a worrying dimension: experts note that adversaries are leveraging generative AI to automate these attacks, adopting tactics typically associated with nation-state actors. Capabilities once reserved for sophisticated state-backed groups are increasingly available to ordinary criminal operations.

Why does this matter?

Think of a firewall or VPN gateway as the front door and security desk of a company's digital building. Almost everything else - email, file servers, customer databases, finance systems, factory control systems - sits behind it. It is designed to be the mechanism that keeps unauthorised people out whilst allowing legitimate staff in.

When that front door is compromised, an attacker does not just see the lobby. They can often walk straight into back offices with elevated privileges, because these devices typically hold powerful administrative access by design.

For a business, the practical consequences of this kind of compromise can include:

  • Operational disruption - production lines, logistics, or customer-facing systems going offline.
  • Data theft - customer records, intellectual property, or financial data extracted before anyone notices.
  • Ransomware as the second act - initial access via a compromised VPN is one of the most common ways ransomware gangs get a foothold, often weeks or months before the ransomware itself is deployed.
  • Regulatory and reputational fallout - breach notification obligations, client trust damage, contract and insurance implications.
  • Knock-on risk to partners and customers - compromised networks are frequently used as a launchpad to attack suppliers, clients, or other connected organisations.

What this trend represents more abstractly

This incident is not really a story about Fortinet specifically. Fortinet's own systems were not breached - and the same pattern has played out against other vendors. Researchers note a near-identical campaign in the same period targeting enterprise VPN authentication infrastructure, specifically Palo Alto Networks GlobalProtect and Cisco SSL VPN gateways, and the NCSC has separately issued advisories about attacks on Cisco firewall platforms.

The real story is structural, and it points to three broader shifts:

  1. The perimeter is the target now, not just the destination. For years, security strategy assumed the firewall was a static, trustworthy barrier. Attackers have recognised that the wall itself - its login page, its credential store, its management interface - can be the single richest target in the entire network. Compromise the gatekeeper, and you inherit its trust.
  2. Human and process failure outpaces technical failure. This was not a brilliant exploit. It was password reuse, weak credential hygiene, and internet-exposed administrative panels - entirely preventable, well-understood weaknesses that organisations have been advised to address for over a decade. The technology generally worked as designed; the operational discipline around it did not.
  3. Automation and AI are collapsing the cost of attack. Billions of login attempts, organised credential databases sorted by country, sector, and revenue, and AI-assisted automation represent industrial-scale opportunism. Attackers no longer need to specifically target your organisation; they need only to know you exist, use a familiar product, and have a reused password somewhere in its history.

Taken together, this represents a shift from attacks requiring skill and patience to attacks requiring only scale and persistence - a far larger and more enduring threat for every organisation with an internet-facing footprint, regardless of size or perceived importance.

Strategic recommendations for organisations

The NCSC's technical guidance is sound and immediately actionable. Translated into management priorities, organisations should:

  • Treat edge devices as crown jewels, not commodity IT. Firewalls, VPN gateways, and other internet-facing infrastructure should receive the same governance attention, patching discipline, and monitoring as your most sensitive applications, because they are, functionally, the master key to everything behind them.
  • Get the basics right, and verify they are actually being followed. Change all default, generic, or reused administrator passwords and ensure multi-factor authentication is enforced on all VPN and device management logins. These are not aspirational best practices; they are the specific gaps this campaign exploited. Audit, do not assume.
  • Take admin interfaces off the public internet. Ensure management interfaces are not exposed to the internet and restrict access to trusted internal networks. There is rarely a good reason for a firewall's management console to be reachable by anyone with a browser and an internet connection.
  • Keep technology current - and retire what cannot be. Update to the latest version and remove out-of-support systems as soon as practicable. Unsupported, unpatched edge devices are a standing invitation to attackers.
  • Assume compromise, then verify you are wrong. Do not wait for visible symptoms. Determine whether your Fortinet device has been compromised by checking for common indicators of compromise, including unauthorised account creation and unexpected activity in log files. Investigate devices reachable from the compromised device and monitor firewall logs for suspicious activity to confirm the breach has not spread further into the network.
  • Build credential hygiene into culture, not just policy. Password reuse is a human behaviour problem as much as a technical one. Password managers, mandatory MFA, and regular credential rotation for privileged accounts should be non-negotiable for any account with administrative reach.
  • Subscribe to early warning services. Free resources such as the NCSC's Early Warning service exist specifically to give organisations advance notice of a cyber incident before it escalates. Use them.
  • Plan for the next vendor, not just this one. Because this is a pattern, not an isolated event, boards and leadership teams should ask: if our other internet-facing infrastructure were targeted tomorrow in the same way, would we know, and could we respond? That question, asked regularly, is more valuable than any single patch.
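As an added example (not from the NCSC guidance or this article), here is the kind of log review the "assume compromise" point describes, in Python: it aggregates failed VPN logins per source address to separate password spraying from brute force, flags a successful login that follows a burst of failures from the same source, and flags the creation of a new administrator account. The log lines are constructed; their key=value layout is loosely modelled on FortiGate event logs, and the field names and action values are assumptions, not a reference for the real schema.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified key=value style loosely modelled on
# FortiGate event logs; field names and action values are assumptions.
SAMPLE_LOGS = """\
action="ssl-login-fail" user="alice" remip=203.0.113.10
action="ssl-login-fail" user="bob" remip=203.0.113.10
action="ssl-login-fail" user="carol" remip=203.0.113.10
action="ssl-login-fail" user="dave" remip=203.0.113.10
action="ssl-login-fail" user="alice" remip=198.51.100.7
action="ssl-login-fail" user="alice" remip=198.51.100.7
action="ssl-login-fail" user="alice" remip=198.51.100.7
action="ssl-login-fail" user="alice" remip=198.51.100.7
action="ssl-login-fail" user="alice" remip=198.51.100.7
action="tunnel-up" user="alice" remip=198.51.100.7
action="Add" cfgpath="system.admin" cfgobj="svc_backup" user="alice" remip=198.51.100.7
action="ssl-login-fail" user="frank" remip=192.0.2.44
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, stripping quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def analyse(text, spray_users=4, brute_attempts=5):
    """Return (finding, source_ip, detail) tuples for four patterns:
    password-spray (few tries each against many users from one source),
    brute-force (many tries against one user from one source),
    success-after-failures (a login succeeds from a source that was already
    failing repeatedly, i.e. a guessed or reused password worked), and
    admin-account-created (the unauthorised account creation NCSC flags).
    """
    fails = defaultdict(lambda: defaultdict(int))  # remip -> user -> count
    findings = []
    for line in text.splitlines():
        ev = parse(line)
        ip, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if action == "ssl-login-fail":
            fails[ip][user] += 1
        elif action == "tunnel-up" and sum(fails[ip].values()) >= brute_attempts:
            findings.append(("success-after-failures", ip, user))
        elif action == "Add" and ev.get("cfgpath") == "system.admin":
            findings.append(("admin-account-created", ip, ev.get("cfgobj")))
    for ip, users in fails.items():
        if len(users) >= spray_users:
            findings.append(("password-spray", ip, len(users)))
        findings += [("brute-force", ip, u) for u, n in users.items() if n >= brute_attempts]
    return findings
```

The thresholds are deliberately low so the constructed sample trips them; on a real gateway they would be tuned against a baseline of normal failed-login volume and combined with a time window.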

The bottom line

This campaign is a reminder that the most common point of failure in cyber security is rarely the exotic, headline-grabbing exploit. It is the neglected basics: a reused password, an exposed login page, a missed update. The scale here - tens of thousands of devices, billions of automated attempts, AI-assisted operations rivalling nation-state tradecraft - shows that attackers no longer need sophistication when scale and persistence will do. For every organisation that relies on a firewall or VPN to secure its network (which is to say, nearly every organisation), the lesson is not 'switch vendors'. It is 'lock the front door properly, and check regularly that it is still locked'.
