Online Access Credentials for 87,000 Fortinet VPN Devices Hacked via Old Security Flaw

Fortinet VPN Credentials Leaked in Massive Breach

A threat actor has leaked login credentials for over 87,000 Fortinet VPN devices, allegedly compromised through a critical vulnerability discovered two years ago.

The compromised credentials, tied to the known Fortinet VPN vulnerability (CVE-2018-13379), expose businesses across 74 countries including the United States, France, India, Italy, Israel, and Taiwan.

Cybersecurity experts warn that this large-scale Fortinet SSL VPN hack leaves thousands of enterprises at risk, particularly those that failed to apply patches and reset their login credentials after mitigation.

Details of the FortiGate VPN Breach

Last week, approximately 500,000 FortiGate SSL-VPN device credentials surfaced online, giving cybercriminals potential access to critical systems worldwide. It is estimated that around 22,500 organizations were impacted, with nearly 3,000 victims located in the United States.

The stolen data originated from devices vulnerable to CVE-2018-13379, a path traversal flaw in the FortiOS SSL VPN web interface. Unauthenticated attackers could exploit this bug by sending specially crafted HTTP requests, allowing them to download system files containing user login details.

Fortinet’s Response to the Security Breach

According to Fortinet security advisory updates, even patched systems may remain vulnerable if administrators failed to enforce mandatory credential resets.

“Fortinet is reaffirming that, even if you have upgraded your devices, you must execute the suggested user password reset upon upgrading. Otherwise, if your users’ credentials were previously compromised, you may remain susceptible after the upgrade.” – Fortinet

Cybersecurity researchers also linked the leaked data to a member of the Groove ransomware gang, who allegedly uploaded the FortiGate SSL-VPN credentials as part of ongoing ransomware campaigns.

FortiOS Versions at Risk

Organizations still running vulnerable versions of FortiOS remain at high risk. Impacted builds include:

• FortiOS 5.4.13

• FortiOS 5.6.14

• FortiOS 6.0.11

• FortiOS 6.2.8 and earlier

Fortinet strongly advises enterprise users to immediately update to the latest FortiOS versions and reset all login credentials to prevent unauthorized access.

How to Protect Against Fortinet VPN Vulnerabilities

Enterprises using Fortinet SSL VPN devices should take immediate steps to secure their infrastructure. Recommended actions include:

1. Upgrade FortiOS software to secure versions (5.4.13, 5.6.14, 6.0.11, 6.2.8, or later).

2. Reset all user and admin passwords after applying patches.

3. Review VPN logs for suspicious login attempts.

4. Enable multi-factor authentication (MFA) to strengthen login security.

5. Implement continuous dark web monitoring to detect stolen Fortinet VPN credentials.

Why the Fortinet VPN Security Breach Matters

This attack highlights how old vulnerabilities continue to pose risks long after patches are released. Businesses that delay patch management or fail to enforce password resets remain exposed to significant cybersecurity threats, including:

• Ransomware attacks

• Unauthorized network access

• Corporate data theft

• Reputational damage and compliance fines

Conclusion

The Fortinet VPN credential leak linked to CVE-2018-13379 reinforces a critical lesson for all organizations: patching alone is not enough. IT managers, CISOs, and CEOs must ensure that patches are paired with mandatory password resets, access monitoring, and multi-layered security controls.

Staying ahead of vulnerabilities like this is key to preventing breaches and maintaining trust in enterprise systems.