The Australian Cyber Security Centre has issued a critical alert for organisations using Fortinet firewalls and VPN gateways, following reports of a widespread credential-based attack campaign known as FortiBleed.
For many Australian businesses, firewalls and VPNs are the front door into the network. If those systems are not properly maintained, patched, monitored, and protected with strong authentication, attackers may be able to gain access using stolen or weak credentials.
This is not something businesses should ignore.
What is FortiBleed?
FortiBleed refers to a reported campaign targeting Fortinet firewall and VPN devices. The concern is that attackers may be using exposed or previously compromised credentials to access internet-facing Fortinet systems.
Once an attacker has valid login details, they may not need to “hack” their way in. They can simply log in like a normal user or administrator.
That is what makes this type of attack so dangerous. Even if the firewall itself is not affected by a brand-new vulnerability, poor password hygiene, missing multi-factor authentication, outdated firmware, or exposed admin portals can still put the organisation at risk.
Why this matters for businesses
A firewall is not just another piece of IT equipment. It controls access between your business network and the outside world.
If a firewall or VPN gateway is compromised, an attacker may be able to:
- Access the business network remotely
- Change firewall or VPN settings
- Create new user accounts
- Disable or weaken security controls
- Monitor network traffic
- Use the device as a stepping stone into servers, files, email systems, or cloud services
- Attempt lateral movement through Active Directory or other internal systems
For small and medium businesses, this can quickly become a serious incident. A stolen firewall login can lead to data theft, ransomware, downtime, and expensive recovery work.
Fortinet says this is not a new vulnerability
Fortinet has stated that its initial analysis suggests this campaign is not related to a new Fortinet vulnerability or a recent advisory.
Instead, the activity appears to involve attackers reusing credentials from previous incidents and using brute-force techniques against devices with weak password practices or no multi-factor authentication.
In plain English, that means the issue may come down to exposed credentials, old passwords, weak passwords, unpatched systems, or poor firewall management practices.
That does not make the risk any less serious.
What should businesses do now?
If your organisation uses Fortinet firewalls or VPN services, the safest approach is to treat this as urgent and review your environment immediately.
Recommended actions include:
1. Reset admin and VPN passwords
All Fortinet administrator and VPN user passwords should be changed, especially for internet-facing systems.
This should include:
- Firewall administrator accounts
- VPN user accounts
- Local firewall users
- Shared or legacy accounts
- Any accounts that have not had a password change in a long time
Passwords should be unique, strong, and not reused anywhere else.
2. Enable multi-factor authentication
Multi-factor authentication should be enabled for administrator access and VPN users.
MFA helps reduce the risk of a stolen password being enough to access the network. It is one of the simplest and most effective protections businesses can put in place.
If VPN access does not currently require MFA, that should be treated as a priority.
3. Patch and update Fortinet devices
Fortinet devices should be updated to supported firmware versions.
Older firmware can expose businesses to known vulnerabilities and weaker security controls. Updates also help ensure newer protections, including stronger password hashing options, are available.
Before upgrading, businesses should follow proper change control, back up the firewall configuration, and confirm compatibility with their environment.
4. Check for unknown accounts or configuration changes
Businesses should review their firewall and VPN configuration carefully.
Look for:
- Unknown administrator accounts
- Unknown VPN users
- Suspicious account names
- Recent password resets
- New firewall policies
- New VPN portals or groups
- Changes to remote access settings
- Changes to security profiles
- Disabled logging or weakened security controls
If there is a known good backup configuration, compare the current configuration against it.
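One way to run that comparison, as an added example that is not from the original article or from Fortinet: it reads two text backups in FortiOS CLI syntax (`config` / `edit` / `next` / `end`) and lists entries that were added, removed or changed in the sections that hold administrators, local users and firewall policies. The watched section list and the sample backups are assumptions constructed for illustration.

```python
# Added example: section names follow FortiOS CLI syntax; the sample text is constructed.
WATCHED = ("system admin", "user local", "firewall policy")

def entries(config_text):
    """Return {section: {entry name: [body lines]}} for the watched sections."""
    found = {s: {} for s in WATCHED}
    section, name, depth = None, None, 0
    for line in map(str.strip, config_text.splitlines()):
        top = depth == 1                      # were we directly inside a section?
        if line.startswith("config "):
            depth += 1
            if depth == 1:                    # a new top-level section starts
                section, name = (line[7:] if line[7:] in WATCHED else None), None
        elif line == "end":
            depth -= 1
        if top and line.startswith("edit "):
            name = line[5:].strip('"')
            if section:
                found[section][name] = []
        elif top and line == "next":
            name = None
        elif depth >= 1 and section and name is not None and line:
            found[section][name].append(line)  # nested blocks stay in the body
    return found

def diff_configs(baseline, current):
    """List (change, section, entry) differences between two backups."""
    old, new = entries(baseline), entries(current)
    report = []
    for sec in WATCHED:
        for n in sorted(old[sec].keys() | new[sec].keys()):
            a, b = old[sec].get(n), new[sec].get(n)
            if a != b:
                kind = "added" if a is None else "removed" if b is None else "changed"
                report.append((kind, sec, n))
    return report

# Constructed sample backups (not real device output).
BASELINE = """config system admin
edit "admin"
set accprofile "super_admin"
set trusthost1 10.0.0.0 255.255.255.0
next
end"""
CURRENT = BASELINE.replace("set trusthost1 10.0.0.0 255.255.255.0\n", "").replace(
    "end", 'edit "svc-backup"\nset accprofile "super_admin"\nnext\nend')

if __name__ == "__main__":
    print(diff_configs(BASELINE, CURRENT))
```

On the sample pair this reports the existing `admin` entry as changed (its trusted-host restriction is gone) and `svc-backup` as an added administrator.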
5. Review firewall and authentication logs
Logs should be checked for suspicious activity.
Pay attention to:
- Admin logins from unknown IP addresses
- VPN logins from unusual countries or locations
- Failed login spikes
- Login attempts outside business hours
- New users being created
- Configuration changes
- Unexpected access to domain controllers or internal systems
If the Fortinet device integrates with Active Directory or LDAP, those credentials and related authentication logs should also be reviewed.
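The log checks listed above can be scripted. The following is an added example, not code from the original article or from Fortinet: it parses key=value event lines and flags failed-login spikes per source IP, successful logins from outside trusted networks, logins outside business hours, and a successful login from an address that also produced a spike. The field names (`date`, `time`, `user`, `srcip`, `action`, `status`), the trusted ranges, the hours and the threshold are assumptions to map onto your own export, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumptions for this added example: adjust ranges, hours and threshold to your site.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59, Monday to Friday
SPIKE = 5                       # failed logins from one source IP
NEEDED = {"date", "time", "user", "srcip", "status"}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: q or u for k, q, u in KV.findall(line)}

def review(lines):
    """Return sorted (finding, user, srcip) tuples for login events."""
    events = [e for e in map(parse, lines)
              if e.get("action") == "login" and NEEDED <= e.keys()]
    fails = Counter(e["srcip"] for e in events if e["status"] == "failed")
    findings = {("failed-login spike", "*", ip) for ip, n in fails.items() if n >= SPIKE}
    for e in events:
        if e["status"] != "success":
            continue
        ip, who = e["srcip"], e["user"]
        when = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED):
            findings.add(("login from untrusted IP", who, ip))
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            findings.add(("login outside business hours", who, ip))
        if fails[ip] >= SPIKE:  # counts all failures from this IP in the input
            findings.add(("success after failed-login spike", who, ip))
    return sorted(findings)

# Constructed sample lines (documentation IP ranges, not real log data).
SAMPLE = [f'date=2025-01-11 time=02:14:{s:02d} user="admin" srcip=198.51.100.7 '
          f'action="login" status="failed"' for s in range(6)] + [
    'date=2025-01-11 time=02:15:03 user="admin" srcip=198.51.100.7 action="login" status="success"',
    'date=2025-01-13 time=09:30:00 user="jsmith" srcip=10.1.2.3 action="login" status="success"',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep=" | ")
```

A "success after failed-login spike" finding is the one to escalate first, since it indicates a guessed or reused password that worked.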
6. Restrict firewall management access
Firewall management interfaces should not be exposed to the internet unless absolutely necessary.
Where possible, management access should be limited to trusted IP addresses, secure management networks, or VPN-only access.
A firewall admin portal that is open to the internet gives attackers more opportunity to attempt credential-based attacks.
The bigger lesson for businesses
This incident is a reminder that security is not just about buying a firewall.
A firewall still needs to be:
- Properly configured
- Regularly patched
- Protected with MFA
- Monitored for suspicious activity
- Backed up
- Reviewed after major security alerts
- Managed by people who understand the risks
Many businesses assume that having a firewall means they are protected. In reality, a poorly maintained firewall can become one of the biggest risks in the environment.
How Accel IT can help
Accel IT helps Australian businesses secure, manage, and monitor their IT environments, including firewalls, VPN access, Microsoft 365, endpoint security, backups, and user accounts.
If your business uses Fortinet or another firewall platform, we can assist with:
- Firewall security reviews
- VPN and MFA configuration
- Firmware update planning
- Log review and suspicious activity checks
- Admin access hardening
- Microsoft 365 and Active Directory security checks
- Backup and disaster recovery planning
- Ongoing managed IT support and monitoring
If you are unsure whether your firewall or VPN is exposed, now is the time to check.
Need help reviewing your firewall security?
If your business uses Fortinet firewalls or VPN access and you are not sure whether you are protected, contact Accel IT for a security review.
A quick review today can help prevent a much bigger problem tomorrow.
