
FortiBleed Shows Why Stolen Credentials Must Never Become a Master Key

June 25, 2026

FortiBleed is a clear warning for every organization that still depends on VPNs, perimeter devices, shared credentials, and broad administrative access to protect critical environments.

Global cybersecurity agencies have warned that attackers are targeting internet-facing Fortinet firewalls and VPN gateways using compromised credentials. The campaign, known as FortiBleed, reportedly involves leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and VPN gateways. Other reporting estimates the scope may be even higher, with researchers identifying more than 86,000 confirmed working credentials across 194 countries.

The most important point is that FortiBleed is not being described as a new Fortinet zero-day. Fortinet has said the activity is tied to credential harvesting, brute-force activity, and data from previous incidents rather than to a new vulnerability, a new advisory, or a recent incident on its side.

That makes the lesson even more important.

Attackers do not always need to exploit a new vulnerability. If they have valid credentials, they can simply log in.

What Makes FortiBleed So Concerning

FortiBleed appears to reflect a broader shift in attacker behavior: stolen identities are becoming the path of least resistance.

According to public reporting, researchers found evidence of password theft affecting Fortune 500 companies and government agencies across more than 15 countries. Hudson Rock described the scale as “staggering,” and Reuters reported that the campaign potentially gave attackers a way to penetrate deeper into affected organizations and steal data.

Agencies in the U.S., U.K., and Australia warned that attackers are actively targeting internet-facing Fortinet devices with compromised credentials, allowing them to bypass perimeter defenses and gain direct entry into enterprise networks.

This is what makes FortiBleed different from a traditional vulnerability story. The firewall is not simply the thing being attacked. It becomes the access path.

Once credentials work, attackers may be able to reach VPN portals, administrative interfaces, internal systems, Active Directory environments, and other high-value resources. That turns credential exposure into a breach-containment problem.

What CISA Told Organizations to Do

CISA’s guidance is direct. Impacted Fortinet customers should immediately:

  • Terminate active SSL VPN and administrative sessions. This comes first because a password reset does not invalidate a session that is already established.
  • Reset Fortinet VPN and administrative passwords.
  • Confirm secure credential storage using PBKDF2.
  • Review firewall, VPN, authentication, and domain-controller logs for logins that used the exposed credentials.
  • Enable phishing-resistant MFA.
  • Restrict firewall management interfaces from public internet access.
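The log-review step is the one most teams do by hand. The script below is an added example for this post, not code from CISA, Fortinet, or the original article: it triages SSL VPN event lines in the key="value" layout FortiGate uses and flags the two patterns a valid-credential campaign leaves behind, a source address that tries many accounts before one works, and any successful login by an account known to be in a leaked credential set. The sample lines and the leaked-user list are constructed, and the field names (action, user, remip) and the action values "ssl-login-fail" and "tunnel-up" are assumptions about that log format, not a specification; adjust them to match your own exports.

```python
"""Triage SSL VPN event logs for valid-credential abuse.

Added example accompanying the CISA log-review step; not code from the
original post, CISA or Fortinet.  Log lines are constructed in the
key="value" style FortiGate uses for event logs.  Field names and the
action values are assumptions about that format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source sprays three accounts, fails, then logs in
# as "svc-backup", whose password is on a leaked-credential list.
SAMPLE_LOG = """\
date=2026-06-20 time=08:01:12 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip="198.51.100.7"
date=2026-06-20 time=08:01:19 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip="198.51.100.7"
date=2026-06-20 time=08:01:25 type="event" subtype="vpn" action="ssl-login-fail" user="carol" remip="198.51.100.7"
date=2026-06-20 time=08:02:03 type="event" subtype="vpn" action="tunnel-up" user="svc-backup" remip="198.51.100.7"
date=2026-06-20 time=09:15:40 type="event" subtype="vpn" action="tunnel-up" user="alice" remip="203.0.113.44"
date=2026-06-20 time=09:16:02 type="event" subtype="vpn" action="ssl-login-fail" user="dave" remip="192.0.2.9"
"""

# Constructed: usernames that appeared in a leaked credential dump.
LEAKED_USERS = {"svc-backup", "dave"}

# key=value pairs; values are either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value event line into a dict with a parsed timestamp."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    fields["ts"] = datetime.strptime(
        f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S"
    )
    return fields


def triage(log_text, leaked_users, spray_threshold=3):
    """Return {rule_name: sorted evidence} for rules that fired.

    Events are processed in time order so that a success only counts as
    "after spray" when the failed attempts from that source preceded it.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    fails_by_ip = defaultdict(set)     # remip -> distinct accounts that failed
    findings = defaultdict(list)

    for e in events:
        if e.get("subtype") != "vpn":
            continue
        ip, user = e["remip"], e["user"]
        if e["action"] == "ssl-login-fail":
            fails_by_ip[ip].add(user)
            # Fires once per source, when it crosses the distinct-account threshold.
            if len(fails_by_ip[ip]) == spray_threshold:
                findings["spray_source"].append(ip)
        elif e["action"] == "tunnel-up":
            # A working credential from a spraying source: kill the session, reset.
            if len(fails_by_ip[ip]) >= spray_threshold:
                findings["success_after_spray"].append(f"{user}@{ip}")
            # Any success by a leaked account needs reset plus session termination.
            if user in leaked_users:
                findings["leaked_account_logged_in"].append(user)

    return {rule: sorted(hits) for rule, hits in findings.items()}


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG, LEAKED_USERS).items():
        print(f"{rule}: {hits}")
```

Run against your own exported event logs, the `leaked_account_logged_in` list is the set of accounts whose sessions must be terminated before the password reset is considered complete, and `success_after_spray` is the evidence that a credential did not merely leak but was used.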

Those steps are essential. But they are still mostly emergency hardening.

The bigger strategic question is this:

What happens the next time credentials are stolen?

If a stolen VPN or administrator credential can still provide broad access to the network, then the organization has not solved the underlying problem. It has only reset the clock.

The Bigger Lesson: Credentials Still Have Too Much Power

FortiBleed shows the weakness of perimeter-based access models.

A VPN credential should not allow broad internal access.
An admin credential should not unlock entire environments.
A third-party account should not see systems outside its scope.
A compromised identity should not enable lateral movement.
A firewall or VPN should not become a master key to the enterprise.

This is exactly why organizations are moving toward Zero Trust.

Zero Trust assumes credentials can be stolen. It assumes networks can be compromised. It assumes attackers may already be inside. Then it limits every identity, every session, every application, and every machine-to-machine connection to only what is explicitly authorized.
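What "only what is explicitly authorized" means in practice is a deny-by-default decision at the access broker. The function below is an added example of that principle, not code from the original post or from Xage: every request is denied unless a rule names the requester's role, the exact target, and the protocol, the session was authenticated with a phishing-resistant method, and, for privileged targets, an unexpired just-in-time grant exists. The role names, hostnames, protocol labels, and the choice of FIDO2 and PIV as the phishing-resistant methods are illustrative assumptions, not anything the page specifies.

```python
"""Deny-by-default access decision for a Zero Trust access broker.

Added example for the Zero Trust principle discussed above; not code
from the original post or from Xage.  Policy schema, roles, hostnames
and MFA labels are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Authentication methods the broker treats as phishing-resistant (assumed set).
PHISHING_RESISTANT = {"fido2", "piv"}


@dataclass(frozen=True)
class Rule:
    role: str
    resource: str          # exact hostname; there is deliberately no "any"
    protocols: frozenset   # protocols the role may use on that resource
    jit: bool = False      # privileged target: needs an unexpired JIT grant


@dataclass
class Request:
    user: str
    roles: set
    resource: str
    protocol: str
    mfa_method: Optional[str]     # None = password only (e.g. replayed stolen credential)
    now: datetime
    jit_grants: dict = field(default_factory=dict)   # resource -> expiry


# Illustrative policy: a vendor may RDP to one HMI; a network admin may reach
# one firewall over SSH/HTTPS, but only inside an approved JIT window.
POLICY = [
    Rule("vendor-hvac", "hmi-plant-a", frozenset({"rdp"})),
    Rule("netadmin", "fw-edge-01", frozenset({"ssh", "https"}), jit=True),
]


def decide(req, policy=POLICY):
    """Return (allowed, reason).  Anything not explicitly allowed is denied."""
    if req.mfa_method not in PHISHING_RESISTANT:
        return False, "no phishing-resistant MFA: a password alone is not an identity"
    reasons = []
    for rule in policy:
        if rule.role not in req.roles or rule.resource != req.resource:
            continue
        if req.protocol not in rule.protocols:
            reasons.append(f"{req.protocol} not allowed on {req.resource} for {rule.role}")
            continue
        if rule.jit:
            expiry = req.jit_grants.get(req.resource)
            if expiry is None or expiry <= req.now:
                reasons.append(f"no active just-in-time grant for {req.resource}")
                continue
        return True, f"allowed by role {rule.role}"
    return False, "; ".join(reasons) or f"{req.resource} is not in scope for {sorted(req.roles)}"


def demo(now=None):
    """Evaluate the scenarios from the text; returns {name: (allowed, reason)}."""
    now = now or datetime(2026, 6, 25, 9, 0, 0)
    fresh = {"fw-edge-01": now + timedelta(minutes=30)}
    stale = {"fw-edge-01": now - timedelta(minutes=5)}
    cases = {
        "stolen password, no MFA": Request("alice", {"vendor-hvac"}, "hmi-plant-a", "rdp", None, now),
        "vendor, in scope": Request("alice", {"vendor-hvac"}, "hmi-plant-a", "rdp", "fido2", now),
        "vendor, wrong protocol": Request("alice", {"vendor-hvac"}, "hmi-plant-a", "ssh", "fido2", now),
        "vendor, out of scope": Request("alice", {"vendor-hvac"}, "dc01", "ldap", "fido2", now),
        "admin, expired grant": Request("bob", {"netadmin"}, "fw-edge-01", "ssh", "fido2", now, stale),
        "admin, active grant": Request("bob", {"netadmin"}, "fw-edge-01", "ssh", "fido2", now, fresh),
    }
    return {name: decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```

The first scenario is the FortiBleed case: the attacker holds a valid password, and the decision still fails before any rule is consulted because the session lacks a phishing-resistant factor. The other denials show the same credential being useless outside its scope, on a protocol it was never granted, or after a just-in-time window has closed.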

How Xage Security Zero Trust Identity Fabric Helps

Xage Security Zero Trust Identity Fabric helps organizations reduce the risk exposed by FortiBleed by making stolen credentials far less useful.

Instead of relying on broad VPN access, jump boxes, shared credentials, and implicit network trust, Xage enforces identity-based Zero Trust controls across users, vendors, administrators, machines, applications, OT systems, AI agents and apps, cloud resources, data centers, and critical infrastructure.

With Xage, organizations can:

  • Replace VPNs and jump boxes with Zero Trust secure remote access.
  • Enforce phishing-resistant MFA, SSO, role-based access, just-in-time access, and just-enough access.
  • Limit each user, administrator, or vendor to only the specific systems they are authorized to access.
  • Restrict which applications, protocols, and resources a user can use.
  • Hide unauthorized systems from users and attackers.
  • Eliminate or reduce shared credentials.
  • Protect, rotate, and orchestrate privileged credentials.
  • Record privileged sessions and tie every action to a verified identity.
  • Maintain tamperproof audit logs for compliance and forensics.
  • Microsegment with defense-in-depth.
  • Prevent lateral movement with user-to-machine, user-to-application, and machine-to-machine controls.
  • Reduce attack surface by removing broad network access and unnecessary exposure.

The key point is simple: Xage reduces the value of a stolen credential by rotating privileged credentials so that a captured secret quickly stops working, and even if a credential is used before it rotates, Xage limits what that credential can do.

A compromised account should not be able to see the whole network. It should not be able to reach unrelated systems. It should not be able to use unauthorized protocols. It should not be able to move laterally from a remote access gateway into critical infrastructure. And it should not be able to make privileged changes without policy enforcement, verification, monitoring, and auditability.

From Credential Reset to Zero Trust Control

CISA’s FortiBleed guidance is the right immediate response: reset credentials, terminate sessions, harden credential storage, review logs, enforce phishing-resistant MFA, and lock down public management access.

But the long-term answer is not just better password hygiene.

Organizations need an access architecture that assumes credentials may be stolen and still prevents those credentials from becoming a path to enterprise-wide compromise.

FortiBleed should be a wake-up call.

Stolen credentials should never become a master key.

Xage Security Zero Trust Identity Fabric helps make sure they are not.