
Security Alert - FortiBleed Credential Leak Incident: Over 70,000 Fortinet Devices Suspected to Be Affected by Data and Credential Exposure, Hong Kong Organisations May Be Affected

Release Date: 18 Jun 2026

Type: Malware

Security Alert

Current Status and Related Trends

HKCERT alerts organisations to a recent credential leakage incident known as FortiBleed. The incident involves the exposure of data and credentials related to Fortinet firewalls and VPN devices.

 

According to recent threat intelligence and media reports, attackers are suspected to have obtained a large number of valid login credentials for Fortinet devices. These credentials may be used to gain unauthorised access to affected organisations’ devices and internal networks. Research also suggests that attackers may be conducting automated testing using previously leaked usernames and passwords to identify Fortinet credentials that remain valid. In some cases, the management interfaces of affected devices are directly exposed to the Internet, further increasing the risk of compromise.

 

If attackers successfully gain access to such devices, they may use them to further access the organisation’s internal network, conduct lateral movement, steal additional account information, modify system settings, or deploy malware, ransomware, or other backdoors on internal systems. This may pose further risks to business operations and information security.

 

The incident is reported to affect devices in more than 194 countries, and the leaked data may involve approximately 74,000 Fortinet devices. Based on publicly available information, some organisations in Hong Kong may also be affected.

HKCERT urges all organisations using Fortinet firewalls and VPN-related devices to review their risk exposure immediately. Organisations may also check whether their domain appears in the relevant dataset through the following website to assess whether they may be affected by the data leakage incident:

     

HKCERT recommends that organisations take the following actions:

• Check immediately whether their organisation’s domain(s) appear on the affected list via the above website
• Change the passwords of all Fortinet administrator accounts and VPN accounts immediately
• Check whether the same passwords have been reused on other systems and change them as appropriate
• Enable multi-factor authentication for all administrative and remote access accounts
• Review login records, audit logs and configuration change records for any abnormal activity
• Avoid exposing management interfaces directly to the Internet, and restrict administrative access by IP allowlisting or other access control measures
• Activate incident response procedures immediately if any unauthorised access is suspected

     

If an organisation suspects that data relating to its Fortinet devices has been exposed, it should immediately:

• Change the passwords of all relevant administrator, VPN and privileged accounts
• Invalidate existing login sessions and rotate any potentially affected credentials
• Check for abnormal logins, newly created accounts, or unauthorised configuration changes
• Isolate affected devices where necessary, and investigate whether the internal network has been compromised
• Preserve relevant logs and evidence for further analysis and reporting
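
One way to carry out the log review recommended in the two lists above, as an added example (not HKCERT's or Fortinet's code): a Python triage over exported device event logs that flags successful administrator logins from outside an allowlist, newly created administrator accounts, and configuration changes made from outside the allowlist. The key=value field names (`ui`, `action`, `status`, `cfgpath`, `cfgobj`), the allowlist network and the sample lines are assumptions constructed for illustration; check them against your own device's log export.

```python
import ipaddress
import re

# Assumption: administrative access is only expected from this management network.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in an assumed key=value event log layout (not real data).
SAMPLE_LOG = '''\
date=2026-06-10 time=09:01:12 type="event" subtype="system" user="admin" ui="https(10.20.0.15)" action="login" status="success" msg="Administrator admin logged in successfully from https(10.20.0.15)"
date=2026-06-11 time=03:12:44 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.7)"
date=2026-06-11 time=03:14:02 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2026-06-11 time=03:15:30 type="event" subtype="system" user="admin" ui="https(203.0.113.7)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
date=2026-06-11 time=03:20:00 type="event" subtype="system" user="root" ui="ssh(198.51.100.9)" action="login" status="failed" msg="Administrator root login failed from ssh(198.51.100.9)"
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value log line into a dict, handling quoted values."""
    return {k: (q if q else b) for k, q, b in KV.findall(line)}

def source_ip(event):
    """Extract the client address from a ui field such as https(203.0.113.7)."""
    m = re.search(r"\(([^)]+)\)", event.get("ui", ""))
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:  # ui value carries no parseable IP address
        return None

def triage(log_text, allowlist=ADMIN_ALLOWLIST):
    """Return (timestamp, finding, detail) tuples for events worth reviewing."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse_line(line)
        ip = source_ip(ev)
        outside = ip is not None and not any(ip in net for net in allowlist)
        when = f'{ev.get("date")} {ev.get("time")}'
        action = ev.get("action", "").lower()
        if action == "login" and ev.get("status") == "success" and outside:
            findings.append((when, "admin-login-outside-allowlist", f'{ev.get("user")}@{ip}'))
        elif action == "add" and ev.get("cfgpath") == "system.admin":
            findings.append((when, "new-admin-account", ev.get("cfgobj")))
        elif action in ("add", "edit", "delete") and outside:
            findings.append((when, "config-change-outside-allowlist", ev.get("cfgpath")))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A new administrator account is reported regardless of source address, since account creation during the exposure window warrants review even when it originates from the management network.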

     

Businesses or members of the public who wish to report to HKCERT on information security related incidents such as malware, phishing, denial of service attacks, etc. can do so by completing the online form at: https://www.hkcert.org/incident-reporting, or calling the 24-hour hotline at +852 8105 6060. For further enquiries, please contact HKCERT at [email protected].
