75,000 Fortinet Devices Targeted in Credential Abuse Campaign Affecting Organizations Worldwide

Researchers say a credential abuse campaign targeted tens of thousands of Fortinet devices, potentially exposing government and enterprise networks worldwide.
Researchers say attackers targeted approximately 75,000 Fortinet firewall and VPN devices using stolen credentials, potentially affecting organizations across more than 15 countries. Credit: Fortinet.

A large-scale cyberattack campaign has reportedly targeted nearly 75,000 Fortinet firewall and VPN devices across more than 15 countries, raising concerns about the exposure of government agencies and major enterprises that rely on the technology to secure remote access and internal networks.

According to security researchers cited in recent reports, attackers leveraged stolen credentials and password abuse techniques to gain access to internet-facing Fortinet systems rather than exploiting a newly discovered software vulnerability.

The campaign allegedly affected organizations across multiple sectors, including government and critical business operations, with impacted devices concentrated primarily in the United States, India, and Taiwan.

Thousands of internet-facing devices exposed

Researchers reported that approximately 75,000 Fortinet appliances fell within the scope of the campaign. The targeted devices included firewalls and VPN gateways commonly used by organizations to protect corporate networks and provide remote access for employees.

Hudson Rock, a cybersecurity firm that tracks cybercriminal activity and infostealer malware infections, reportedly identified a large number of exposed credentials associated with Fortinet systems.

The company said the attacks extended across multiple industries and government sectors, increasing the risk that threat actors could gain unauthorized access to sensitive information, internal systems, or administrative functions.

Several affected credentials were allegedly linked to government organizations, including accounts associated with public sector entities in Puerto Rico and other jurisdictions.

The disclosure also follows reports of continued targeting of internet-facing Fortinet infrastructure. Earlier this month, BreachNews reported on an alleged compromise involving Argentine Army Fortinet SSL VPN infrastructure, highlighting the ongoing interest threat actors have in remote access systems used by government and enterprise organizations.

Fortinet says no new vulnerability involved

Fortinet acknowledged the activity but stated that the campaign was not tied to any newly discovered security flaw in its products.

According to the company, attackers appear to be relying on previously leaked credentials, password reuse, and automated password guessing techniques to gain access to exposed systems.

Credential stuffing attacks remain one of the most common methods used against VPN and firewall appliances, particularly when organizations fail to rotate passwords after employee credentials are exposed through infostealer malware infections or unrelated third-party breaches.

The campaign follows a series of attacks targeting internet-facing enterprise infrastructure. Earlier this month, BreachNews reported on active exploitation of a Check Point VPN vulnerability and growing efforts by threat actors to gain initial access through remote access technologies.

Researchers identify potential criminal links

Security researcher Bob Diachenko reportedly discovered data associated with the campaign on an exposed internet server, providing additional visibility into the scale of the operation.

Technical analysis of the infrastructure allegedly uncovered scripts and tooling containing Russian-language elements. While such indicators do not definitively identify the operators, researchers noted they may suggest links to Russian-speaking cybercriminal groups.

No threat actor has publicly claimed responsibility for the campaign, and attribution remains unconfirmed.

Password security remains a critical weakness

The incident highlights a growing trend in which attackers increasingly rely on stolen credentials rather than software exploits to compromise enterprise environments.

Credential theft continues to be a major source of enterprise compromises. BreachNews recently covered a large-scale credential theft campaign identified by Cisco Talos, highlighting the increasing role stolen credentials play in modern intrusions.

Security experts recommend organizations enforce multi-factor authentication on all remote access systems, disable unused accounts, rotate credentials exposed in third-party breaches, and continuously monitor authentication logs for suspicious activity.
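The log-monitoring recommendation above can be sketched as a small detector. This is an added example, not code from the article, the researchers, or Fortinet. The key=value log layout, the field names (`ts`, `srcip`, `user`, `status`) and the sample events are constructed assumptions, and events are assumed to arrive in time order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a generic key=value layout (assumed field names);
# adapt parse() to the real log schema of your appliance.
SAMPLE_LOG = """\
ts=2025-01-10T03:00:01 srcip=203.0.113.7 user="alice" status=failed
ts=2025-01-10T03:00:03 srcip=203.0.113.7 user="bob" status=failed
ts=2025-01-10T03:00:05 srcip=203.0.113.7 user="carol" status=failed
ts=2025-01-10T03:00:09 srcip=203.0.113.7 user="dave" status=success
ts=2025-01-10T09:12:00 srcip=198.51.100.20 user="erin" status=failed
ts=2025-01-10T09:12:30 srcip=198.51.100.20 user="erin" status=success
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value line into a dict, accepting quoted or bare values."""
    return {k: (q if q else u) for k, q, u in PAIR.findall(line)}

def detect(log_text, window=timedelta(minutes=5), min_users=3):
    """Flag sources that fail logins for >= min_users distinct accounts within
    `window`, and record any account that then logs in from the same source."""
    failures = defaultdict(list)  # srcip -> [(time, user)] inside the window
    findings = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse(line)
        if not {"ts", "srcip", "user", "status"} <= ev.keys():
            continue  # skip lines missing a required field
        t, ip = datetime.fromisoformat(ev["ts"]), ev["srcip"]
        # Drop failures that have aged out of the sliding window.
        recent = [(ft, u) for ft, u in failures[ip] if t - ft <= window]
        failures[ip] = recent
        if ev["status"] == "failed":
            recent.append((t, ev["user"]))
        users = {u for _, u in recent}
        if len(users) >= min_users:
            hit = findings.setdefault(ip, {"users_failed": [], "then_succeeded": []})
            hit["users_failed"] = sorted(set(hit["users_failed"]) | users)
            # A success right after a multi-account failure burst deserves review.
            if ev["status"] == "success" and ev["user"] not in hit["then_succeeded"]:
                hit["then_succeeded"].append(ev["user"])
    return findings

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A single user mistyping a password and then succeeding (the `erin` events) is not flagged; only the source cycling through several accounts is.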

While there is currently no evidence that Fortinet itself was breached, the campaign demonstrates how previously compromised credentials can provide attackers with a pathway into otherwise well-protected networks.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
