Back to news
Cybersecurity Alert
June 19, 2026 by EmailMeNow IT Consulting

NCSC Alert: Global Fortinet Firewall and VPN Gateway Campaign — What U.S. Organizations Should Do Now

The UK NCSC warns organizations using Fortinet edge devices to check for FortiBleed credential leaks, isolate compromised firewalls, and factory-reset before re-commissioning with MFA and PBKDF2.

Source: UK National Cyber Security Centre (NCSC)

CybersecurityFortinetVPNNetwork SecurityTexas
Cybersecurity alert about Fortinet firewall and VPN gateway targeting

The UK National Cyber Security Centre (NCSC) published an alert on June 18, 2026 urging organizations using Fortinet firewalls and VPN gateways to investigate whether they were caught in a global credential-stuffing campaign. TechCrunch separately reported that tens of thousands of Fortinet devices worldwide may have been compromised.

Read the original NCSC alert:
https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways

What Happened

Threat actors conducted brute-force, dictionary, and credential-stuffing attacks against internet-facing FortiGate SSL VPN portals. A database of stolen credentials was subsequently leaked — meaning passwords reused from other breaches may have unlocked VPN and management interfaces.

Credential stuffing works when employees reuse the same username and password across services. A password stolen from an unrelated breach can unlock your VPN if MFA is not enforced.

Who Is Affected

Any organization running Fortinet edge devices with SSL VPN enabled should treat this as an active investigation priority — including law firms, healthcare providers, financial advisors, and local government agencies that rely on FortiGate appliances for remote access.

NCSC recommends checking your domains against public FortiBleed asset checkers (SOCRadar and Hudson Rock publish tools referenced in the alert).

Priority Actions

  1. Confirm device ownership — verify any FortiGate hostnames discovered by FortiBleed checkers belong to your organization.
  2. Hunt for compromise — look for unauthorized account creation, unexpected configuration changes, and anomalous VPN logins.
  3. Isolate if compromised — disconnect the device from the internet and internal networks immediately.
  4. Factory reset — changing passwords alone may not remove attacker persistence; reset to factory defaults after preserving logs and configs for investigation.
  5. Investigate lateral movement — review systems reachable from the compromised firewall and monitor logs for follow-on activity.
  6. Harden before re-commissioning:
    • Do not expose management interfaces to the internet.
    • Patch to the latest supported firmware.
    • Replace default or reused administrator passwords.
    • Enforce MFA on all VPN and admin logins.
    • Enable PBKDF2 for administrator password hashing and force all admins to re-authenticate.

Why Texas Businesses Should Care

Fortinet appliances are common in mid-market and enterprise networks. A compromised VPN gateway is often the first step in business email compromise, ransomware deployment, and data exfiltration — the same incident patterns we track in Texas OAG breach reports and law firm breach summaries.

Remote-access appliances are only as strong as your email authentication and MFA posture across the organization. If attackers obtain VPN access, they can pivot to Microsoft 365, client portals, and wire-transfer workflows.


Protect your organization.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com to review DMARC, SPF, DKIM, and transport security — and contact EmailMeNow IT Consulting for VPN hardening, MFA rollout, and incident response planning.


Source: NCSC — Advice following global targeting of Fortinet firewalls and VPN gateways