The UK National Cyber Security Centre (NCSC) published an alert on June 18, 2026 urging organizations using Fortinet firewalls and VPN gateways to investigate whether they were caught in a global credential-stuffing campaign. TechCrunch separately reported that tens of thousands of Fortinet devices worldwide may have been compromised.
Read the original NCSC alert:
https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways
What Happened
Threat actors conducted brute-force, dictionary, and credential-stuffing attacks against internet-facing FortiGate SSL VPN portals. A database of stolen credentials was subsequently leaked — meaning passwords reused from other breaches may have unlocked VPN and management interfaces.
Credential stuffing works when employees reuse the same username and password across services. A password stolen from an unrelated breach can unlock your VPN if MFA is not enforced.
Who Is Affected
Any organization running Fortinet edge devices with SSL VPN enabled should treat this as an active investigation priority — including law firms, healthcare providers, financial advisors, and local government agencies that rely on FortiGate appliances for remote access.
NCSC recommends checking your domains against public FortiBleed asset checkers (SOCRadar and Hudson Rock publish tools referenced in the alert).
Priority Actions
- Confirm device ownership — verify any FortiGate hostnames discovered by FortiBleed checkers belong to your organization.
- Hunt for compromise — look for unauthorized account creation, unexpected configuration changes, and anomalous VPN logins.
- Isolate if compromised — disconnect the device from the internet and internal networks immediately.
- Factory reset — changing passwords alone may not remove attacker persistence; reset to factory defaults after preserving logs and configs for investigation.
- Investigate lateral movement — review systems reachable from the compromised firewall and monitor logs for follow-on activity.
- Harden before re-commissioning:
- Do not expose management interfaces to the internet.
- Patch to the latest supported firmware.
- Replace default or reused administrator passwords.
- Enforce MFA on all VPN and admin logins.
- Enable PBKDF2 for administrator password hashing and force all admins to re-authenticate.
Why Texas Businesses Should Care
Fortinet appliances are common in mid-market and enterprise networks. A compromised VPN gateway is often the first step in business email compromise, ransomware deployment, and data exfiltration — the same incident patterns we track in Texas OAG breach reports and law firm breach summaries.
Remote-access appliances are only as strong as your email authentication and MFA posture across the organization. If attackers obtain VPN access, they can pivot to Microsoft 365, client portals, and wire-transfer workflows.
Related trackers
- Texas OAG YTD dashboard
- Healthcare AG breach tracker
- Law firm breach tracker
- Financial services tracker
- Monitoring guide
- Washington healthcare breaches (2026)
- Washington law firm breaches (2026)
- CA June roundup
- TX July roundup
- WA May roundup
- TX Parks breach
- Have I Been Pwned
- HIBP July roundup
- All trackers
Protect your organization.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com to review DMARC, SPF, DKIM, and transport security — and contact EmailMeNow IT Consulting for VPN hardening, MFA rollout, and incident response planning.
Source: NCSC — Advice following global targeting of Fortinet firewalls and VPN gateways