CISA has issued an urgent alert regarding a global cyber incident, dubbed 'FortiBleed,' involving the exposure of approximately 74,000 Fortinet device credentials. Malicious actors are using these compromised credentials to target internet-accessible Fortinet devices in government and private sector organizations. CISA strongly recommends immediate actions for affected customers, including terminating all sessions, resetting passwords with strong policies, enabling phishing-resistant multifactor authentication, reviewing logs for suspicious activity, and restricting management interface access.
Effective date
2026-06-18
Action required
Impacted Fortinet customers must immediately terminate active SSL VPN and administrative sessions, reset all Fortinet VPN and administrative passwords, ensure secure credential storage, review logs, enable phishing-resistant MFA, and reduce the attack surface by locking down management access.
Binding status
advisory
Governing body
Cybersecurity and Infrastructure Security Agency
Direction
clarifying
Innovation impact
neutral
Compliance requirements
Audit requirements
- Review firewall, VPN, authentication, and domain controller logs for lateral movement, unusual access, suspicious accounts, or unauthorized configuration changes.
Affected industries
Affected roles
"To defend against this malicious cyber activity, CISA urges impacted Fortinet customers with FortiGate appliances and associated secure sockets layer (SSL) VPN gateways to immediately: Terminate sessions and reset credentials."
Enriched 2026-06-18
Stay informed
Get daily intelligence briefs on this and related regulatory developments.