FortiBleed: FortiGate Devices Turned into Credential-Harvesting Points in Large-Scale Campaign

Firewalls are often treated as the first line of defence. They control traffic, enforce access rules and protect the edge of the enterprise network. But when an edge security device is misconfigured, exposed or operated with weak credentials, it can become something much more dangerous: a credential collection point.

That is the core lesson from FortiBleed, a large-scale credential-harvesting campaign targeting Fortinet FortiGate firewalls and VPN gateways. According to reports based on SOCRadar’s research, the operation targeted more than 430,000 FortiGate devices and involved the processing of more than 110 million credentials across different authentication flows.

The campaign does not appear to be a classic “new firewall zero-day” story. Fortinet has stated that the reported activity is not tied to a current product vulnerability or advisory. Instead, the company links the issue to exposed services, weak passwords, previously leaked credentials, credential stuffing and the absence of multi-factor authentication.

That distinction matters. FortiBleed shows that attackers do not always need a fresh exploit when the edge is already reachable, poorly protected or carrying reusable credentials. A firewall or VPN appliance sits in a privileged position. It sees authentication attempts, remote access flows, internal service connections and sometimes sensitive protocol exchanges. If compromised, that device can offer visibility into identity traffic as well as network traffic.

The reported attack chain is straightforward but effective. Threat actors identify exposed FortiGate systems, attempt credential stuffing or brute-force access, gain control where weak credentials are present, and then use sniffing mechanisms to capture traffic passing through compromised devices. Reports reference the collection of data linked to protocols and identity mechanisms such as RADIUS, NTLM, Kerberos and database authentication flows.

From an enterprise risk perspective, the issue is not limited to one firewall appliance. Harvested credentials can be reused against VPN portals, Active Directory environments, internal applications, cloud services and partner-managed infrastructure. This is why MSPs, MSSPs, IT service providers, public sector organisations, manufacturers, telecom operators, financial institutions and defence-related environments should treat the campaign seriously.

The business impact can be significant. A compromised edge device may support lateral movement, domain compromise, customer-environment access, data theft or downstream compromise through managed service relationships. For organisations that centralise remote access through firewall and VPN infrastructure, credential exposure at the edge can quickly become an identity-layer incident.

Immediate response should start with exposure review. Organisations should identify internet-facing FortiGate management and VPN services, restrict administrative access, enforce MFA, rotate administrator and VPN credentials, and review failed and successful login activity. Firmware should also be kept current, even if this campaign is not being presented as a new zero-day.

Detection should focus on abnormal login patterns, repeated authentication failures, suspicious SSH access, unexpected diagnostic or packet capture activity, and unusual traffic from firewall management interfaces. Where possible, FortiGate logs should be forwarded into a central telemetry pipeline for correlation with identity, VPN and endpoint activity.
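To make the detection points above concrete, here is an added example (not code from the article, SOCRadar or Fortinet) that runs three simple rules over constructed FortiGate-style key=value event lines: repeated login failures with many usernames from one source, a success following a burst of failures from the same source, and an admin session executing a packet-capture command. The field names (`srcip`, `action`, `status`, `msg`) and the sample lines are assumptions modelled loosely on FortiOS event logs, not captured data.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: loosely modelled on FortiGate key=value event logs).
SAMPLE_LOGS = [
    'date=2024-05-01 time=08:00:01 type="event" logdesc="Admin login failed" user="admin" ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed"',
    'date=2024-05-01 time=08:00:03 type="event" logdesc="Admin login failed" user="jsmith" ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed"',
    'date=2024-05-01 time=08:00:05 type="event" logdesc="Admin login failed" user="vpnadmin" ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="login" status="failed"',
    'date=2024-05-01 time=08:00:09 type="event" logdesc="Admin login successful" user="vpnadmin" ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="login" status="success"',
    'date=2024-05-01 time=08:01:30 type="event" logdesc="Command executed" user="vpnadmin" ui="ssh(198.51.100.7)" srcip=198.51.100.7 action="execute" msg="User vpnadmin executed command: diagnose sniffer packet any"',
    'date=2024-05-01 time=09:10:00 type="event" logdesc="Admin login failed" user="admin" ui="https(203.0.113.20)" srcip=203.0.113.20 action="login" status="failed"',
    'date=2024-05-01 time=09:10:20 type="event" logdesc="Admin login successful" user="admin" ui="https(203.0.113.20)" srcip=203.0.113.20 action="login" status="success"',
    'date=2024-05-01 time=09:30:00 type="event" logdesc="Admin login successful" user="alice" ui="https(192.0.2.9)" srcip=192.0.2.9 action="login" status="success"',
]

# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}

def analyse(lines, fail_threshold=3):
    """Apply the three rules; returns a dict of alert lists keyed by rule name."""
    fails = defaultdict(list)  # srcip -> usernames that failed to log in
    alerts = {"stuffing": [], "fail_then_success": [], "capture": []}
    for e in (parse_kv(l) for l in lines):
        src, user = e.get("srcip", "?"), e.get("user", "?")
        if e.get("action") == "login":
            if e.get("status") == "failed":
                fails[src].append(user)
            # A success from a source that just produced a burst of failures is
            # the classic credential-stuffing "hit" and deserves its own alert.
            elif e.get("status") == "success" and len(fails[src]) >= fail_threshold:
                alerts["fail_then_success"].append((src, user))
        # Packet capture launched from an admin session on the edge device.
        if e.get("action") == "execute" and "diagnose sniffer" in e.get("msg", ""):
            alerts["capture"].append((src, user))
    for src, users in fails.items():
        if len(users) >= fail_threshold:  # (source, total failures, distinct usernames)
            alerts["stuffing"].append((src, len(users), len(set(users))))
    return alerts

if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE_LOGS).items():
        print(rule, hits)
```

In production the same rules would run on a sliding time window in the central pipeline rather than over a whole file, and the threshold would be tuned per management interface.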

FortiBleed is a practical reminder that firewall security is no longer only about packet filtering or policy hygiene. Edge devices now sit at the intersection of identity, remote access and internal network visibility. If that layer is weak, the firewall can shift from being a control point to becoming a credential-harvesting platform.

The takeaway is simple: harden the edge, enforce MFA, monitor authentication flows, rotate exposed credentials and treat firewall telemetry as a critical part of the security operations stack.