
Tens of thousands of Fortinet firewalls allegedly hacked in global corporate breach

TechCrunch, 13 h ago

Network cables illuminated in blue in a server room. Photo: Brett Sayles / Pexels

Cybercriminals claim to have breached tens of thousands of Fortinet firewalls used by major companies around the world, TechCrunch reports. The claim surfaced on an underground forum; if confirmed, the incident would be one of the largest corporate security breaches of recent years.

Fortinet, along with Cisco and Palo Alto Networks, is one of the top three players in the enterprise firewall market. Its FortiGate hardware lines are deployed across a wide range of institutions, from banks to universities, government agencies to broadcasters. The company's latest report cites more than 700,000 active devices worldwide.

The claim comes from an actor calling itself the "Belsen Group" on the underground forum. The group says it exploited a vulnerability in certain versions of the FortiOS operating system to extract credentials from 87,000 devices. A sample file released includes IP addresses, administrator usernames and VPN configuration data.

Fortinet told TechCrunch it is "reviewing the reports and contacting affected customers". The company said the leak may be linked to a CVE patched in 2024, meaning that devices that have not been updated are at risk. Whether any fully patched devices are also affected is not yet clear.

Experts say that if the breach is confirmed, the impact will not be limited to data loss. Firewalls usually sit at an organisation's network entry point; a compromised firewall can be used as a stepping-stone to internal servers, email systems and databases. The second-stage attack is what makes this dangerous.

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to immediately audit FortiGate devices and review logs for suspicious activity. CISA noted that the affected versions are widely deployed across federal networks and that a successful follow-on attack would have national-security implications.

Security researcher Brian Krebs wrote on his blog: "The attacker strategy is shifting; they used to steal data and sell it, now they sell access." Krebs said the Belsen Group is asking $2,000,000 for the 87,000-device package on the underground forum and that potential buyers could include cyber-espionage groups, ransomware crews or state-linked actors.

Fortinet shares fell 7.4% on US markets after the breach was reported. Analysts say the incident could damage the company's long-term customer trust. Cisco and Palo Alto Networks closed higher on expectations that they would gain market share. Fortinet's reported May-quarter revenue was $1.68 billion.

The incident is also forcing corporate customers to rethink their security playbooks. Many institutions are moving towards "multi-vendor security" strategies to reduce single-supplier risk. The trade-off between the cost benefits of buying firewall, antivirus, email filter and endpoint protection from one vendor and the consolidated risk is again on the table.

Experts list the immediate steps for any institution that may be affected: update devices to the latest version; rotate all admin passwords; share the past three months of logs with independent analysts; rotate VPN certificates; and consider rolling back to a known-clean configuration. The full scale of the incident will become clearer in the days ahead.

This article is an AI-curated summary based on TechCrunch. The illustration is a stock photo by Brett Sayles from Pexels.
