
Suspected user credentials stolen from FortiNet devices leaked online

A malicious cyber actor has leaked a list of suspected user credentials, along with the IP address of the FortiNet SSL VPN device each set of credentials is used for. Organisations should review the patch status and history of internet-exposed FortiNet SSL VPN devices and consider performing a password reset for affected users.

Alert status

Background / What has happened?

A malicious cyber actor has released a list of FortiNet virtual private network (VPN) devices and user credentials which the actor claims are valid and would allow a remote cyber actor access to the network located behind the VPN device.

It is reported that the credentials were stolen utilising a vulnerability in FortiOS (CVE-2018-13379).

Mitigation / How do I stay secure?

Organisations that have an internet-accessible FortiNet SSL VPN device should ensure the device's patches are up to date.

The ACSC recommends organisations review their patching history to identify possible periods of exposure to CVE-2018-13379 and other relevant FortiNet vulnerabilities, including CVE-2020-12812 and CVE-2019-5591. Organisations should also review the linked FortiNet security advisories for the list of specific FortiNet products affected by these vulnerabilities, as well as vendor-recommended mitigations if devices are still vulnerable.

It is unknown exactly when the suspected exploitation activity occurred for each identified FortiNet device in the list. Organisations should consider conducting a password reset for users of FortiNet SSL VPN devices, particularly if patch history identifies extended periods of vulnerability. Organisations should also consider reviewing authentication logs and user activity for signs of suspicious activity related to malicious use of the leaked credentials.
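One way to approach the authentication log review described above, as an added example that is not part of the original alert or any vendor tooling: flag successful VPN logins by accounts on the leaked list that come from a source IP never seen for that account during a baseline period. The key=value log layout, the field names (date, time, action, user, remip), the sample lines, the usernames and the baseline date are all constructed assumptions to be mapped onto your own log export.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not real logs. The key=value layout and the field
# names (date, time, action, user, remip) are assumptions; map them to your export.
SAMPLE_LOG = """\
date=2021-06-01 time=08:59:10 action=tunnel-up user="alice" remip=198.51.100.10
date=2021-06-02 time=09:03:44 action=tunnel-up user="bob" remip=198.51.100.20
date=2021-09-09 time=08:57:02 action=tunnel-up user="alice" remip=198.51.100.10
date=2021-09-10 time=02:14:07 action=tunnel-up user="alice" remip=203.0.113.77
date=2021-09-10 time=02:15:30 action=tunnel-up user="bob" remip=203.0.113.77
date=2021-09-10 time=02:16:01 action=ssl-login-fail user="alice" remip=203.0.113.90
date=2021-09-11 time=03:00:00 action=tunnel-up user="Carol" remip=203.0.113.80
"""
LEAKED_USERS = {"alice", "carol"}      # constructed: usernames found in the leaked list
BASELINE_END = datetime(2021, 9, 8)    # constructed: logins before this are the baseline

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value line into a dict, unwrapping quoted values."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def review_logins(log_text, leaked_users, baseline_end):
    """Return (time, user, source_ip) for post-baseline successful logins by
    leaked accounts from a source IP never seen for that account in the baseline."""
    leaked = {u.lower() for u in leaked_users}
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "tunnel-up" or not rec.get("user") or not rec.get("remip"):
            continue  # keep successful session establishment only
        try:
            when = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # skip lines without a usable timestamp
        events.append((when, rec["user"].lower(), rec["remip"]))
    known, findings = defaultdict(set), []
    for when, user, ip in sorted(events):
        if when < baseline_end:
            known[user].add(ip)  # build the per-account set of familiar source IPs
        elif user in leaked and ip not in known[user]:
            findings.append((when.isoformat(sep=" "), user, ip))
    return findings

if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOG, LEAKED_USERS, BASELINE_END):
        print(*finding)
```

A leaked account with no baseline logins at all (carol in the sample) is always flagged, which suits dormant accounts whose first appearance follows the leak.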

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).
