2,645 Fortinet Devices Hacked—And the Culprit Wasn’t a Zero-Day, It Was ‘admin3:123456’ + Video

By /

Listen to this Post

Featured Image

Introduction

In a stark reminder that cybersecurity’s weakest link often lies between the keyboard and the chair, a recent large-scale credential theft campaign has compromised an estimated 74,000 Fortinet firewalls worldwide. Security researcher Volodymyr Diachenko uncovered the operation, which targeted over 320,000 internet-accessible Fortinet devices using 1.16 billion username and password combinations. While sophisticated brute-force techniques and GPU clusters were employed, the core vulnerability wasn’t a complex zero-day—it was the staggering prevalence of weak, default, and easily guessable credentials. The now-infamous example of “admin3:123456” among 2,645 breached devices perfectly encapsulates this crisis.

Learning Objectives

  • Understand the critical distinction between software vulnerabilities and credential-based attack vectors in network security.
  • Learn how to identify, assess, and remediate weak password configurations on Fortinet and other network devices.
  • Master the implementation of robust password policies, multi-factor authentication, and secure administrative access controls.
  • Develop an incident response plan for credential compromise scenarios.

You Should Know

  1. The Credential Crisis: Why “admin3:123456” Is a Security Catastrophe

The recent “FortiBleed” campaign serves as a case study in how poor credential hygiene can undermine even the most advanced security appliances. Attackers leveraged a combination of credential stuffing (using previously leaked credentials) and brute-force attacks against password hashes extracted from device configurations. In older FortiOS firmware versions, passwords were hashed using SHA256 with salt, which can be cracked significantly faster using tools like hashcat compared to the more secure PBKDF2 variant introduced from FortiOS 7.2.11 onward.

The scale of the problem is immense: of 320,000 Fortinet devices accessible via the internet, attackers successfully obtained login credentials for 73,932 appliances worldwide. This includes approximately 120 devices in Germany, with some belonging to major corporations and even telecommunications infrastructure.

Default credentials remain a primary vector. FortiGate firewalls ship with a default administrator account named admin with a blank password (except for cloud VMs). Other default accounts include “Administrator” with password “1234” and “Monitor” with password “5678”. The Tenable plugin for detecting default FortiOS credentials flags this as a critical vulnerability.

Step‑by‑Step Guide: Fortinet Credential Hardening

  1. Immediate Default Password Change: Upon initial login (via HTTPS at the default IP `https://192.168.1.99`), the system will prompt you to change the admin password. Do not skip this step. Use a strong, unique password of at least 15 characters containing uppercase, lowercase, numbers, and special characters.

  2. FortiGate CLI Password Reset: If you need to change the admin password via command line, connect via SSH or console and execute:

    config system admin
edit admin
set password [bash]
end

(Source: STIG rule FGFW-1D-000250)

3. Enforce Password Complexity (FortiOS 7.4.1+):

  • Navigate to System > Settings.
  • In the Password Policy section, set Password scope to Admin.
  • Configure minimum length, require uppercase/lowercase/numbers/special characters, and set password expiration (e.g., every 60 days).
  1. Disable Default and Unused Accounts: Audit all local administrator accounts. Delete any that are unnecessary. Rename the default “admin” account if possible to obscure it from automated attacks.

5. Restrict Administrative Access:

  • Limit management interface access to trusted IP addresses only.
  • Use dedicated management interfaces (out-of-band management) rather than exposing the GUI/SSH to the public internet.
  1. Beyond Defaults: The Danger of Weak and Reused Passwords

Even when default passwords are changed, the problem persists. Security researchers regularly find firewall management interfaces accessible with factory passwords or simple variations like “admin123” and “firewall2024”. In the FortiBleed campaign, attackers used a GPU cluster with 48 GPUs to crack password hashes. Once credentials are exfiltrated, weak passwords become trivial to crack offline.

The attack lifecycle is instructive:

  1. Initial Access: Attackers exploit an authentication bypass vulnerability (e.g., CVE-2024-55591, a zero-day in FortiOS/Proxy allowing super-admin access via crafted WebSocket requests) or simply guess weak credentials.
  2. Configuration Exfiltration: They export the device configuration, which contains password hashes and other sensitive data.
  3. Offline Cracking: Using tools like hashcat, they crack the hashes to obtain plaintext passwords.
  4. Lateral Movement: Compromised credentials are used to access other systems, enabling lateral movement and persistence.

Step‑by‑Step Guide: Password Audit and Remediation

  1. Audit Existing Passwords: Use tools like John the Ripper or hashcat (ethically) to test the strength of password hashes in your environment. Identify any passwords that are dictionary words, common patterns, or previously breached.

  2. Implement a Password Manager: Enforce the use of enterprise password managers to generate and store unique, complex passwords for every administrative account.

  3. Enforce MFA (Multi-Factor Authentication): FortiGate supports FortiToken for two-factor authentication. Mandate MFA for all administrative logins. This renders stolen credentials useless without the second factor.

  4. Monitor for Credential Stuffing: Implement rate-limiting on login attempts. Monitor logs for failed login attempts from unusual IP ranges, especially from known malicious hosting providers (e.g., The Constant Company LLC, BL Networks, Kaopu Cloud HK Limited were observed in recent attacks).

  5. Regular Credential Rotation: Automate password rotation for all administrative accounts every 30-60 days. Ensure new passwords are not incremental variations of old ones.

3. Patching vs. Configuration: Addressing the Real Risk

While vendors like Fortinet release patches for critical vulnerabilities (e.g., CVE-2025-59718 and CVE-2025-59719, both CVSS 9.8 flaws allowing SAML SSO authentication bypass), patching alone is insufficient. In the recent Fortinet exploits, active intrusions were observed via malicious SSO logins just two days after patches were released. Attackers move fast, and many organizations struggle to patch in time.

The core issue is that weak credentials remain exploitable regardless of patch status. Even if a device is fully patched, if the admin password is “123456,” the device is compromised.

Step‑by‑Step Guide: Comprehensive Security Hardening

  1. Prioritize Patching: Maintain an up-to-date asset inventory to quickly locate vulnerable devices. Upgrade to the latest FortiOS version. For CVE-2024-55591, upgrade to FortiOS 7.0.17 or above, or FortiProxy 7.2.13 or above.

  2. Disable Unnecessary Services: Turn off the FortiCloud SSO login feature if not required, as recommended by Fortinet.

  3. Network Segmentation: Place management interfaces behind a firewall (such as another FortiGate) to limit access attempts. Use VLANs to separate management traffic from user traffic.

  4. Enable Logging and Alerts: Configure syslog to forward logs to a SIEM. Set up alerts for:

– Failed login attempts (especially from external IPs).
– Configuration changes.
– Creation of new admin accounts.

  1. Regular Security Audits: Conduct periodic penetration tests focusing on firewall configurations. As noted in penetration testing reports, default or weak administrative credentials are among the top firewall misconfigurations found in every pentest.

4. Incident Response for Credential Compromise

When a compromise is suspected, speed is critical. Attackers who gain admin access can establish persistent backdoors, extract sensitive data, and move laterally into the corporate network.

Step‑by‑Step Guide: Incident Response for Compromised Firewall Credentials

  1. Immediate Isolation: If the device is publicly accessible and compromised, isolate it from the network while preserving forensic evidence.

  2. Reset All Credentials: As advised by security experts, treat exposed configurations as a full compromise and reset all associated credentials immediately. This includes:

– All local admin accounts on the FortiGate.
– All VPN user credentials.
– Any credentials for integrated services (e.g., LDAP, RADIUS).

  1. Check for Backdoors: Review the configuration for unauthorized admin accounts, SSH keys, or scheduled tasks.

  2. Analyze Logs: Review syslog and event logs for suspicious activity, including unusual login times, IP addresses, and configuration changes.

  3. Forensic Investigation: Determine the initial access vector (weak password vs. unpatched vulnerability) and the scope of the compromise. Check for any indicators of compromise on downstream networks.

  4. Update and Harden: After remediation, apply all security patches, enforce MFA, and implement the hardening steps outlined above before reconnecting the device.

5. Linux and Windows Commands for Credential Security

While FortiGate uses its own CLI, security administrators often work in hybrid environments. Below are useful commands for auditing and securing credentials on Linux and Windows systems that interface with network devices.

Linux Commands

  • Check for weak passwords in `/etc/shadow` (requires root): 
    sudo john /etc/shadow --wordlist=/usr/share/wordlists/rockyou.txt

    This uses John the Ripper to test password strength against a known wordlist.

  • Enforce password complexity (PAM):

Edit `/etc/pam.d/common-password` (Debian/Ubuntu) or `/etc/pam.d/system-auth` (RHEL/CentOS) to include:

password requisite pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
  • Audit SSH access: 
    sudo grep "Failed password" /var/log/auth.log

Windows Commands (PowerShell)

  • Check local admin accounts: 
    Get-LocalUser | Where-Object {$_.Enabled -eq $true}

  • Enforce password policy:

    secedit /export /cfg C:\secpol.cfg
Edit the file to set MinimumPasswordLength, PasswordComplexity, etc.
secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas SECURITYPOLICY

  • Audit failed logins:

    Get-EventLog -LogName Security -InstanceId 4625 | Select-Object TimeGenerated, Message

What Undercode Say

  • Key Takeaway 1: The vulnerability wasn’t in Fortinet’s code—it was in the operational practice of using credentials like “admin3:123456.” This highlights a fundamental truth: security is a human problem as much as a technical one. No patch can fix lazy password habits.
  • Key Takeaway 2: The scale of the FortiBleed campaign (74,000 compromised devices) demonstrates that attackers are highly organized and resourceful. They use massive GPU clusters to crack password hashes and exploit configuration exports to pivot into corporate networks.

Analysis: The reliance on default and weak credentials is a systemic issue across the industry, not unique to Fortinet. Firewalls, VPN gateways, and other edge devices are prime targets because they guard the perimeter. The rapid exploitation of vulnerabilities like CVE-2025-59718 within days of disclosure shows that attackers are faster than many organizations’ patch cycles. Therefore, defense-in-depth must include strong credential policies, MFA, and network segmentation as non-1egotiable baselines. The use of password managers is no longer optional but a critical control to prevent password reuse and enable complex passwords. Ultimately, the “admin3:123456” incident serves as a wake-up call: cybersecurity hygiene is the first and most important line of defense.

Prediction

  • +1 The increased awareness from campaigns like FortiBleed will accelerate the adoption of zero-trust architecture and passwordless authentication (e.g., FIDO2) in enterprise environments, reducing reliance on vulnerable passwords.
  • -1 However, the sheer volume of legacy devices and the inertia of organizational culture mean that weak credentials will remain a dominant attack vector for the foreseeable future. Expect more large-scale credential theft campaigns targeting other vendors (e.g., Palo Alto, Cisco) using similar techniques.
  • -1 Attackers will increasingly focus on configuration exfiltration and hash cracking as a primary means of establishing persistence, as demonstrated in this campaign. This will lead to a rise in “configuration theft” as a service on cybercrime forums.
  • +1 Regulatory bodies (e.g., CISA, GDPR authorities) will likely mandate stricter password policies and MFA for critical infrastructure, forcing compliance and improving baseline security.
  • -1 Despite these efforts, the human factor—users choosing “123456” over complex passwords—will continue to be the weakest link, requiring continuous security awareness training and technical enforcement.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Huzeyfe 2645 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: