Threats
SHARE
Facebook X Pinterest WhatsApp

Hackers Leak 87,000 Fortinet VPN Passwords

In the latest lesson about the importance of patching, the credentials for 87,000 Fortinet FortiGate VPNs have been posted on a dark web forum by hackers. Fortinet confirmed the veracity of the hackers’ claims in a blog post today. The network security vendor said the credentials were stolen from systems that remain unpatched against a […]

Written By
thumbnail Paul Shread
Paul Shread
Sep 9, 2021
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

In the latest lesson about the importance of patching, the credentials for 87,000 Fortinet FortiGate VPNs have been posted on a dark web forum by hackers.

Fortinet confirmed the veracity of the hackers’ claims in a blog post today. The network security vendor said the credentials were stolen from systems that remain unpatched against a two-year-old vulnerability – CVE-2018-13379 – or from users who patched that vulnerability but failed to change passwords.

Fortinet said it’s warned customers several times to update affected devices and reset passwords – and the vulnerability was even recently named one of the most exploited by the FBI and CISA. Some of the compromised IP addresses were posted to Github so users can check to see if their VPNs were affected.

In an advisory, Fortinet said the path traversal vulnerability in the FortiOS SSL VPN web portal may allow an attacker to download FortiOS system files through specially crafted HTTP resource requests.

Affected products include FortiOS 6.0 – 6.0.0 to 6.0.4; FortiOS 5.6 – 5.6.3 to 5.6.7; and FortiOS 5.4 – 5.4.6 to 5.4.12; if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Affected users should disable all VPNs (SSL-VPN or IPSEC) before taking the following remediation steps:

  •  Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
  • Treat all credentials as potentially compromised and perform an organization-wide password reset.
  • Implement multi-factor authentication, “which will help mitigate the abuse of any compromised credentials now and in the future,” Fortinet said.

Fortinet added that users should be informed of the issue in case they have reused passwords in other applications.

Unpatched known vulnerabilities were found to be responsible for 60% of breaches in a 2019 Ponemon-ServiceNow study, yet patching remains one of the simplest – and most neglected – cybersecurity controls.

Further reading:

Best Patch Management Software & Tools

Passwordless Authentication 101

How to Defend Common IT Security Vulnerabilities

thumbnail Paul Shread

Former eSecurityPlanet editor Paul Shread has covered nearly every aspect of enterprise technology in his 20+ years in IT journalism, including award-winning articles on endpoint security and virtual data centers. He holds market analyst and cybersecurity certifications.

Recommended for you...

thumbnail Your Smart Devices Just Fueled a Record-Breaking DDoS Attack
Threats
Your Smart Devices Just Fueled a Record-Breaking DDoS Attack
eSecurityPlanet Staff
Sep 11, 2025
thumbnail Palo Alto Exposes Passwords in Plain Text
Threats
Palo Alto Exposes Passwords in Plain Text
Ken Underhill
Sep 11, 2025
thumbnail 1.6 Million Voices Stolen: Your Voice Could Be Next
Threats
1.6 Million Voices Stolen: Your Voice Could Be Next
eSecurityPlanet Staff
Sep 10, 2025
thumbnail SQL Injection Prevention: 6 Ways to Protect Your Stack
Threats
SQL Injection Prevention: 6 Ways to Protect Your Stack
Matt Gonzales
Jul 9, 2025
eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

facebook
linkedin
x

Company

About us Contact us Advertise with us

Categories

Best Products Networks Cloud Threats Trends Endpoint Applications Compliance

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information