Is your dealership or job-site VPN exposed by FortiBleed?
FortiBleed leaked working admin and VPN logins for tens of thousands of Fortinet FortiGate firewalls. If your Pacific Northwest dealership or construction office reaches staff over a Fortinet or Sophos VPN, you could be one reused password away from a breach. We will check, for free, and hand you a fix list. No pitch.
What happened
Security researchers found that attackers pulled configuration files off internet-facing FortiGate devices and cracked the stored password hashes. The result, reported by CISA and multiple security firms in June 2026, is valid administrator and SSL VPN credentials for roughly 74,000 firewalls across 194 countries (Recorded Future counted 73,932), now circulating and being reused. CISA issued a hardening alert on June 18, 2026. The same crews are brute-forcing Sophos firewalls that have no multi-factor authentication. Sophos confirmed there is no new flaw on their side. The weak spot is exposed appliances and reused passwords, not a single product bug.
Why dealerships and contractors are in the blast radius
Both run on remote access, which is exactly what this campaign abuses. A dealership has staff reaching the DMS, the F and I tools, and accounting across more than one rooftop. A construction firm has project managers and field crews logging in from trailers and job-site offices. That access usually rides a VPN, and a VPN with a leaked admin password is an open door. The firms most at risk are the ones that cannot say, on the spot, how many firewalls they run and who can log into each one.
The five-point exposure check
- Inventory every firewall. Make and model at every location, not just the main office.
- Confirm the FortiOS version. The fixed builds are 7.2.11, 7.4.8, and 7.6.1 or later.
- Rotate admin credentials. Forcing a reset rewrites the stored hashes in the stronger format.
- Turn on MFA everywhere. Every remote-access and admin account, on both Fortinet and Sophos.
- Close the management interface. The firewall admin page should not be reachable from the open internet.
FortiBleed questions we are hearing
Am I affected if I patched last year?
Possibly. The leaked credentials came from older configuration files, so a current patch does not undo a password that already escaped. Reset admin and VPN passwords and confirm MFA regardless of patch date.
We use Sophos, not Fortinet. Are we safe?
Not automatically. The same actors are brute-forcing Sophos VPN logins that lack multi-factor authentication. If MFA is off on any remote-access account, you are a target.
How fast does this need to happen?
This week. CISA treated it as urgent on June 18, 2026, and credential reuse starts within days of a leak, not months.
Get your free FortiBleed exposure check
Tell us where to look. We walk your firewall inventory, flag the exposed and no-MFA accounts, and hand you a prioritized fix list. A real person reviews it. If you already have a capable IT team, we will tell you they have it handled.
Prefer to talk first? Call (425) 648-5250 or email hello@craftworkgrp.com.