NCSC urges action after Fortinet firewall and VPN credential leak

Fortinet users are urged to act quickly after the NCSC identified signs of potential compromise.

NCSC warns organisations after attacks targeted Fortinet firewalls and VPN gateways.

The UK National Cyber Security Centre has urged organisations using Fortinet services to investigate whether they have been affected by a global campaign targeting firewalls and VPN gateways.

The NCSC said Fortinet firewalls and VPN gateways have been targeted globally, with some indications of potential impact in the UK. A threat actor has leaked a database of credentials following brute-force, dictionary and credential stuffing attempts against internet-facing FortiGate and VPN portals.

UK organisations using Fortinet edge devices with SSL VPN enabled have been advised to check whether their domains may be affected and to investigate potentially malicious activity on their devices.

The NCSC said organisations should review logs for indicators of compromise, including unauthorised account creation and unexpected activity. Where evidence of compromise exists, affected devices should be isolated from the internet and internal networks.

The agency also warned that changing credentials alone may not be sufficient if attackers have gained persistence on a device. It recommends factory resetting compromised devices after collecting logs, configurations and other investigation artefacts.

Organisations are also advised to investigate other edge devices that share credentials with compromised systems and to monitor reachable devices for signs of onward compromise.

The NCSC said organisations should harden recommissioned systems by ensuring management interfaces are not exposed to the internet, updating to the latest version, removing unsupported systems, changing default or reused administrator passwords and enforcing multi-factor authentication on VPN and device management logins.

Why does it matter?

The alert highlights how stolen or reused credentials can compromise perimeter security infrastructure. Firewalls and VPN gateways are high-value targets because a successful compromise can give attackers a route into internal networks. The NCSC guidance also shows why basic cyber hygiene matters: exposed management interfaces, reused passwords, unsupported systems and missing multi-factor authentication can turn credential leaks into wider network compromise.
