CISA Alert Flags 86,644 Exposed FortiGate Devices via Legacy SHA-256 Hashes and Credential Stuffing

The campaign scanned for remote login endpoints and replayed verified Fortinet credential pairs harvested from prior breaches. Once inside, actors passively collected additional plaintext credentials traversing the devices, creating a self-reinforcing loop. SOCRadar telemetry shows 63.3 percent of stolen accounts were either default or built-in Fortinet system accounts, confirming organizations failed to rotate factory credentials before exposure. Procurement records and FortiOS release notes reveal the core flaw: PBKDF2 hashing introduced in 7.2.11, 7.4.8 and 7.6.1 leaves existing SHA-256 administrator hashes untouched until each admin logs in post-upgrade. Arctic Wolf and Hudson Rock datasets confirm the same pattern across telecom, government and education sectors in India, the US and Mexico, indicating systemic configuration debt rather than novel zero-day exploitation. Official statements separate the technical evidence—mass scanning plus dictionary attacks on legacy hashes—from attribution claims naming Russian-speaking actors; no packet or infrastructure artifacts independently confirm state direction. Fortinet’s assertion that the data is merely reshared prior incidents conflicts with CISA’s active-session termination guidance, exposing a gap between vendor minimization and observed ongoing traffic collection. Operational impact centers on edge devices as persistent credential oracles for lateral movement. Next indicators to watch are spikes in FortiGate configuration file leaks on underground markets and whether NCSC or CISA issue sector-specific mandates for immediate hash rotation within 30 days.