FortiBleed traffic sniffing widens contractor cleanup work
A password reset is the easy part when the edge device may have watched the traffic passing through it.
TL;DR
Risky Business News reports that the FortiBleed hacks involved heavy traffic sniffing and were worse than a simple credentials leak. Contractors and suppliers running Fortinet gear at the edge now face a broader incident-response question: what moved through the appliance during the exposure window. Password rotation still matters. It does not answer what the attacker may have observed in transit.
Risky Business News' useful point is that FortiBleed should not be triaged as a mere credential event. The outlet says the hacks involved extensive traffic sniffing, which moves the response from rotating what the Fortinet device stored to determining what crossed the device while the attacker had access. For contractors, managed service providers and suppliers using Fortinet at the edge, that is a supply-chain exposure question.
CISA's earlier Fortinet guidance shows the baseline cleanup administrators already know. In April, CISA said a malicious file tied to previously exploited Fortinet vulnerabilities could enable read-only access to files on FortiGate devices, including configurations, and told administrators to upgrade, review in-scope device configurations and reset potentially exposed credentials: https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities. That is a configuration-and-secret problem with a familiar playbook.
Sniffed traffic creates a wider evidence problem. The Monday work is to preserve logs, establish the exposure window, identify which business relationships and protected environments traversed the appliance, and document where the record is incomplete. Treating this as a firewall hygiene issue would understate the report's core claim: the appliance may have been an observation point, not only a place where credentials were stolen.
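The evidence work described above (fix an exposure window, find which peers and protected environments crossed the appliance, and record where the log is thin) can be started from the traffic logs the device exported. The script below is an added example, not code from Risky Business News, CISA or Fortinet. It assumes the appliance's traffic log was forwarded as key=value syslog lines, which is the shape FortiGate traffic logs normally take; the log lines, the exposure window and the peer directory (PEER_DIRECTORY, mapping peer addresses to the business relationship they represent) are constructed placeholders to be replaced with your own evidence and CMDB data.

```python
"""Exposure-window triage over FortiGate-style key=value traffic logs.

Added example (not from the article or from Fortinet). Assumptions:
  * traffic logs were exported as key=value lines with date= and time=;
  * SAMPLE_LOG, WINDOW_* and PEER_DIRECTORY are constructed placeholders.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: six sessions over one day, with hours of silence in
# between so the coverage check has something to report.
SAMPLE_LOG = """\
date=2025-04-10 time=08:00:05 type="traffic" subtype="forward" srcip=10.10.0.21 dstip=203.0.113.40 dstport=443 service="HTTPS" action="accept"
date=2025-04-10 time=09:15:42 type="traffic" subtype="forward" srcip=10.10.0.21 dstip=198.51.100.7 dstport=22 service="SSH" action="accept"
date=2025-04-10 time=09:16:10 type="traffic" subtype="forward" srcip=10.10.0.33 dstip=203.0.113.40 dstport=443 service="HTTPS" action="accept"
date=2025-04-10 time=12:05:00 type="traffic" subtype="forward" srcip=10.10.0.33 dstip=192.0.2.80 dstport=445 service="SMB" action="accept"
date=2025-04-10 time=12:30:18 type="traffic" subtype="forward" srcip=10.10.0.50 dstip=198.51.100.7 dstport=22 service="SSH" action="deny"
date=2025-04-11 time=07:59:00 type="traffic" subtype="forward" srcip=10.10.0.21 dstip=203.0.113.40 dstport=443 service="HTTPS" action="accept"
"""

# Placeholder exposure window; replace with the one established from evidence.
WINDOW_START = datetime(2025, 4, 10, 8, 0, 0)
WINDOW_END = datetime(2025, 4, 11, 8, 0, 0)
# Longest silence that is still plausible for this link; anything longer
# is flagged as a place where the record may be incomplete.
MAX_GAP = timedelta(hours=2)

# Hypothetical peer directory: which relationship / protected environment
# sits behind each remote address. In practice this comes from the CMDB.
PEER_DIRECTORY = {
    "203.0.113.40": "Customer A portal",
    "198.51.100.7": "Supplier B bastion",
    "192.0.2.80": "Internal file server (CUI enclave)",
}

# key=value where the value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict and attach a datetime as 'ts'."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"],
                                         "%Y-%m-%d %H:%M:%S")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def in_window(records, start, end):
    """Keep only records with a timestamp inside the exposure window."""
    return [r for r in records if "ts" in r and start <= r["ts"] <= end]


def traversed_relationships(records, directory):
    """Per business relationship, count accepted flows by service.
    Denied sessions are skipped: they were attempted, but no payload crossed."""
    summary = defaultdict(Counter)
    for r in records:
        if r.get("action") != "accept":
            continue
        peer = r.get("dstip", "?")
        summary[directory.get(peer, "unmapped peer " + peer)][r.get("service", "?")] += 1
    return {rel: dict(c) for rel, c in summary.items()}


def coverage_gaps(records, start, end, max_gap):
    """Return (gap_start, gap_end) pairs where consecutive log timestamps,
    including the window edges, are further apart than max_gap."""
    points = [start] + sorted(r["ts"] for r in records if "ts" in r) + [end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]


def triage_report(text=SAMPLE_LOG, start=WINDOW_START, end=WINDOW_END,
                  max_gap=MAX_GAP, directory=PEER_DIRECTORY):
    """Assemble the three answers the incident record needs."""
    recs = in_window(parse_log(text), start, end)
    return {
        "records_in_window": len(recs),
        "relationships": traversed_relationships(recs, directory),
        "gaps": [(a.isoformat(), b.isoformat())
                 for a, b in coverage_gaps(recs, start, end, max_gap)],
    }


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(key, "->", value)
```

The report is deliberately three-part: what crossed the appliance, to whom, and where the log cannot speak. The gaps list is the honest-disclosure input; a relationship that is absent from the summary only because its traffic fell into a gap should be reported as "unknown", not "not observed".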
Published · Deep Fathom