ACSC flags active threat hitting Australian firewalls and VPNs

Credentials stolen in earlier breaches are being used to break in again


By Roxanne Libatique

Australia’s cybersecurity authority has issued an urgent warning over the FortiBleed campaign targeting Fortinet firewalls and VPN gateways. The exposure it creates – correlated, vendor-concentrated, and unresolvable by patch – has direct implications for accumulation risk, underwriting, and the mandatory reporting obligations that now apply to ransomware payments.

The ASD’s Australian Cyber Security Centre (ACSC) issued an alert on June 22, 2026, warning all Australian organisations using Fortinet Firewall or VPN services of an active malicious campaign targeting their devices. The campaign – referred to as FortiBleed – exploits exposed credentials and brute-force techniques to gain remote access to affected devices and the networks behind them, and to alter security controls and other settings.

Fortinet had published its own analysis three days earlier, attributing the activity to threat actors recycling credentials from two prior incidents and targeting devices running weak passwords without multi-factor authentication (MFA) enabled. FortiBleed is not a zero-day – there is no patch that closes this exposure, which makes it a different category of risk from a conventional vulnerability. Fortinet was unambiguous: “This is not a new Fortinet vulnerability, and this activity is not related to any recent incident or advisory.”

A single-vendor concentration problem

Fortinet’s FortiGate product line accounts for more than 50% of global network firewall unit shipments, according to Fortinet’s own investor disclosures citing 650 Group data. By mid-June 2026, confirmed credentials from approximately 86,644 devices across 194 countries had been harvested – roughly half of all internet-facing Fortinet firewalls globally. The devices are embedded across Australian corporate, government, healthcare, and critical infrastructure environments.

That concentration creates a specific problem for insurers. A single credential-based campaign, targeting one vendor’s install base, can affect a significant and correlated slice of an insurer’s cyber book simultaneously – with no vulnerability or patch to anchor or bound the exposure. Unlike a CVE-based attack, there is nothing to remediate at the perimeter that stops the campaign in its tracks. FortiBleed illustrates the risk of concentrated single-vendor infrastructure at scale: geographically dispersed, sector-agnostic, and affecting organisations that may have no awareness of their exposure until a downstream incident occurs.

The claims sequence

A FortiBleed intrusion that goes undetected does not stay contained. The ASD’s Annual Cyber Threat Report 2024-25, released in October 2025, documented that compromised credentials were the most common means of gaining initial access in incidents where data was subsequently encrypted, featuring in 42% of all serious cyber incidents in FY2024-25 – up from 23% the prior year. The ACSC also sent 9,587 credential exposure notifications to approximately 220 organisations between November 2024 and June 2025 under its Cyber Hygiene Improvement Programs (CHIPs), pointing to the scale at which Australian organisations are already operating with exposed credentials in circulation.

The documented pattern runs from initial credential access through lateral movement into internal networks to ransomware deployment. Once ransomware is deployed, the regulatory clock starts. Under the Cyber Security Act 2024, businesses with annual turnover of $3 million or more must notify the ASD within 72 hours of any ransomware or cyber extortion payment, with civil penalties of up to $19,800 for non-compliance. The Department of Home Affairs moved from an education-first posture to active enforcement from January 1, 2026.

That sequence – credential compromise, lateral movement, ransomware, mandatory reporting, insurer notification – is the full commercial logic of FortiBleed for anyone managing a cyber book. Clients with unpatched Fortinet devices, no MFA on VPN or administrative accounts, or incomplete remediation from earlier Fortinet advisories currently sit at the start of that chain.

The underwriting dimension

Based on observed market practice rather than any single insurer’s stated position, MFA on VPN and administrative accounts is now treated as a near-universal baseline underwriting requirement in the Australian cyber insurance market, with most insurers declining cover or applying ransomware sub-limits where it is not enforced. FortiBleed maps directly to that standard: Fortinet’s own analysis confirmed the campaign specifically targets devices with no MFA in place. Organisations that cannot demonstrate enforced MFA – not simply deployed MFA – on Fortinet VPN and administrative interfaces face both an active threat and a potential coverage gap at claim time.

Immediate steps

Organisations running Fortinet devices should rotate all administrator and VPN credentials immediately, enforce MFA across all external interfaces and administrator accounts, and upgrade to FortiOS 7.4, 7.6, or 8.0, which support stronger PBKDF2 password hashing. Fortinet has also directed customers to review device configurations against a known-good baseline and check logs for signs of unauthorised access or lateral movement.
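The log review step above is the one that most often gets skipped. The following is an added example (not code from the article, Fortinet or the ACSC) of how a defender might triage admin event logs for the pattern the campaign relies on: repeated failed logins from one source, a subsequent successful login from that same source, and configuration changes made in that session. The sample lines are constructed to approximate FortiGate's key=value event-log style; the field names (`logdesc`, `ui`, `action`, `status`, `cfgpath`) and the failure threshold are assumptions, and a real deployment should be checked against the device's actual log schema.

```python
"""Triage admin event logs for credential-stuffing / brute-force followed by
a successful login and configuration changes.

Added example, not code from the original article, Fortinet or the ACSC.
Log format below is a constructed approximation of FortiGate's key=value
event logs; field names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log: four failed admin logins from 198.51.100.7, then a
# success from the same source and a config change; 10.0.0.5 is a benign
# operator who mistypes once and then logs in.
SAMPLE_LOGS = """\
date=2026-06-20 time=01:12:03 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-06-20 time=01:12:05 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-06-20 time=01:12:08 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-06-20 time=01:12:11 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-06-20 time=01:12:14 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" action="login" status="success"
date=2026-06-20 time=01:13:40 logid="0100044547" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.7)" action="Edit" cfgpath="system.admin"
date=2026-06-20 time=08:02:01 logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="netops" ui="ssh(10.0.0.5)" action="login" status="failed"
date=2026-06-20 time=08:02:09 logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="ssh(10.0.0.5)" action="login" status="success"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
IP_IN_UI_RE = re.compile(r'\(([0-9.]+)\)')    # source address inside ui="https(x.x.x.x)"


def parse_line(line):
    """Split one key=value log line into a dict and pull the source IP out of ui."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = IP_IN_UI_RE.search(fields.get("ui", ""))
    fields["srcip"] = m.group(1) if m else fields.get("srcip", "")
    return fields


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def triage(events, fail_threshold=3):
    """Return brute-force sources, logins that followed a brute-force run, and
    config changes flagged when made by a (user, ip) pair that got in that way."""
    failures = defaultdict(int)
    brute_force_sources = set()
    suspicious_logins = []
    suspect_sessions = set()
    config_changes = []
    for ev in events:  # events are assumed to be in chronological order
        ip, user = ev.get("srcip", ""), ev.get("user", "")
        if ev.get("action") == "login":
            if ev.get("status") == "failed":
                failures[ip] += 1
                if failures[ip] >= fail_threshold:
                    brute_force_sources.add(ip)
            elif ev.get("status") == "success" and ip in brute_force_sources:
                suspicious_logins.append((user, ip))
                suspect_sessions.add((user, ip))
        elif ev.get("action") in ("Add", "Edit", "Delete"):
            config_changes.append({
                "user": user,
                "srcip": ip,
                "cfgpath": ev.get("cfgpath", ""),
                "after_suspicious_login": (user, ip) in suspect_sessions,
            })
    return {
        "brute_force_sources": sorted(brute_force_sources),
        "suspicious_logins": suspicious_logins,
        "config_changes": config_changes,
    }


if __name__ == "__main__":
    report = triage(parse_logs(SAMPLE_LOGS))
    print("brute-force sources:", report["brute_force_sources"])
    print("logins after brute-force:", report["suspicious_logins"])
    for change in report["config_changes"]:
        flag = "REVIEW" if change["after_suspicious_login"] else "ok"
        print(f"config change {change['cfgpath']} by {change['user']}@{change['srcip']}: {flag}")
```

The threshold of three failures is deliberately low for a single admin interface; the point is that a success immediately following a run of failures from the same address is the signal worth pulling into incident response, and any configuration change in that session should be compared against the known-good baseline Fortinet recommends.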

Affected Australian organisations can contact the ASD’s ACSC on 1300 CYBER1 (1300 292 371). Fortinet confirmed its investigation and mitigation work is continuing. FortiBleed is a reminder that the most consequential cyber exposures on a book are often not the ones with a CVE number attached – they are the ones where the door was left open long before the campaign began.
