Cydome reports FortiBleed credential leak poses elevated risks to maritime and energy critical infrastructure
Key Facts
- On a vessel without clean IT and OT separation, that same path can reach bridge systems, cargo management, and VSAT links.” Fortinet officially characterizes the incident as a resharing of data from previous breaches combined with aggressive brute-forcing, rather than a new exploit, and as such does not (or cannot) issue an updated FortiOS version to close it, and it does not receive a formal CVE number as it’s not considered a vulnerability.
- According to maritime cybersecurity firm Cydome, attackers obtained unauthorized administrative access to Fortinet devices by exploiting legacy password hashes stored in configuration files, exposing more than 86,000 confirmed working credentials across 194 countries.
- However, it seems that many devices remain exposed to FortiBleed, as the Cydome team found that, in a random sample of the dataset, 87% of connected Fortinet devices had interfaces open, suggesting they were not yet patched or secured.
- When it comes to distribution type, Cydome data shows that shipping and freight accounts for the largest share at 41.5%, followed by marine and offshore services at 31.2%.
- Smaller segments include maritime finance and investment at 2.0%, passenger shipping and ferries at 1.6%, and government/Navy at 0.4%.
- The hackers tried known, commonly used, or breached credentials – whichever way worked faster.” It added that once attackers gained access to the device, they were able to silently map the network, identify connected assets, and move laterally across the environment.
- Shipyards, shipbuilding and related organizations represent 10.7%, while ports and maritime logistics account for 6.7%, and fisheries and aquaculture make up 5.9%.
- The company said attackers used compromised FortiGate devices to map networks, harvest additional credentials, and potentially pivot into systems such as Active Directory, while vessels lacking strict IT/OT separation could face risks extending to bridge systems, cargo management platforms, and VSAT communications.
- A newly disclosed cyber campaign dubbed FortiBleed allegedly exposed administrator credentials for tens of thousands of internet-facing Fortinet firewalls, with maritime organizations emerging among the hardest-hit sectors.
- “In the past, they used a weak algorithm that could have been cracked using brute force with modern GPUs quite quickly.
On a vessel without clean IT and OT separation, that same path can reach bridge systems, cargo management, and VSAT links.” Fortinet officially characterizes the incident as a resharing of data from previous breaches combined with aggressive brute-forcing, rather than a new exploit, and as such does not (or cannot) issue an updated FortiOS version to close it, and it does not receive a formal CVE number as it’s not considered a vulnerability. According to maritime cybersecurity firm Cydome, attackers obtained unauthorized administrative access to Fortinet devices by exploiting legacy password hashes stored in configuration files, exposing more than 86,000 confirmed working credentials across 194 countries.
The OT Risk
However, it seems that many devices remain exposed to FortiBleed, as the Cydome team found that, in a random sample of the dataset, 87% of connected Fortinet devices had interfaces open, suggesting they were not yet patched or secured.
Further details indicate that when it comes to distribution type, Cydome data shows that shipping and freight accounts for the largest share at 41.5%, followed by marine and offshore services at 31.2%.
Smaller segments include maritime finance and investment at 2.0%, passenger shipping and ferries at 1.6%, and government/Navy at 0.4%.
The hackers tried known, commonly used, or breached credentials, whichever way worked faster.” It added that once attackers gained access to the device, they were able to silently map the network, identify connected assets, and move laterally across the environment.
Operational Impact
A newly disclosed cyber campaign dubbed FortiBleed allegedly exposed administrator credentials for tens of thousands of internet-facing Fortinet firewalls, with maritime organizations emerging among the hardest-hit sectors. Cydome’s analysis identified more than 250 maritime and energy organizations in the leaked dataset, including shipping companies, ports, and satellite communications providers that support maritime operations. Additionally, Cydome urged organizations to rotate all Fortinet administrative credentials, enable multifactor authentication, remove internet exposure from management interfaces where possible, and ensure administrators log in after upgrading FortiOS to eliminate legacy password hashes.
Shipyards, shipbuilding and related organizations represent 10.7%, while ports and maritime logistics account for 6.7%, and fisheries and aquaculture make up 5.9%.
The company said attackers used compromised FortiGate devices to map networks, harvest additional credentials, and potentially pivot into systems such as Active Directory, while vessels lacking strict IT/OT separation could face risks extending to bridge systems, cargo management platforms, and VSAT communications.
A newly disclosed cyber campaign dubbed FortiBleed allegedly exposed administrator credentials for tens of thousands of internet-facing Fortinet firewalls, with maritime organizations emerging among the hardest-hit sectors.
Mitigation for OT
-
Fortinet later upgraded their algorithm from the end of 2024 to mid-2025, but the old hash file was not deleted, and FortiBleed hackers leveraged this legacy file to try and brute-force their way in.
-
However, it seems that many devices remain exposed to FortiBleed, as the Cydome team found that, in a random sample of the dataset, 87% of connected Fortinet devices had interfaces open, suggesting they were not yet patched or secured.
Analysis
Organizations should review their exposure and apply available mitigations promptly.
Sources
Sources & References
- Source referenced in coverage https://industrialcyber.co/utilities-energy-power-water-waste/cydome-reports-fortibleed-credential-leak-poses-elevated-risks-to-maritime-and-energy-critical-infrastructure/
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
Critical Fortinet Auth Bypass: Exploit Available
A critical authentication bypass flaw affecting Fortinet's FortiOS, FortiProxy, and FortiSwitchManager appliances now has proof-of-concept exploit code available. Attackers can get around the authe...
Cloud SecurityCloud WAAP Magic Quadrant: Leaders & Trends
The market for protecting cloud web applications and APIs is expanding quickly. You can use this Magic Quadrant to find cloud WAAP providers that provide simple controls and specialised defences ag...
Cloud SecurityGartner Peer Insights: WAAP Voice of Customer
What is API and Web Application Protection? Web application and API protection (WAAP), according to Gartner, is the evolution of the web application firewall (WAF) market, which now includes four c...
Vulnerabilities & ExploitsHitachi Energy e-mesh EMS Vulnerability (CVE-2026-42945)
The following versions of Hitachi Energy e-mesh EMS are affected: - Hitachi Energy e-mesh EMS 4.1.6, 4.4.2, 4.7.0 Background - Critical Infrastructure...