Government Issues Cybersecurity Alert on Fortinet Device Credential Compromise

The Ministry of National Security, acting on advice from the National Cybersecurity Unit (NCU), is issuing this alert to all organisations and individuals in Bermuda that operate Fortinet firewall or VPN devices.

A global credential compromise campaign, widely referred to as “FortiBleed”, is actively targeting these devices. Organisations that have not taken protective action are at risk of unauthorised access to their networks.

The Acting Minister of National Security, the Hon. Jaché Adams, JP, MP, said: “The security of Bermuda’s digital infrastructure is a matter of national importance.

“This campaign is not a theoretical risk. It is an active threat that has already compromised tens of thousands of devices globally. I urge every organisation in Bermuda operating Fortinet equipment to treat this as a priority and act on the guidance provided today without delay.”

FortiBleed is a large-scale credential harvesting campaign targeting Fortinet FortiGate firewalls and SSL VPN gateways exposed to the internet. Security researchers estimate that between 74,000 and 86,000 devices have been affected globally.

Attackers are exploiting previously compromised credentials, password reuse, and automated brute-force tools to gain unauthorised access.

Fortinet has confirmed that this is not a new software vulnerability. The activity stems from weak password practices, absent multi-factor authentication, and legacy password storage methods that persist on some devices even after firmware updates.

Once inside a device, attackers can intercept network traffic, create backdoor accounts, modify configurations, and move laterally into connected systems, including Active Directory environments.

The U.S. Cybersecurity and Infrastructure Security Agency and Fortinet’s own Product Security Incident Response Team have both issued formal guidance urging immediate action.

Any organisation or individual in Bermuda operating a Fortinet FortiGate firewall or SSL VPN gateway, whether in the public sector, private sector, financial services, telecommunications, healthcare, or any other sector, should treat this alert as directly relevant and act immediately.

Fortinet is proactively contacting customers whose devices have been identified as potentially compromised.

Organisations that have not received direct notification should not assume their devices are unaffected.

The NCU strongly advises all Fortinet device operators in Bermuda to carry out the following precautionary steps immediately:

  • Terminate all active sessions.
  • Reset all credentials.
  • Upgrade to a supported firmware version.
  • Enable Multi-Factor Authentication.
  • Audit your configuration.
  • Review logs for signs of compromise.
  • Restrict management access.

If indicators of compromise are identified, including unrecognised accounts, unauthorised configuration changes or suspicious authentication activity, the affected device should be treated as compromised. Operators should not rely solely on resetting credentials before resuming operations.

Organisations are urged to follow Fortinet’s incident recovery process, isolate the device from their network, and assess the extent of any lateral movement into connected systems.

Fortinet’s FortiGuard Incident Response team is available to assist affected organisations directly. Contact details are available through the Fortinet resources listed below.

Affected parties in Bermuda requiring guidance or wishing to report a suspected incident should contact the NCU at cybersecurity@gov.bm.

Full technical guidance, including Fortinet’s PSIRT analysis and step-by-step hardening instructions, is available from Fortinet at fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices.

Organisations that require direct incident investigation support from Fortinet may request a scoping call through the FortiGuard Incident Response service at fortinet.com/corporate/about-us/contact-us/experienced-a-breach.