Hackers are using FortiBleed to break into business networks - CSA explains the threat
The Cyber Security Authority has issued an urgent alert over FortiBleed, a global cybercrime campaign targeting Fortinet firewalls and VPN systems.
The attack does not use a new software vulnerability but instead exploits weak, reused passwords and the lack of multi-factor authentication (MFA).
CSA is urging organisations to immediately rotate credentials, enable MFA, monitor logs, and tighten access controls to prevent breaches.
The Cyber Security Authority (CSA) has issued an urgent warning to businesses and institutions over a growing global cybercrime campaign known as “FortiBleed,” which is targeting Fortinet firewalls and VPN systems used to secure company networks.
The authority says the attack is not exploiting a new software flaw but is instead taking advantage of a common human weakness and poor password habits.
In a technical advisory issued on June 19, the CSA warned that hackers are gaining access to protected systems by using stolen passwords, recycled credentials and weak login security.
“A large-scale cybercrime campaign, known as ‘FortiBleed,’ is actively targeting Fortinet FortiGate firewalls and SSL VPN Gateways,” the advisory said.
Fortinet devices are widely used by banks, telecom companies, hospitals, schools and government institutions to protect internal networks and enable secure remote access for staff.
Put simply, firewalls and VPN gateways act like security gates to an organisation’s digital systems. If hackers gain access through those gates, they can potentially monitor network activity, steal sensitive information, or move deeper into internal systems.
According to the CSA, the attackers are using automated tools to scan for internet-facing Fortinet devices and test them against huge databases of usernames and passwords leaked from past data breaches.
This method, known as password spraying or credential stuffing, allows criminals to test thousands of stolen login combinations until they find one that works.
The CSA stressed that the campaign does not depend on breaking the software itself.
“The campaign does not rely on a newly discovered vulnerability but instead exploits weak credential practices, including password reuse and lack of multi-factor authentication (MFA),” the authority said.
That means organisations using the same passwords across multiple systems or failing to enable extra login protection are especially vulnerable.
Once hackers get in, the damage can spread quickly.
The CSA warned that attackers may use compromised devices to monitor traffic, capture login details and maintain long-term access to company systems.
The CSA says organisations may face higher risk if:
Administrative or VPN portals are publicly accessible
Passwords are weak or reused
Multi-factor authentication is not enabled
Admin access is not restricted to trusted locations
To detect possible compromise, the authority is urging IT teams to review logs for suspicious activity.
Warning signs include unusual login times, repeated failed login attempts followed by successful access, unknown administrator accounts, unexpected firewall configuration changes, and strange VPN sessions.
“Repeated failed logins followed by successful access” is one of the strongest warning signs organisations should investigate immediately, the CSA noted.
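One way to check logs for the failed-then-successful login pattern described above. This is an added example, not code from the CSA advisory or from Fortinet; the key=value log layout, the field names, the threshold and the time window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. The key=value layout and the field names are
# assumptions; map them to the fields your own devices actually log.
SAMPLE_LOG = """\
time=2024-01-15T02:10:01 user=alice srcip=203.0.113.7 result=fail
time=2024-01-15T02:10:03 user=bob srcip=203.0.113.7 result=fail
time=2024-01-15T02:10:05 user=carol srcip=203.0.113.7 result=fail
time=2024-01-15T02:10:09 user=dave srcip=203.0.113.7 result=success
time=2024-01-15T08:59:40 user=erin srcip=198.51.100.20 result=fail
time=2024-01-15T09:00:02 user=erin srcip=198.51.100.20 result=success
time=2024-01-15T03:00:00 user=admin srcip=192.0.2.11 result=fail
time=2024-01-15T03:01:00 user=admin srcip=192.0.2.12 result=fail
time=2024-01-15T03:02:00 user=admin srcip=192.0.2.13 result=fail
time=2024-01-15T03:03:00 user=admin srcip=192.0.2.14 result=success
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    rec = dict(KV.findall(line))
    rec["time"] = datetime.fromisoformat(rec["time"])
    return rec

def fail_then_success(lines, threshold=3, window=timedelta(minutes=10)):
    """Flag successes preceded by >= threshold recent failures from the same
    source IP (many accounts, one source) or on the same account (many sources)."""
    fails = defaultdict(deque)  # ("ip" | "user", value) -> failure timestamps
    alerts = []
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda r: r["time"])
    for rec in events:
        keys = [("ip", rec["srcip"]), ("user", rec["user"])]
        for k in keys:  # forget failures that fell out of the time window
            while fails[k] and rec["time"] - fails[k][0] > window:
                fails[k].popleft()
        if rec["result"] == "fail":
            for k in keys:
                fails[k].append(rec["time"])
        elif rec["result"] == "success":
            hits = {k[0]: len(fails[k]) for k in keys if len(fails[k]) >= threshold}
            if hits:
                alerts.append({"user": rec["user"], "srcip": rec["srcip"], "matched": hits})
            for k in keys:  # reset so one burst produces one alert
                fails[k].clear()
    return alerts

if __name__ == "__main__":
    print(*fail_then_success(SAMPLE_LOG.splitlines()), sep="\n")
```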
To reduce risk, the authority is recommending immediate security steps.
These include rotating all admin and VPN passwords, enforcing strong unique passwords, and activating multi-factor authentication.
The CSA also urged organisations to restrict access to admin interfaces, disable unnecessary services, monitor network logs continuously, and keep all Fortinet devices updated with the latest firmware.