ACSC Critical Alert: FortiBleed Campaign Targets Fortinet Devices

The Australian Cyber Security Centre issued Critical Alert: Act Now advisories on 18 and 22 June 2026 over FortiBleed, a wave of widespread credential attacks against Fortinet firewalls and VPN gateways. Updated 23 June 2026.
Reporting from Cyber Daily notes the ACSC responded after public analysis of mass credential harvesting against internet-facing FortiGate devices. Fortinet published a 19 June situational analysis urging immediate credential resets and hardening.
Australian small businesses using Fortinet appliances for remote access should treat this as an active operational incident, not a routine Patch Tuesday item.
What FortiBleed involves
FortiBleed describes large-scale credential compromise activity targeting FortiGate firewalls and SSL VPN gateways exposed to the internet. Researchers reported tens of thousands of affected devices globally, with Australia among impacted jurisdictions.
Fortinet states the campaign relies on credentials reused from earlier incidents and on brute-force activity against weak passwords without MFA, not on a brand-new product vulnerability at disclosure time. That distinction matters for remediation: rotating credentials and enabling MFA are mandatory even if you already applied the patches from past advisories.
What ACSC told Australian organisations
The ACSC critical alerts instruct network owners to review Fortinet guidance, terminate suspicious sessions, rotate administrative and VPN passwords, enforce phishing-resistant MFA, and restrict management interfaces from the public internet.
Organisations should monitor for unauthorised VPN users, unexpected password resets, and signs of lateral movement into Active Directory if LDAP integration is enabled.
Who is affected
Any business running internet-accessible FortiGate or WHM-managed infrastructure may be in scope. Managed service providers hosting multiple tenants face an amplified blast radius if one compromised admin account spans clients.
Retail, professional services, and regional medical clinics often rely on Fortinet VPN for hybrid work. Those environments frequently lack dedicated security staff to watch ACSC alerts daily.
Find local IT help via our computer repair directory if you need hands-on assistance validating devices.
Immediate actions for SMBs
Rotate all Fortinet admin and VPN credentials today. Enable MFA on every administrative account. Confirm firmware supports PBKDF2 credential hashing per Fortinet guidance and upgrade if not.
Block management ports from the open internet where possible. Review logs back to at least March 2026 for anomalous VPN logins cited in industry reporting.
Read our companion post on Fortinet credential rotation for SMBs for step order.
If you suspect compromise
Fortinet advises treating affected devices as compromised: isolate, factory reset following vendor recovery procedures, and rebuild configurations from known-good backups. Assume AD service accounts linked to FortiGate are untrusted until audited.
Why June 2026 timing matters
ACSC reissued its alert on 22 June after Fortinet updated public guidance. Delayed response widens the window for data theft or ransomware staging inside trusted networks.
Subscribe to cyber.gov.au alerts and assign an owner to read Critical Alert ratings within hours, not weeks.
Managed service providers and shared responsibility
Many Australian SMBs rely on MSPs to patch firewalls they never log into directly. FortiBleed response still needs a named internal owner who confirms rotation happened on their tenant, not only on the provider’s word. Ask for written evidence: session logs cleared, MFA enabled per admin, management interfaces restricted, and firmware build numbers matching Fortinet guidance.
Questions to ask your IT provider today
Request the date credentials were rotated, whether VPN users were forced to re-enrol MFA, and whether any suspicious sessions appeared since March 2026. If your MSP manages multiple clients from one FortiGate, ask whether your instance shares admin paths with other tenants. Shared tooling accelerates work but can amplify blast radius when one password reuse chain breaks.
Our directory lists SMB-focused technicians who can validate FortiGate exposure if your provider is overloaded during alert weeks.
Logging and monitoring without a SOC
You do not need a 24/7 security operations centre to catch obvious compromise. Export VPN login logs weekly during alert periods. Look for new countries, impossible travel, midnight admin logins, and password reset events nobody on staff recognises. Forward FortiGate logs to a SIEM if you have one; if not, manual review beats hoping attackers stay quiet.
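The weekly manual review described above can be scripted. The following is an added example, not code from this article or from Fortinet; the key=value field names (event, user, srccountry), the sample lines and the thresholds are assumptions to be mapped onto your own log export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. Field names are assumptions for this sketch;
# map them to the columns in your own VPN/admin log export.
SAMPLE_LOG = """\
date=2026-06-10 time=09:14:02 event=vpn-login user=jsmith srccountry=Australia
date=2026-06-10 time=10:02:47 event=vpn-login user=jsmith srccountry=Romania
date=2026-06-11 time=02:31:10 event=admin-login user=admin srccountry=Australia
date=2026-06-11 time=02:33:55 event=password-reset user=mlee srccountry=Australia
date=2026-06-12 time=08:45:00 event=vpn-login user=mlee srccountry=Australia
"""

KNOWN_COUNTRIES = {"Australia"}      # where staff normally log in from
APPROVED_RESETS = set()              # (user, date) pairs IT has a ticket for
NIGHT_HOURS = range(0, 5)            # 00:00-04:59 in the log's timezone
TRAVEL_WINDOW = timedelta(hours=4)   # country change faster than this is suspect

def parse(line):
    """Turn one key=value line into a dict with a parsed timestamp."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def review(text):
    """Return (timestamp, user, reason) for every event worth a human look."""
    records = [parse(line) for line in text.splitlines() if line.strip()]
    findings, last_login = [], {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, country, ts = rec["user"], rec["srccountry"], rec["ts"]
        if rec["event"].endswith("login"):
            if country not in KNOWN_COUNTRIES:
                findings.append((ts, user, "new-country"))
            prev = last_login.get(user)
            # Same account seen in two countries inside the travel window.
            if prev and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
                findings.append((ts, user, "impossible-travel"))
            last_login[user] = (ts, country)
        if rec["event"] == "admin-login" and ts.hour in NIGHT_HOURS:
            findings.append((ts, user, "night-admin-login"))
        if rec["event"] == "password-reset" and (user, rec["date"]) not in APPROVED_RESETS:
            findings.append((ts, user, "unrecognised-reset"))
    return findings

if __name__ == "__main__":
    for ts, user, reason in review(SAMPLE_LOG):
        print(ts.isoformat(sep=" "), user, reason)
```

Fill APPROVED_RESETS from your helpdesk tickets before each run so only resets nobody on staff recognises are flagged.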
Pair technical checks with staff awareness. Finance teams should know ACSC never cold-calls demanding remote access while IT works through FortiBleed remediation.
Board and owner accountability
Directors who do not understand VPN exposure still own breach consequences. Ask IT for a one-page FortiBleed status memo: exposure yes or no, rotation completed, MFA status, next review date. Store it with cyber insurance documents for EOFY governance packs.
Frequently Asked Questions
What is FortiBleed?
FortiBleed is the name security researchers gave to a 2026 credential harvesting campaign targeting internet-exposed Fortinet FortiGate firewalls and VPN gateways.
Did ACSC issue a critical alert?
Yes. ACSC published Critical Alert: Act Now advisories on 18 June and again on 22 June 2026 regarding FortiBleed activity.
Is this a new Fortinet vulnerability?
Fortinet’s June analysis emphasises reused credentials and weak authentication hygiene rather than a newly disclosed product flaw at the time of the alert.