Cydome says maritime, ports and energy companies were among organisations whose Fortinet firewall passwords and logins were exposed in the recent “FortiBleed” incident.
According to the company’s threat-intelligence unit, the incident involved more than 86,000 administrator credentials linked to Fortinet firewalls and other devices across thousands of organisations in 194 countries. Cydome said the access could allow attackers to compromise target networks and data.
Cydome also reported that the leak, which it estimated represents 50% of all internet-reachable FortiGate devices, included 703 satellite-linked IP addresses associated with maritime satcom service providers.
Of more than 250 maritime firms that Cydome said were impacted, most were shipowner and ship management companies. Cydome founder and CEO Nir Ayalon said this was “consistent with FortiBleed hitting the operational core of maritime trade, not just back-office IT”.
“Although we are still monitoring the extent of FortiBleed on the industry, of all maritime-related logins leaked, 41.5% were shipping and freight companies, 31.2% were offshore contractors and service companies, 10.7% newbuild and repair yards, and 6.7% were Port Authorities and logistics firms.
“The team found that 87% of Fortinet devices exposed to the internet still had internet-facing management interfaces available, while 63% of harvested credentials related to default or built-in administrator accounts that had never been renamed.
“This suggests that many organisations have not yet taken the steps needed to fully secure affected systems… probably because they don’t know they have been hacked, yet!” said Ayalon.
Cydome said FortiBleed differs from many cyber incidents because it does not rely on a newly discovered software vulnerability. Instead, it said attackers used older administrator credentials that remained vulnerable after software upgrades.
In many cases, Cydome said organisations updated systems but did not fully replace and discard legacy passwords, allowing attackers to recover valid credentials and test them against live devices, even after a Fortinet software patch.
Cydome co-founder and VP R&D Alon Ayalon said the incident had already prompted action from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
“We urge organisations to follow the CISA guidance and terminate active administrator and VPN sessions, reset passwords, enable multi-factor authentication and investigate systems for signs of unauthorised access.”
He said appearing in the FortiBleed dataset “does not necessarily mean an organisation is compromised”, but indicated credentials linked to network security infrastructure had been exposed and should be treated as a potential vulnerability.
“Shipping is one of the world’s most connected industries, and that connectivity is essential for efficient operations,” he said.
“If attackers obtain trusted administrator access, they can move through networks unnoticed, gain control over operational systems or sell the information to ransomware groups and other cybercriminals. Protecting digital identities is just as important as protecting the IT and OT systems themselves.”
Cydome said maritime companies can check whether their domain or IP address is included in the dataset using a tool at fortibleedcheck.cydome.io.

