The global maritime, ports, and energy sectors are facing heightened cybersecurity concerns following revelations from Cydome’s threat intelligence unit regarding a major data exposure linked to Fortinet firewall credentials. The incident, referred to as “FortiBleed,” has raised serious concerns over the security of critical infrastructure networks across the maritime industry and beyond.
Maritime Security Breach
Cydome’s threat-intelligence unit has identified major maritime, ports and energy companies as having Fortinet firewall passwords and logins leaked in the recent “FortiBleed” incident.
More than 86,000 administrator credentials for Fortinet firewalls and other devices protecting the networks of thousands of organisations across 194 countries were breached, giving hackers unauthorised access to the Fortinet devices and enabling them to further compromise the target networks and data.
In addition, Cydome research shows that the leak, which is estimated to represent 50% of all internet-reachable FortiGate devices, also included 703 satellite-linked IP addresses associated with maritime satcom service providers.
Of the 250+ maritime firms found to be impacted by the incident, most were shipowner/management companies, with Cydome founder and CEO Nir Ayalon noting that this is “consistent with FortiBleed hitting the operational core of maritime trade, not just back-office IT.”
Exposure Scale Findings
Expanding on the scope of the breach, Cydome provided detailed findings on how the exposure was distributed across maritime sectors.
“Although we are still monitoring the extent of FortiBleed on the industry, of all maritime-related logins leaked, 41.5% were shipping and freight companies, 31.2% were offshore contractors and service companies, 10.7% newbuild and repair yards, and 6.7% were Port Authorities and logistics firms,” said Nir Ayalon.
He added: “The team found that 87% of Fortinet devices exposed to the internet still had internet-facing management interfaces available, while 63% of harvested credentials related to default or built-in administrator accounts that had never been renamed.”
Ayalon further stated: “This suggests that many organisations have not yet taken the steps needed to fully secure affected systems… probably because they don’t know they have been hacked, yet!”
Cyber Risk Advisory
Building on these findings, Cydome and industry experts emphasized that FortiBleed represents a structural credential exposure rather than a conventional software vulnerability.
FortiBleed differs from many cyber incidents because it is not based on a newly discovered software vulnerability. Instead, it exploits older administrator credentials that remained vulnerable after software upgrades.
In many cases, organisations updated their systems but did not take all the necessary steps to fully replace and discard legacy passwords, allowing attackers to recover valid credentials and test them against live devices - even after the Fortinet software patch.
Commenting on the seriousness of the incident, Cydome co-founder and VP R&D Alon Ayalon said it has already prompted action from the U.S. Cybersecurity and Infrastructure Security Agency (CISA): “We urge organisations to follow the CISA guidance and terminate active administrator and VPN sessions, reset passwords, enable multi-factor authentication and investigate systems for signs of unauthorised access.”
He further noted that appearing in the FortiBleed dataset does not necessarily mean an organisation is compromised. “But it does indicate that credentials associated with its network security infrastructure have been exposed and should be treated as a potential vulnerability,” he said.
He also added: “Shipping is one of the world’s most connected industries, and that connectivity is essential for efficient operations.”
Finally, he warned: “If attackers obtain trusted administrator access, they can move through networks unnoticed, gain control over operational systems or sell the information to ransomware groups and other cybercriminals. Protecting digital identities is just as important as protecting the IT and OT systems themselves.”