Fortinet's CVE-2018-13379 was patched in May 2019 and issued a CISA emergency directive in November 2020. The FortiBleed campaign, disclosed this week, used custom memory-parsing scripts to extract plaintext credentials from VPN session buffers on devices still running pre-patch firmware in 2024 and 2025 -- meaning the operational window between published fix and actual remediation across thousands of enterprise edge devices ran to between four and six years. The credential corpus now in circulation covers FortiGate appliances at financial institutions, critical infrastructure operators, and government networks across APAC, North America, and Europe, per the BleepingComputer disclosure. Fortinet's advisory framed the campaign as the work of a state-affiliated group exploiting a "known vulnerability." The sniffer scripts extracted credentials from live session memory. Those are different stories.
The practical consequence for FSI CISOs in the region is not the breach itself but the inventory problem it exposes: MAS TRM Guideline 11.2 requires that financial institutions maintain a current asset register with patch status, and HKMA's Supervisory Policy Manual CR-G-14 sets a similar expectation, yet the FortiBleed victim list -- which BleepingComputer reports includes institutions in at least a dozen countries -- is a working proof that neither framework has produced a remediation cadence fast enough to close a six-year window on a severity-9.8 CVE. The control that changes this outcome is automated patch-compliance telemetry at the perimeter, not a quarterly audit cycle. MAS's next Technology Risk Examination round, scheduled for Q3 2026, will have a ready-made question for every institution whose FortiGate appears in that corpus.