
FortiBleed: Active Credential Compromise Campaign Targeting Fortinet Firewall and VPN Infrastructure

June 18th, 2026

Critical

Our Cyber Threat Intelligence Unit is monitoring an active credential harvesting campaign, publicly disclosed on June 16, 2026, that targets internet-facing Fortinet firewall and VPN devices worldwide. Known as FortiBleed, the campaign has assembled a database of verified login credentials for Fortinet devices in 194 countries: SOCRadar reports 86,644 compromised devices, while Hudson Rock identifies 73,932 unique firewall URLs. Independent security researcher Bob Diachenko first reported the campaign and shared his findings with Hudson Rock. The activity stems from reused or previously leaked Fortinet credentials rather than a new product vulnerability, so it mainly affects organizations with exposed management interfaces and reused, weak, or unrotated credentials. Telecommunications and government organizations are among the most affected, and the exposure of government credentials carries national security implications. The campaign is ongoing, and the dataset has not been seen for sale on criminal forums. Organizations using Fortinet firewall or VPN infrastructure should treat any credentials that appear in the dataset as compromised and act immediately.

Technical Details

  • Threat Type: Credential harvesting / unauthorized access (credential compromise, not a product vulnerability)

  • Severity: Critical

  • Affected Systems: Internet-facing Fortinet FortiGate firewalls and SSL VPN/management interfaces

  • Threat Actors: Multi-operator, Russian-speaking cybercriminal group (unattributed to a named APT at time of disclosure)

Attack Chain:

  • Scanning: Threat actors scan the internet for exposed Fortinet management interfaces, primarily on port 443, with secondary scanning on ports 4443, 8443, and 10443.

  • Credential acquisition: The precise initial access method has not been definitively confirmed; two mechanisms appear to be operating in parallel:

      • Credential stuffing: Automated tooling tests a curated list of previously leaked Fortinet credentials, primarily default and built-in system accounts never rotated after prior breaches, against each identified device.

      • Config extraction and hash cracking: Arctic Wolf and researcher Kevin Beaumont documented a second vector in which FortiGate configuration files are extracted from internet-facing devices, with the stored credential hashes cracked offline on a reported 45-GPU Hashtopolis cluster.

  • Post-compromise collection: Once inside a device, actors passively monitor traffic transiting the firewall to capture additional credentials.

  • Self-sustaining loop: Newly captured credentials are fed back into the scanning infrastructure, allowing the campaign to expand without manual intervention.

  • Discovery: Independent researcher Bob Diachenko made the initial public disclosure after identifying the exposed server. SOCRadar independently identified the same operational infrastructure, which included the credential database, automation scripts, and supporting tooling.

Contributing factor: Fortinet introduced PBKDF2-based password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1 to replace the legacy SHA-256 with Salt storage method. Until an administrator logs in following an upgrade, credentials stored prior to the update remain in SHA-256 with Salt format and are susceptible to offline cracking if configuration files are extracted.
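The following is an added illustration, not code from the advisory or from Fortinet, of why an un-migrated hash matters once a configuration file is in an attacker's hands. It models a "legacy" credential as a single salted SHA-256 and a migrated one as PBKDF2-HMAC-SHA256, runs the same offline dictionary attack against both, and measures how many legacy guesses fit into the time of one PBKDF2 guess. The salt, the leaked-password list, the account names, and the 200,000-iteration work factor are all constructed for the demo; the real on-disk FortiOS hash format and parameters are not reproduced here.

```python
"""Toy model: legacy salted SHA-256 vs PBKDF2 under an offline dictionary attack."""
import hashlib
import hmac
import time

# Assumed work factor for the illustration; not a Fortinet parameter.
PBKDF2_ITERATIONS = 200_000
# Constructed salt and "previously leaked" password list for the demo.
SALT = b"constructed-salt"
LEAKED_PASSWORDS = ["password", "admin", "Fortinet123", "Welcome1", "Summer2024!"]


def legacy_sha256_salt(password: str, salt: bytes) -> bytes:
    """One salted SHA-256 per guess: no work factor, so GPU cracking is cheap."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_sha256(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs PBKDF2_ITERATIONS HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


SCHEMES = {"legacy": legacy_sha256_salt, "pbkdf2": pbkdf2_sha256}


def build_extracted_config():
    """Constructed stand-in for credentials pulled from an extracted config.

    'admin' was set before the upgrade and never re-logged-in (legacy hash);
    'ops' was set after migration, with a password outside the leak list.
    """
    return {
        "admin": ("legacy", legacy_sha256_salt("Fortinet123", SALT)),
        "ops": ("pbkdf2", pbkdf2_sha256("Kq7!vZ2#pLm9sWx^", SALT)),
    }


def dictionary_attack(scheme, target, salt, wordlist):
    """Offline dictionary attack against one stored hash; password or None."""
    hash_fn = SCHEMES[scheme]
    for candidate in wordlist:
        if hmac.compare_digest(hash_fn(candidate, salt), target):
            return candidate
    return None


def crack_extracted_config(config=None):
    """Run the leaked-password list against every account in the config."""
    config = config or build_extracted_config()
    return {
        user: dictionary_attack(scheme, digest, SALT, LEAKED_PASSWORDS)
        for user, (scheme, digest) in config.items()
    }


def guesses_per_second(hash_fn, n):
    """Rough single-threaded guess rate for a hash function."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn(f"guess{i}", SALT)
    return n / (time.perf_counter() - start)


def cost_ratio():
    """How many legacy guesses fit into the time of a single PBKDF2 guess."""
    return guesses_per_second(legacy_sha256_salt, 20_000) / guesses_per_second(pbkdf2_sha256, 2)


if __name__ == "__main__":
    print(crack_extracted_config())
    print(f"legacy/PBKDF2 guess-rate ratio: {cost_ratio():.0f}x")
```

The ratio is the whole point: PBKDF2 does not make a leaked password safe (a weak password migrated to PBKDF2 still falls to the same list, just slower), but it multiplies the attacker's cost per guess by the iteration count, which is why the advisory pairs the hash migration with credential rotation rather than treating either one as sufficient.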


Impact

  • Perimeter Compromise: Confirmed access to a Fortinet management interface or SSL VPN gateway gives threat actors a direct foothold into the target network.

  • Lateral Movement and Data Theft: Initial access positions attackers to move laterally through internal environments, conduct reconnaissance, harvest credentials from transiting traffic, and exfiltrate sensitive data.

  • Scale of Exposure: Figures vary across sources. SOCRadar identifies 86,644 compromised devices across 194 countries; Hudson Rock identifies 73,932 unique Fortinet firewall URLs. Both datasets include verified credentials for major organizations including Foxconn, Samsung, Siemens, PwC, Accenture, and Comcast.

  • Critical Infrastructure at Risk: 5,616 credential entries are linked to telecommunications organizations and 591 to government entities across 111 domains, elevating risk to essential services and national security.

  • Enterprise Exposure: Organizations generating more than $1 billion in annual revenue represent over 20% of all entries in the dataset, reflecting significant financial and reputational risk.

  • Active and Ongoing Threat: The dataset has not yet been observed for sale on criminal forums, but the confirmed working credentials it contains represent an immediate risk to affected organizations independent of any future public release.

Detection Method

  • Monitor Fortinet authentication logs for successful logins to administrative or VPN accounts from previously unseen source IPs or unusual geographic regions.

  • Review FortiGate VPN and system event logs for SSL VPN logins outside normal business hours or with anomalous client characteristics.

  • Flag repeated authentication attempts against management interfaces on ports 443, 4443, 8443, and 10443 from external IP ranges, particularly against default or built-in account names (e.g., admin, Fortinet system accounts, support accounts).

  • Audit configured administrator accounts for default, factory-set, or long-unrotated credentials, and confirm no legacy SHA-256 with Salt password hashes remain active after a FortiOS upgrade.

  • Cross-reference your organization's domains and IP ranges against credential-leak monitoring or dark-web intelligence sources to determine exposure.
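The detection bullets above can be reduced to three rules over FortiOS-style event logs: a successful login from a source never seen for that account, a successful login outside business hours, and a burst of failed logins against a built-in administrator name from one source. The script below is an added example, not tooling from the advisory or from Fortinet: it parses the key=value log layout, applies those rules, and runs them over a handful of constructed log lines. The exact field and action names (srcip, remip, action="login", status="failed") follow the general FortiOS key=value style but should be checked against your own device's output; the known-source baseline, the admin watchlist, and the 07:00 to 19:00 business window are assumptions.

```python
"""Flag suspicious FortiGate admin/VPN logins in key=value event logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import time as dtime

# Matches key=value and key="quoted value" pairs as FortiOS writes them.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed watchlist of built-in / administrative account names.
ADMIN_ACCOUNTS = {"admin", "maintainer"}
# Assumed business window; logins outside it are flagged.
BUSINESS_HOURS = (dtime(7, 0), dtime(19, 0))

# Constructed baseline: source IPs previously seen logging in as each user.
KNOWN_SOURCES = {"admin": {"10.0.5.12"}, "jdoe": {"192.0.2.40"}}


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict with quotes stripped."""
    return {key: val.strip('"') for key, val in KV_RE.findall(line)}


def detect(lines, known_sources, fail_threshold=5):
    """Return (rule, user, source) tuples for every rule that fires."""
    alerts = []
    failures = defaultdict(Counter)  # source ip -> user -> failed attempts
    for raw in lines:
        rec = parse_line(raw)
        action, status = rec.get("action", ""), rec.get("status", "")
        if "login" not in action:
            continue  # only authentication events matter here
        user = rec.get("user", "?")
        src = rec.get("srcip") or rec.get("remip", "?")  # admin UI vs SSL VPN peer
        if status == "success":
            if src not in known_sources.get(user, set()):
                alerts.append(("new-source", user, src))
            hh, mm, _ = rec["time"].split(":")
            if not BUSINESS_HOURS[0] <= dtime(int(hh), int(mm)) <= BUSINESS_HOURS[1]:
                alerts.append(("off-hours", user, src))
        elif status in ("failed", "failure"):
            failures[src][user] += 1
            # Fire once, when the threshold is crossed, not on every later failure.
            if user in ADMIN_ACCOUNTS and failures[src][user] == fail_threshold:
                alerts.append(("admin-bruteforce", user, src))
    return alerts


# Constructed sample log lines (TEST-NET addresses); not real device output.
SAMPLE_LOGS = [
    f'date=2026-06-17 time=01:50:0{i} logid="0100032002" type="event" subtype="system" '
    f'level="alert" action="login" status="failed" user="admin" srcip=198.51.100.23 '
    f'ui="https(198.51.100.23)" msg="Administrator admin login failed"'
    for i in range(1, 6)
] + [
    'date=2026-06-17 time=01:58:40 logid="0100032001" type="event" subtype="system" '
    'level="information" action="login" status="success" user="admin" srcip=198.51.100.23 '
    'ui="https(198.51.100.23)" msg="Administrator admin logged in successfully"',
    'date=2026-06-17 time=09:15:12 logid="0100032001" type="event" subtype="system" '
    'level="information" action="login" status="success" user="admin" srcip=10.0.5.12 '
    'ui="https(10.0.5.12)" msg="Administrator admin logged in successfully"',
    'date=2026-06-17 time=14:30:05 logid="0101039424" type="event" subtype="vpn" '
    'level="information" action="login" status="success" user="jdoe" remip=203.0.113.7 '
    'tunneltype="ssl-web" msg="SSL VPN login"',
]


def run_sample():
    """Apply the rules to the constructed sample; see the usage note for the result."""
    return detect(SAMPLE_LOGS, KNOWN_SOURCES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the five failures from 198.51.100.23 trigger admin-bruteforce once, the 01:58 success from the same address then fires both new-source and off-hours, the 09:15 admin login from the baselined 10.0.5.12 is silent, and the SSL VPN login by jdoe from 203.0.113.7 fires new-source only. That sequence (failures, then a success from the same external address, then quiet) is the pattern the credential-stuffing stage of this campaign leaves behind, and the new-source rule is what makes a successful stuffed login visible even when it lands inside business hours.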

Indicators of Compromise

There are no Indicators of Compromise for this Advisory.


Recommendations

  • Rotate all administrative and VPN account passwords on Fortinet devices immediately, prioritizing accounts unchanged since a prior breach.

  • Enforce multi-factor authentication on every administrative and remote access account.

  • Restrict management interface access from the public internet; limit access to trusted internal networks only.

  • Apply the latest FortiOS firmware and require all administrators to log in once after upgrading to initiate migration to PBKDF2 password hashing.

  • For organizations running FortiOS 7.2.x or 7.4.x: while administrator re-login converts the active credential to PBKDF2, the legacy SHA-256 with Salt hash persists in a hidden 'old-password' configuration field. Enable the 'login-lockout-upon-weaker-encryption' setting under system password-policy to fully remove residual SHA-256 hashes (source: Arctic Wolf).

  • Monitor authentication and VPN logs for unfamiliar login activity and investigate matches against known exposed credentials.

  • If compromise is suspected or confirmed, initiate Active Directory forensic review to identify lateral movement or credential harvesting activity within connected environments.

  • Engage incident response support if your organization's domains or IP ranges appear in the FortiBleed dataset, and treat the exposure as a confirmed compromise.

Conclusion

FortiBleed is an ongoing, large-scale credential compromise campaign targeting Fortinet firewall and VPN infrastructure across 194 countries. The exact method of credential acquisition remains unconfirmed, but it likely involves credential stuffing with leaked passwords and offline cracking of hashes from FortiGate configuration files. Organizations using Fortinet devices should immediately rotate all credentials, enforce MFA on external gateways, limit exposure of the management interface, apply FortiOS password policy hardening where applicable, check whether their domain is listed on the Hudson Rock disclosure portal, and conduct a forensic review of Active Directory.
