
Hoplon InfoSec
19 Jun, 2026
On June 17, 2026, security researcher Volodymyr "Bob" Diachenko made an accidental but alarming discovery. While scanning the internet, he stumbled onto an exposed server that should never have been publicly accessible. The server did not belong to a corporation or a government agency. It belonged to an active criminal operation.
Inside that server, Diachenko found what turned out to be one of the most comprehensive collections of Fortinet firewall credentials ever assembled: usernames, email addresses, and plaintext passwords tied to 73,932 Fortinet FortiGate firewalls and SSL VPN gateways across 194 countries. The incident has since been named FortiBleed, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency advisory urging every affected Fortinet customer to act immediately.
Before diving into the mechanics, one thing needs to be said clearly: FortiBleed has no CVE number and there is no patch to download. This is not a software vulnerability in the traditional sense. It is the result of years of accumulated credential theft, weak password hashing, and security hygiene failures across tens of thousands of organizations. Patching FortiOS will not fix it. Only active, deliberate remediation will.
The numbers attached to FortiBleed are difficult to absorb.
The dataset contains credentials for 73,932 unique firewall and VPN URLs spanning 194 countries. Some researchers, using Shodan scan data, estimate that this represents roughly half of all internet-facing FortiGate devices discoverable online. Think about that for a moment: half of every publicly accessible Fortinet firewall on the internet may have had its credentials exposed in a single dataset.
The picture gets more serious when you look at what attack surface management researchers confirmed. SOCRadar independently analyzed the dataset and found that approximately 30,791 of those credentials were verified working at the time of discovery. These were not old, rotated, or guessed passwords. The attackers had tested every single entry using automated tooling and confirmed which credentials still opened a live door.
The organizations whose names appear in the dataset span almost every sector imaginable. Publicly reported names include Samsung, Oracle, Foxconn, Comcast, AT&T, Siemens, Lenovo, Huawei, Spotify, Sony, Mercedes-Benz, Toyota, Chevron, FedEx, and ADP. Government agencies and critical infrastructure operators across telecommunications, healthcare, financial services, and manufacturing also appear throughout the data.
Most significantly, researcher Diachenko confirmed that at least four organizations were fully compromised before the dataset was discovered. One of them was a Turkish NATO defence contractor. Classified documents were stolen from that organization's network.
FortiBleed vs Previous Fortinet Credential Incidents
Top 10 Countries by Number of Affected Devices
The discovery of FortiBleed was, in a strange way, the result of the attackers making a mistake.
Criminal operations like this one require infrastructure: servers to store stolen data, scripts to automate credential testing, logs to track which attempts succeeded. The group behind FortiBleed had all of this. What they failed to do was secure that infrastructure properly. Diachenko found their operational server sitting open on the public internet, complete with tools, scripts, and logs that effectively handed researchers a window into the entire operation.
From that exposed server, threat intelligence firm Hudson Rock analyzed the dataset and gave the campaign its name. Independent researcher Kevin Beaumont then personally verified credentials across multiple organizations in the dataset and confirmed they were real and active. His assessment was blunt: "The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data."
Beaumont also noted something that matters for understanding the severity: the IP addresses in the FortiBleed dataset do not overlap with those in the 2025 Belsen Group leak. This is not recycled old data. It is a newer, larger, and entirely separate collection of compromised credentials.
Hudson Rock has published a free FortiBleed lookup tool that allows any organization to check whether their domain appears in the dataset. SOCRadar has released a similar checker.
The operation behind FortiBleed is not a simple hack. It is an industrial-scale credential harvesting pipeline with five distinct phases. Understanding each phase tells you exactly where your organization was vulnerable and why rotating passwords alone may not be enough.
Phase 1: Internet-Wide Scanning
Before attacking anything, the group needed a target list. They swept approximately 59.3 million internet hosts to identify every exposed FortiGate management interface and SSL VPN endpoint visible from the public internet. This produced a comprehensive map of every Fortinet device that could be reached without first gaining network access.
Phase 2: Credential Stuffing at Scale
Against those targets, the group launched approximately 1.16 billion credential attempts against over 320,000 FortiGate devices. Running in parallel, they also fired 2.1 billion brute-force attempts at more than 160,000 Microsoft SQL Server instances. That parallel MSSQL campaign is important context: this was never purely a Fortinet operation. It was a broad initial-access campaign where Fortinet devices were one high-value target among many.
The credentials used in this stuffing campaign came from three main sources: previous Fortinet breach dumps including the 2021 dark web leak and the 2025 Belsen Group dataset, infostealer malware logs that captured plaintext passwords from infected endpoints, and historical credential leak databases compiled from breaches across other platforms.
Phase 3: SSL VPN Hash Interception and Offline Cracking
For the targets where credential stuffing did not immediately work, the group used a more sophisticated method. They intercepted SSL VPN authentication hashes during active login sessions. These hashes were then sent to a dedicated 45-GPU cracking cluster managed through Hashtopolis, an open-source distributed password-cracking framework widely used in both penetration testing and criminal operations.
Hashtopolis allows the work of cracking to be distributed across many machines simultaneously, running around the clock. This is how the attackers succeeded in breaking even complex, lengthy passwords. One of the most striking findings reported by independent researchers was that many of the cracked passwords in the FortiBleed dataset were long, randomly generated strings that would theoretically take years to crack through conventional brute force. The 45-GPU cluster shortened that timeline dramatically.
Phase 4: Validation and Enrichment
After collecting credentials through stuffing and hash cracking, the group did not simply dump the data. They validated every entry against live systems using automated tools running continuously. Each successfully validated credential was then enriched with organizational metadata: company name, industry sector, estimated revenue, employee count, country, and the specific interface the credential worked against (whether the admin management panel or the SSL VPN endpoint).
The result was not a raw credential dump. It was a structured, searchable targeting database organized by country, sector, and company revenue, effectively a ready-to-use directory for follow-on intrusion operations. Threat actors can query it to find, for example, all verified working FortiGate admin credentials in the financial services sector in a specific country, and then launch targeted attacks against those organizations.
Phase 5: Post-Access Lateral Movement
Once the attackers had valid credentials for a device, they did not stop at the firewall. They used that foothold to pivot directly into internal Active Directory environments. An attacker with FortiGate admin access can reach domain controllers, file shares, backup systems, and internal databases. This is why a firewall credential breach is categorically different from, say, a web application credential leak. It is access to the most trusted device on the network, and from there the entire organization is open.
The Five-Phase FortiBleed Attack Pipeline
The group responsible for FortiBleed has been described by researchers as a multi-operator, Russian-speaking cybercriminal organization. That description carries an important caveat: Russian-speaking does not mean Russian government. Attribution in cybercrime is rarely clean, and no specific APT group name has been publicly confirmed as of this writing.
What researchers have pieced together from the accidentally exposed operational server is a picture of a professional, well-funded criminal enterprise. The group operates on a continuous cycle: stolen credentials and intercepted hashes are fed back into their tooling to expand access, and newly compromised devices add more credentials to the pool. This is not a one-time attack. It is an ongoing operation designed to maintain persistent access across thousands of organizations globally.
The accidental exposure of their infrastructure is a rare operational security failure. Criminal groups of this sophistication typically compartmentalize their tools and data carefully. In this case, a misconfigured server gave researchers a clear view of the entire operation, which is the only reason FortiBleed became public knowledge when it did.
The broader pattern here also matters. Groups like Qilin have repeatedly demonstrated that corporate VPN and firewall appliances are now a standard initial access vector. The threat intelligence community has tracked an accelerating trend of credential theft campaigns specifically targeting perimeter devices, because those devices, once compromised, unlock everything behind them.
Fortinet has been a repeated target of credential theft campaigns for years. Understanding the full history helps explain why FortiBleed represents a new level of severity and why organizations that thought they were safe after previous incidents may still be exposed.
2021 VPN Credential Leak. A threat actor posted approximately 500,000 FortiGate VPN credentials to a dark web forum. The source of the theft was never confirmed. Many affected organizations never rotated their credentials afterward, which means those same passwords may have fed directly into the FortiBleed dataset five years later.
January 2025 Belsen Group Leak. The Belsen Group exploited CVE-2022-40684, a known authentication bypass vulnerability, to extract configuration files from approximately 15,000 FortiGate devices. Unlike FortiBleed, this incident had a specific CVE and a patch. Organizations that applied the patch were protected.
January 2026, CVE-2026-24858. A CVSS 9.4 authentication bypass in FortiCloud SSO was added to the CISA Known Exploited Vulnerabilities catalog. Before patches were widely applied, attackers used the vulnerability for additional configuration exfiltration.
FortiBleed, June 2026. The IP addresses in the FortiBleed dataset do not overlap with those in the Belsen Group leak. This rules out any interpretation of FortiBleed as repackaged old data. SOCRadar confirmed no evidence of a newly exploited zero-day vulnerability in the FortiBleed operation. The campaign relied entirely on credential reuse, infostealer logs, and SSL VPN hash cracking. It is the largest Fortinet credential exposure on record.
To understand why criminal groups invest this much effort in targeting Fortinet firewalls specifically, it helps to think about what a FortiGate device actually does. It sits at the edge of the network. It terminates VPN connections. It enforces access control rules. It holds privileged credentials. Anyone with valid FortiGate admin credentials can bypass your entire perimeter security model without triggering most intrusion detection systems, because they are logging in legitimately.
There is also a specific technical weakness that made FortiBleed possible at the scale it reached. Before early 2025, FortiOS stored admin credentials hashed with SHA-256 with a static salt. SHA-256 was designed for speed, which is great for data integrity but terrible for password storage. A 45-GPU cluster running Hashtopolis can test billions of SHA-256 combinations per second.
In early 2025, Fortinet updated FortiOS to store credentials using PBKDF2 with a randomized salt. PBKDF2 is intentionally slow. Each password guess requires significantly more computational work, making offline cracking far less practical even with industrial GPU clusters. The problem is that this upgrade only takes effect when an administrator actively re-authenticates after applying the firmware update. Any admin account that has not re-authenticated since the update was applied is still storing its password using the old, crackable SHA-256 method.
SHA-256 vs PBKDF2 Password Hashing Comparison
This is why vulnerability management for firewall devices cannot be reduced to patching alone. Patching installs the new hashing algorithm. Re-authentication activates it. Most organizations never completed that second step.
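The hashing point above is easier to see in working code. The following is an added illustration, not FortiOS code and not Fortinet's implementation: the record layouts, the static salt value, the PBKDF2 iteration count and the account names are all constructed for the example. It shows three things: that a fast hash with one shared salt lets an attacker hash each guess once and compare it against every account at no extra cost (and that two accounts with the same password become visibly identical), that a per-record random salt plus a work factor removes both shortcuts, and that a store migrated only on successful login leaves every account that has not re-authenticated on the old scheme.

```python
"""Added example: fast hash + static salt versus PBKDF2 + random salt, and why
the upgrade only lands when a user re-authenticates. Not FortiOS code; record
formats, salt value and iteration count are assumptions made for illustration."""
import hashlib
import hmac
import os
import time

STATIC_SALT = b"static-salt-shared-by-all-accounts"  # constructed: one salt for every record
PBKDF2_ITERATIONS = 200_000  # assumed work factor; any real product chooses its own


def legacy_hash(password: str) -> dict:
    """Old-style record: one SHA-256 over static salt + password. Fast to compute, fast to crack."""
    digest = hashlib.sha256(STATIC_SALT + password.encode()).hexdigest()
    return {"scheme": "sha256-static", "hash": digest}


def pbkdf2_hash(password: str) -> dict:
    """New-style record: PBKDF2-HMAC-SHA256 with a random per-record salt and a work factor."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "iters": PBKDF2_ITERATIONS, "hash": dk.hex()}


def verify(record: dict, password: str) -> bool:
    """Check a password against either record type, using a constant-time comparison."""
    if record["scheme"] == "sha256-static":
        return hmac.compare_digest(record["hash"], legacy_hash(password)["hash"])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(record["hash"], dk.hex())


def authenticate_and_migrate(store: dict, user: str, password: str) -> bool:
    """Models 'patching installs the new algorithm, re-authentication activates it':
    a record is rewritten as PBKDF2 only when its owner logs in with the correct password."""
    record = store[user]
    if not verify(record, password):
        return False
    if record["scheme"] != "pbkdf2":
        store[user] = pbkdf2_hash(password)
    return True


def static_salt_precompute_hits(store: dict, guesses: list) -> int:
    """With one static salt an attacker hashes each guess ONCE and matches it against
    every legacy record; the work does not grow with the number of accounts."""
    table = {legacy_hash(g)["hash"]: g for g in guesses}
    return sum(1 for r in store.values() if r["scheme"] == "sha256-static" and r["hash"] in table)


def guesses_per_second(scheme: str, seconds: float = 0.2) -> float:
    """Rough single-core throughput of one scheme. GPU clusters scale both, but the ratio stays."""
    salt = os.urandom(16)
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        if scheme == "sha256-static":
            hashlib.sha256(STATIC_SALT + b"guess").digest()
        else:
            hashlib.pbkdf2_hmac("sha256", b"guess", salt, PBKDF2_ITERATIONS)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample accounts, all still on the legacy scheme after a firmware update.
    store = {"admin": legacy_hash("Winter2024!"),
             "vpn-ops": legacy_hash("Winter2024!"),   # same password as admin: identical hash
             "auditor": legacy_hash("x7$Lq9!p")}
    print("one precomputed wordlist matched", static_salt_precompute_hits(store, ["Winter2024!"]), "accounts")
    authenticate_and_migrate(store, "admin", "Winter2024!")   # only admin re-authenticates
    print({u: r["scheme"] for u, r in store.items()})          # vpn-ops and auditor stay sha256-static
    print(f"sha256+static ~{guesses_per_second('sha256-static'):,.0f}/s, "
          f"pbkdf2 ~{guesses_per_second('pbkdf2'):,.0f}/s on one core")
```

Running it shows the two accounts sharing a password produce the same legacy hash, that a single hashed wordlist matches both at once, and that after one admin logs in only that record changes scheme; the throughput line makes the cost gap between the two schemes concrete on whatever machine it runs on.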
CISA's advisory on FortiBleed is direct. The agency stated that it is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials. For affected FortiGate appliance owners, CISA issued a specific set of required actions.
• Terminate all active SSL VPN sessions and administrative sessions immediately
• Reset all VPN passwords and administrative passwords without exception
• Enable phishing-resistant multifactor authentication on all admin accounts
• Review logs for any signs of unauthorized access or lateral movement
• Migrate to PBKDF2 password hashing by ensuring all admins re-authenticate after the latest FortiOS firmware update
• Restrict firewall management interfaces so they are not accessible from the public internet
• Remove any unauthorized user accounts found during the review
Fortinet's own public statement took a different tone. The company told reporters that the FortiBleed data is "a resharing of data from previous incidents, as well as bruteforcing of credentials" and "not related to any recent incident or advisory." Researchers pushed back on this framing. Kevin Beaumont confirmed the credentials were real and active. The affected IP addresses differ from those in the 2025 Belsen Group dataset, which makes the "resharing of old data" explanation incomplete at best. CISA's advisory carries more operational weight here: the agency does not issue emergency guidance for historical data that poses no current risk.
Before taking remediation steps, you need to know whether your organization appears in the dataset. Here is exactly how to check.
Step 1: Use the Hudson Rock FortiBleed Lookup Tool
Hudson Rock has published a free domain lookup tool specifically for FortiBleed. Enter your organization's domain and it will tell you whether any associated Fortinet credentials appear in the dataset. This is the fastest first check.
Step 2: Check the SOCRadar FortiBleed Checker
SOCRadar independently built a separate checker tool. Running your domain through both tools gives you better coverage, since the two firms may have analyzed slightly different portions of the data.
Step 3: Review FortiGate Authentication Logs
Arctic Wolf recommends reviewing FortiGate authentication logs going back to at least January 2026. Look for anomalous patterns: login attempts from unusual geographic locations, incomplete authentication sequences, and sessions that authenticated but performed no visible legitimate activity.
Step 4: Check RADIUS and LDAP Logs for Hash Interception Indicators
SSL VPN hash interception leaves a specific fingerprint in authentication logs. Look for RADIUS or LDAP log entries showing incomplete authentication attempts immediately followed by no further legitimate session activity. These entries indicate that an authentication handshake was intercepted before it completed, which is consistent with hash capture for offline cracking.
Step 5: Check for Active Directory Anomalies
If your FortiGate credentials appear in the dataset, or if log review reveals suspicious authentication patterns, immediately audit your Active Directory environment. Look for new accounts created without authorization, changes to group membership, unusual service account activity, and any lateral movement indicators between the date of first suspicious log entry and today.
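Steps 3 and 4 can be turned into a repeatable triage pass. The script below is an added example, not an Arctic Wolf or Fortinet tool: it runs three checks over a constructed authentication log, flags successful logins from countries outside each user's known baseline, sessions that authenticated but moved no traffic, and RADIUS/LDAP access requests that were never accepted or rejected and were followed by no firewall activity for that user. The key=value line layout, field names, users, addresses and timestamps are all assumptions built for the example, not an exact FortiGate or RADIUS schema; a real deployment would swap the parser for the device's actual field names.

```python
"""Added example: triage of constructed auth log lines for the patterns named in
Steps 3 and 4. Not a vendor tool; the key=value layout and field names are simplified
assumptions, not an exact FortiGate or RADIUS schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: firewall VPN events plus a RADIUS stream, simplified key=value layout.
SAMPLE_LOG = """\
ts=2026-03-02T08:01:10Z src=fw subtype=vpn action=login-ok user=jsmith remip=198.51.100.7 country=US session=s1
ts=2026-03-02T08:05:44Z src=fw subtype=vpn action=tunnel-traffic user=jsmith session=s1 bytes=81234
ts=2026-03-02T08:20:10Z src=fw subtype=vpn action=login-ok user=jsmith remip=203.0.113.9 country=BR session=s2
ts=2026-03-02T08:50:12Z src=fw subtype=vpn action=logout user=jsmith session=s2 bytes=0
ts=2026-03-02T09:00:00Z src=radius action=access-request user=ops-admin remip=203.0.113.9
ts=2026-03-02T09:00:30Z src=radius action=access-request user=ops-admin remip=203.0.113.9
ts=2026-03-02T09:10:00Z src=radius action=access-request user=backup-svc remip=192.0.2.15
ts=2026-03-02T09:10:01Z src=radius action=access-accept user=backup-svc remip=192.0.2.15
ts=2026-03-02T09:10:05Z src=fw subtype=vpn action=login-ok user=backup-svc remip=192.0.2.15 country=US session=s3
ts=2026-03-02T09:40:00Z src=fw subtype=vpn action=tunnel-traffic user=backup-svc session=s3 bytes=5000
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(text: str) -> list:
    """Turn key=value lines into dicts with a parsed timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {k: v.strip('"') for k, v in KV.findall(line)}
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def unusual_geo(events: list, baseline: dict) -> list:
    """Step 3: successful logins from a country outside the user's known baseline.
    A user with no baseline entry is flagged on every login, which is the safe default."""
    return [(e["user"], e["country"], e["remip"]) for e in events
            if e.get("action") == "login-ok" and e["country"] not in baseline.get(e["user"], set())]


def idle_sessions(events: list) -> list:
    """Step 3: sessions that authenticated but never moved tunnel traffic."""
    active = {e["session"] for e in events
              if e.get("action") == "tunnel-traffic" and int(e.get("bytes", 0)) > 0}
    return [(e["user"], e["session"]) for e in events
            if e.get("action") == "login-ok" and e["session"] not in active]


def incomplete_auth(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Step 4: RADIUS/LDAP access-request with no accept/reject and no firewall activity for
    that user inside the window, consistent with a handshake captured for offline cracking."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = set()
    for user, evs in by_user.items():
        for e in evs:
            if e["src"] not in ("radius", "ldap") or e["action"] != "access-request":
                continue
            later = [x for x in evs if e["ts"] < x["ts"] <= e["ts"] + window]
            completed = any(x.get("action") in ("access-accept", "access-reject") for x in later)
            activity = any(x.get("src") == "fw" for x in later)
            if not completed and not activity:
                findings.add((user, e["remip"]))
    return sorted(findings)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    baseline = {"jsmith": {"US"}, "backup-svc": {"US"}}   # constructed per-user known countries
    print("logins outside baseline:", unusual_geo(evs, baseline))
    print("authenticated but idle:", idle_sessions(evs))
    print("incomplete RADIUS/LDAP auth, no session:", incomplete_auth(evs))
```

On the sample, the first check flags jsmith's login from BR, the second flags that same session s2 as authenticated-but-idle, and the third flags ops-admin's two access requests from the same address that never completed; backup-svc's request is not flagged because an access-accept and a normal session follow it. Those three signals together are what the steps above describe, and the remediation list in the CISA section is the response when any of them fires.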
FortiBleed Remediation Timeline
The long-term recommendations deserve additional context. Zero Trust Network Access (ZTNA) replaces the traditional perimeter trust model. Instead of granting broad network access to anyone who authenticates at the firewall, ZTNA requires continuous verification for every resource request. Even with valid FortiGate credentials, an attacker operating under a ZTNA model cannot simply walk into the internal network.
Continuous dark web monitoring is the second critical long-term measure. FortiBleed was discovered because of an attacker OPSEC failure. The next credential dump may not come with that warning. Services that monitor dark web forums and criminal marketplaces for your organization's credentials give you early warning before a leak becomes an active intrusion.
Finally, regular attack surface management scanning ensures that your firewall management interfaces do not drift back into public internet exposure over time. Configuration changes, new device deployments, and cloud migrations can all inadvertently re-expose management ports that were previously restricted.
The most important thing about FortiBleed is what it does not require. It does not require a new zero-day vulnerability. It does not require a sophisticated supply chain attack or a state-sponsored hacking team with unlimited resources. It requires old credentials that were never rotated, passwords stored with a hashing algorithm designed in 1993, and management interfaces left exposed to the public internet.
As one analyst put it, FortiBleed is a credential hygiene failure at civilizational scale. Fortinet devices have been targets of credential theft campaigns since at least 2021. Organizations that responded to each previous incident by applying patches but never rotating credentials or auditing their firewall exposure are now, five years later, finding their passwords in a criminal database ready for active exploitation.
The initial access broker economy makes this especially dangerous. Verified credentials like those in the FortiBleed dataset are not just used by the group that collected them. They are sold. Other criminal groups, including ransomware operators, purchase verified FortiGate credentials and use them as their entry point days or weeks later. By the time a ransomware payload deploys, the original credential theft may be months in the past.
This is why the response to FortiBleed cannot be treated as a one-time cleanup exercise. It requires the adoption of continuous monitoring, incident response planning, and an architectural shift away from perimeter-trust models. The attackers have already demonstrated they will return.
FortiBleed is the largest Fortinet credential exposure ever recorded. Seventy-three thousand firewall passwords across 194 countries, validated by the attackers themselves, organized into a searchable targeting database, and actively circulating in criminal markets as of today.
What makes it different from everything that came before is the absence of a single exploitable vulnerability. There is no CVE to patch, no advisory to respond to in the traditional sense. The only remediation is active, thorough credential hygiene across every FortiGate device your organization operates.
Hoplon InfoSec helps organizations respond to exactly this kind of threat. Its services range from digital forensic investigation, to determine whether your network was accessed before FortiBleed became public, to incident response and recovery if active compromise is confirmed, to long-term attack surface management and dark web monitoring that give you early warning before the next campaign reaches your devices. If your organization uses Fortinet firewalls, the time to act is now.
• CISA Advisory: FortiBleed Fortinet Device Credential Exposure
• BleepingComputer: FortiBleed Leak Exposes Fortinet VPN Credentials for 73,000 Devices