I tell people all the time: the adversaries are winning the race right now because they collaborate effectively, and they’re not beholden to safeguards like internal policies, GRC review, approval workflows, or security best practices. FortiBleed is a predictable outcome of threat actors’ laser-focus on gaining access to high-value targets at any cost. There’s no new exploit to chase here, no CVE to slot into a dashboard cell and watch turn green. This is a credential story. It’s messier, quieter, and harder to clean up than the classic vulnerability stories we’re used to.
Here’s the situation, what we know, and what you should be doing before the weekend.
FortiBleed summary
In mid-June, researcher Volodymyr “Bob” Diachenko stumbled onto an attacker-operated server that the crew had carelessly left open to the internet: scanning scripts, credential-testing tooling, logs, and a victim database neatly sorted by company, sector, revenue, and country. Inside was a dataset of working usernames and passwords for 73,932 internet-facing Fortinet FortiGate firewalls and SSL VPN gateways across 194 countries. According to research from SOCRadar and Hudson Rock, and independent researcher Kevin Beaumont, the dump looks legitimate: sourced from exported device configurations, not just login-screen phishing, and overwhelmingly from devices that are still online today. Analysts estimate this touches about half of every Fortinet device discoverable on the internet.
Now, the important part: FortiBleed is not a new zero-day. There is no assigned CVE. This is a large-scale credential exposure and validation campaign run by a multi-operator, Russian-speaking group. They swept the internet for exposed Fortinet boxes and tested them against billions of previously leaked credentials — about 1.16 billion login attempts against 320,000+ FortiGate targets, plus a parallel 2.1 billion brute-force run against 160,000+ MSSQL servers. Where they couldn’t reuse a password, they intercepted SSL VPN authentication hashes and cracked them offline on a GPU cluster.
Two important technical details:
- Strong passwords didn’t save anyone. A lot of the compromised credentials were 20-character monsters. Length and complexity didn’t matter, because the passwords were captured in plaintext by infostealers on the endpoint, before any hashing or encryption ever touched them. Complexity is irrelevant once the credential itself has leaked.
- The hashing gap is real. Older FortiOS releases stored admin passwords as a single fast SHA-256 hash. Newer releases (7.2.11+) use PBKDF2, but an upgrade does not rewrite existing hashes: the legacy hash persists until the admin next logs in or the password is reset. So a “patched, current” device can still be carrying a crackable legacy hash.
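To make the second point concrete, here is an added example (not Fortinet's code, and not FortiOS's on-disk format, which the post does not describe) that models the two storage schemes, measures how much cheaper offline guessing is against the fast hash, and shows why a legacy record survives an upgrade: it is only rewritten when the user presents the password at login. The record formats, the iteration count, and the wordlist are assumptions chosen for illustration.

```python
"""Legacy salted SHA-256 vs PBKDF2: offline guessing cost and the post-upgrade rehash gap.

Added example. The "SHA256$..." and "PBKDF2$..." record formats and the
iteration count are invented for this demo; they are not FortiOS's scheme.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 50_000  # assumption for the demo, not Fortinet's value


def hash_legacy(password: str, salt: bytes) -> str:
    """One salted SHA-256: cheap for the device, and just as cheap for a GPU cracker."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"SHA256${salt.hex()}${digest}"


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: the same primitive, but every guess costs `iterations` HMACs."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return f"PBKDF2${iterations}${salt.hex()}${digest}"


def verify(stored: str, password: str) -> bool:
    """Verify against either record format with a constant-time compare."""
    parts = stored.split("$")
    if parts[0] == "SHA256":
        candidate = hash_legacy(password, bytes.fromhex(parts[1]))
    elif parts[0] == "PBKDF2":
        candidate = hash_pbkdf2(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        raise ValueError("unknown hash format")
    return hmac.compare_digest(candidate, stored)


def verify_and_rehash(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Login path after the upgrade: a legacy record is replaced only when the
    user actually presents the password. Accounts nobody logs into keep the
    crackable hash, which is the gap the post describes."""
    if not verify(stored, password):
        return False, None
    if stored.startswith("SHA256$"):
        return True, hash_pbkdf2(password, os.urandom(16))
    return True, None


def audit_legacy(accounts: Dict[str, str]) -> List[str]:
    """Accounts still carrying a legacy hash: these need a forced reset, not a wait for login."""
    return sorted(user for user, rec in accounts.items() if rec.startswith("SHA256$"))


def crack(stored: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack: the attacker has the record, so no lockout applies."""
    return next((guess for guess in wordlist if verify(stored, guess)), None)


def guess_rate(stored: str, wordlist: List[str]) -> float:
    """Guesses per second against one record on this machine."""
    start = time.perf_counter()
    for guess in wordlist:
        verify(stored, guess)
    return len(wordlist) / max(time.perf_counter() - start, 1e-9)


def cost_ratio(legacy: str, pbkdf2: str, wordlist: List[str]) -> float:
    """How many times cheaper each guess is against the legacy hash."""
    return guess_rate(legacy, wordlist) / guess_rate(pbkdf2, wordlist)


if __name__ == "__main__":
    salt = os.urandom(16)
    legacy = hash_legacy("Tr0ub4dor&3-long-enough-to-feel-safe", salt)
    ok, upgraded = verify_and_rehash(legacy, "Tr0ub4dor&3-long-enough-to-feel-safe")
    print("legacy accounts before reset:", audit_legacy({"admin": legacy, "svc": upgraded}))
    wordlist = [f"password{i}" for i in range(20)]
    print(f"legacy hash is ~{cost_ratio(legacy, upgraded, wordlist):,.0f}x cheaper to guess")
```

The ratio printed at the end is the practical meaning of "fast hash": with the same wordlist and the same leaked record, the attacker gets orders of magnitude more guesses per second, and the length of the password only matters if it was never in an infostealer dump to begin with.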
And here’s why edge gear is such a prize: once they’re on the box, they use it as a listening post, watching traffic, scooping up more credentials, feeding those back into the scanner. From there it’s a short hop into Active Directory. Start the incident clock.
Who’s impacted
Being named in the dataset is not the same as a confirmed breach. But the spread is genuinely broad. Public reporting (Hudson Rock, SOCRadar, Tech Times) lists exposed credentials tied to organizations across nearly every sector of the global economy, including names like Accenture, PwC, Oracle, Samsung, Siemens, Foxconn, Lenovo, Comcast, AT&T, Chevron, Mercedes-Benz, and Toyota — alongside an unspecified number of government agencies and critical infrastructure operators.
- Geography: 194 countries, with the heaviest device concentrations in India, the United States, Taiwan, and Mexico.
- Hardest-hit industries: IT services, construction materials, and telecommunications.
- The bad news: Diachenko reported a confirmed full-network compromise and exfiltration of classified documents from a Turkish NATO defense contractor. This isn’t only opportunistic crime — Bitsight has spotted state-associated tunneling tools (Chisel, Neo-reGeorg, previously seen in Volt Typhoon activity) drawing from the same credential pool. Translation: criminals and well-resourced state actors are shopping from the same shelf.
MSPs and MSSPs are an amplified-risk category. One compromised admin account managing Fortinet gear for many clients can expose everyone downstream at once. If that’s you, treat this as a multi-tenant incident, not a single-box cleanup.
For the record, Fortinet’s position is that the data is a reshare of material from prior incidents plus brute-forced credentials, and not tied to any recent advisory, but it doesn’t change your homework. If a valid credential to your gateway is circulating, it needs urgent attention.
Government warnings and advisories
On June 18, 2026, CISA issued an alert explicitly naming FortiBleed and citing credentials tied to roughly 74,000 Fortinet devices across government and private-sector networks. Notably, CISA tells you to review domain controller logs alongside firewall and VPN logs. Put simply, the agency does not think this stops at the firewall. This is an identity incident wearing a network-appliance costume. (This also isn’t Fortinet’s first government spotlight — the Netherlands previously attributed a separate FortiGate campaign affecting 20,000+ devices to China.)
While FortiBleed itself carries no CVE, several related Fortinet vulnerabilities are in active exploitation and should be patched on principle — a few already in CISA’s Known Exploited Vulnerabilities catalog:
- CVE-2026-35616 — FortiClient EMS improper access control (in CISA KEV)
- CVE-2026-24858 — FortiCloud SSO authentication bypass (in CISA KEV)
- CVE-2026-21643 — FortiClient EMS SQL injection
- CVE-2026-39813 — FortiSandbox JRPC API path traversal, CVSS 9.1
These are separate from FortiBleed. Don’t let anyone tell you that patching them “fixes” the credential problem (it doesn’t). Patch them anyway.
What defenders should do
Remember the math I keep hammering on: the window from disclosure to exploitation has collapsed from ~32 days to under a day, because attackers are using AI to reverse-engineer and weaponize faster than our change-management playbooks were ever designed for. You do not have time to run the full playbook leisurely. Following CISA’s guidance and the researcher consensus:
Do today:
1. Terminate and reset. Kill all active SSL VPN and administrative sessions, then reset every Fortinet VPN and admin password, internet-facing systems first. Assume any credential that could be in the dataset is burned, regardless of how strong it looked.
2. Enforce phishing-resistant MFA on every remote-access and admin interface, no exceptions. This is what neutralizes a stolen plaintext credential. Prefer certificate- or token-based; avoid SMS.
3. Fix credential storage. Confirm you’re on PBKDF2 and actively purge the lingering legacy SHA-256 hashes per Fortinet’s FortiOS 7.2.11+ guidance; in practice that means a login or password reset for every account, since the upgrade alone leaves old hashes in place.
4. Get management off the internet. Restrict admin interfaces to trusted internal networks with local-in policies, and remove or disable dormant/unnecessary accounts. Those forgotten admin accounts are exactly where this lives.
Do this week:
5. Hunt, don’t just scan. Review firewall, VPN, authentication, and domain controller logs for impossible-travel logins, unexpected admin sessions, new accounts, or config changes. A successful malicious login looks successful, so you have to go hunt for it.
6. Check your exposure against the public lookup tools (Hudson Rock’s Fortinet checker, breached.company). These can be a starting point, but a clean result is not an all-clear. It doesn’t replace log review or rotation.
7. Patch the related CVEs above, prioritizing FortiClient EMS, FortiSandbox, and anything in CISA KEV.
8. Adopt an assume-breach posture on the VPN boundary. Password rotation alone does not evict an attacker who already established persistence.
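The hunting step above is the one most teams skip, because a successful malicious login produces a successful-looking log line. The following added example (my own code, not CISA’s or Fortinet’s) runs three of the checks listed under step 5 over a handful of constructed FortiGate-style syslog events: impossible-travel SSL VPN logins for the same user, successful admin logins from outside the management network, and the creation of a new admin account. The log lines, the IP-to-country table standing in for a GeoIP lookup, and the management allowlist are all constructed, and the field names only approximate FortiGate’s event log format.

```python
"""Hunt FortiGate-style event logs for impossible-travel VPN logins,
admin logins from outside the management network, and new admin accounts.

Added example. SAMPLE_LOG, GEO and MGMT_NETS are constructed test data; field
names approximate FortiGate syslog but are not taken from a real device.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: five syslog-style events, oldest first.
SAMPLE_LOG = """\
date=2026-06-19 time=08:02:11 devname="fw-edge-1" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jsmith" remip=198.51.100.23 msg="SSL tunnel established"
date=2026-06-19 time=08:40:05 devname="fw-edge-1" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jsmith" remip=203.0.113.77 msg="SSL tunnel established"
date=2026-06-19 time=09:15:40 devname="fw-edge-1" type="event" subtype="system" action="login" user="admin" ui="https(203.0.113.77)" status="success" msg="Administrator admin logged in successfully"
date=2026-06-19 time=09:16:02 devname="fw-edge-1" type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="svc_backup" user="admin" ui="https(203.0.113.77)" msg="Add system.admin svc_backup"
date=2026-06-19 time=09:30:00 devname="fw-edge-1" type="event" subtype="system" action="login" user="admin" ui="https(10.10.0.5)" status="success" msg="Administrator admin logged in successfully"
"""

# Constructed stand-ins for a GeoIP database and for your management allowlist.
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
}
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
TRAVEL_WINDOW = timedelta(hours=1)  # two countries inside this window is not a commute

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse(line: str) -> Dict[str, object]:
    """Split one key=value syslog line into a dict and attach a datetime."""
    fields: Dict[str, object] = {k: q if q else b for k, q, b in KV.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def country(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO.items() if addr in net), "??")


def src_ip(ev: Dict[str, object]) -> Optional[str]:
    """VPN events carry remip; admin logins embed the client in ui="https(1.2.3.4)"."""
    if "remip" in ev:
        return str(ev["remip"])
    m = re.search(r"\(([\d.]+)\)", str(ev.get("ui", "")))
    return m.group(1) if m else None


def hunt(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (finding_type, user, detail) tuples for the three hunts."""
    findings: List[Tuple[str, str, str]] = []
    last_vpn: Dict[str, Tuple[datetime, str, str]] = {}  # user -> (ts, ip, country)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        ip = src_ip(ev)
        user = str(ev.get("user", "?"))
        if ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up" and ip:
            here = (ev["ts"], ip, country(ip))
            prev = last_vpn.get(user)
            if prev and prev[2] != here[2] and here[0] - prev[0] <= TRAVEL_WINDOW:
                findings.append(("impossible_travel", user,
                                 f"{prev[1]}({prev[2]}) -> {ip}({here[2]}) in {here[0] - prev[0]}"))
            last_vpn[user] = here
        elif ev.get("subtype") == "system" and ev.get("action") == "login" and ev.get("status") == "success":
            # A *successful* admin login is the event to scrutinize; failures are just noise here.
            if ip and not any(ipaddress.ip_address(ip) in net for net in MGMT_NETS):
                findings.append(("admin_login_external", user, ip))
        elif ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
            findings.append(("new_admin_account", user, str(ev.get("cfgobj", "?"))))
    return findings


if __name__ == "__main__":
    for kind, user, detail in hunt(SAMPLE_LOG):
        print(f"{kind:22} user={user:8} {detail}")
```

Run against real exports, the interesting part is the join: an external admin login from the same address that just produced an impossible-travel VPN hit, followed by a new `system.admin` object, is the sequence the post describes (VPN foothold, admin session, persistence). Feed the same source addresses into your domain controller logon search next, which is exactly where CISA’s guidance points.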
The takeaway
FortiBleed isn’t a tidy security story with a version number and a deadline. It’s the uncomfortable one about identity hygiene, edge-device administration, and credentials we forgot we exposed. AKA, the new normal of critical risk. The firewall stopped being just a perimeter box a long time ago. It’s now an identity broker and the front door to your domain. Defend it like one.
We don’t need to panic, but we should act with urgency. We need clarity, process, and the discipline to match the speed and intensity of the adversaries on the other side of the screen.