CISA has issued an urgent warning to organizations using Fortinet FortiGate devices after a massive cyber campaign, known as FortiBleed, compromised more than 86,000 internet-facing devices around the world.
Security researchers believe the large-scale operation is being carried out by Russian-speaking threat actors who are exploiting weak passwords, reused credentials, and outdated security practices to gain unauthorized access to Fortinet firewalls and VPN gateways. As of June 19, 2026, the number of affected devices has reached an alarming 86,644 systems, making FortiBleed one of the most significant credential-based attacks targeting network security appliances in recent years.
FortiBleed is a widespread cyberattack campaign targeting organizations that use Fortinet FortiGate appliances for network security and remote access. The attackers are using stolen and leaked credentials to break into internet-exposed devices and then leverage those systems to gather even more login information.
According to cybersecurity firm SOCRadar, the compromised accounts fall into three categories. Generic administrator accounts make up around 35% of breached credentials, built-in Fortinet system accounts 28.3%, and organization-specific accounts the remaining 36.7%.
The findings suggest that many organizations continue to rely on default usernames or have failed to change factory-set credentials. Security experts warn that such practices significantly increase the risk of unauthorized access.
SOCRadar noted that the high number of compromised organization-specific accounts indicates attackers are not only targeting default credentials but are also successfully exploiting passwords that were likely exposed in previous data breaches and never changed.
The attack has impacted organizations across nearly every industry. However, telecommunications, government agencies, and educational institutions have emerged as the most heavily targeted sectors.
Geographically, the largest number of exposed devices has been identified in:
- India
- United States
- Mexico
- Colombia
- Thailand
The global nature of the campaign highlights the growing risk faced by organizations that rely on internet-accessible security appliances without implementing strong credential protection measures.
Researchers say the threat actors launched a massive internet-wide scan to identify Fortinet remote login portals. Once these endpoints were discovered, attackers used a specialized automated tool to perform credential spraying attacks.
The attack follows a two-stage process:
Stage One: Credential Testing
Attackers use a carefully selected list of leaked Fortinet usernames and passwords collected from previous breaches and underground sources. These credentials are tested against thousands of FortiGate devices connected to the internet.
Stage Two: Credential Harvesting
After successfully accessing a device, attackers monitor network traffic passing through the firewall or VPN gateway. This allows them to collect additional usernames and passwords from users and administrators, which are then used to compromise even more systems.
Security researchers emphasize that the credentials being used are legitimate and verified before being added to the attackers’ growing database of working logins.
Cybersecurity company Hudson Rock revealed that threat actors have created a verified database containing working credentials for thousands of organizations worldwide.
Researchers warn that this database provides attackers with direct access opportunities into some of the largest enterprises and government networks across the globe.
The scale of the operation demonstrates how cybercriminals continue to exploit weak password management practices and credential reuse across multiple systems.
The UK’s National Cyber Security Centre (NCSC) has also warned organizations about the FortiBleed campaign. According to the agency, attackers are targeting internet-facing Fortinet firewalls and VPN gateways using techniques such as:
- Brute-force attacks
- Dictionary attacks
- Credential stuffing
- Automated password spraying
These methods are highly effective when organizations fail to implement strong passwords or multi-factor authentication.
Security researchers believe the attackers may also be benefiting from older password storage mechanisms used in previous versions of FortiOS.
Cybersecurity firm Arctic Wolf explained that Fortinet introduced stronger password protection through the Password-Based Key Derivation Function 2 (PBKDF2) algorithm in newer FortiOS releases, including versions 7.2.11, 7.4.8, and 7.6.1.
However, organizations that upgraded from older FortiOS versions may still have administrator passwords stored using the legacy SHA-256 hashing method. Existing passwords are only converted to the stronger PBKDF2 format after administrators successfully log in following the upgrade.
As a result, many organizations may unknowingly continue using the weaker storage format, increasing their exposure to credential-related attacks. The difference matters because a single SHA-256 pass is cheap to compute: an attacker who obtains a configuration backup can test candidate passwords against a legacy hash far faster than against PBKDF2, which repeats the hash many thousands of times precisely to slow such guessing down.
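The following is an added illustration, not Fortinet code and not derived from FortiOS internals. It models a small administrator credential store in which records created before an upgrade carry a single-pass salted SHA-256 hash, and shows the rehash-on-login behaviour described above: a legacy hash can only be converted to PBKDF2 when the plaintext is available, which is at a successful login, so accounts that never log in after the upgrade keep their weak hash. The scheme names, record layout, and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed PBKDF2-HMAC-SHA256 work factor for the example; not Fortinet's value.
PBKDF2_ITERATIONS = 100_000


def legacy_sha256(password: str, salt: bytes) -> bytes:
    """Legacy-style salted single-pass SHA-256: fast, so cheap to brute-force."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deliberately slow key derivation; each guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_legacy_record(password: str) -> dict:
    """Record as it would look for an admin created before the upgrade (assumed layout)."""
    salt = os.urandom(16)
    return {"scheme": "sha256", "salt": salt, "hash": legacy_sha256(password, salt)}


def make_pbkdf2_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": pbkdf2(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison against whichever scheme the record uses."""
    if record["scheme"] == "sha256":
        candidate = legacy_sha256(password, record["salt"])
    else:
        candidate = pbkdf2(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def login(store: dict, user: str, password: str) -> bool:
    """Verify the password and, only on success, upgrade a legacy record in place.

    The upgrade can happen nowhere else: the system holds only the hash, so the
    plaintext needed to compute PBKDF2 exists only during a successful login.
    """
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "sha256":
        store[user] = make_pbkdf2_record(password)
    return True


def legacy_accounts(store: dict) -> list:
    """Accounts still protected by the weak scheme; the list to audit after an upgrade."""
    return sorted(user for user, record in store.items() if record["scheme"] == "sha256")


def guess_cost(record: dict, candidates: list) -> float:
    """Seconds to test a wordlist against one record; compare legacy vs PBKDF2."""
    start = time.perf_counter()
    for candidate in candidates:
        verify(record, candidate)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed scenario: two admins exist before the upgrade; only one logs in afterwards.
    store = {"admin": make_legacy_record("Summer2024!"),
             "backup-admin": make_legacy_record("Fortinet123")}
    print("legacy before any login:", legacy_accounts(store))
    login(store, "admin", "Summer2024!")
    print("legacy after admin logs in:", legacy_accounts(store))
    wordlist = ["password", "admin", "fortinet", "Summer2024!"] * 5
    print("20 guesses vs legacy hash: %.4fs" % guess_cost(store["backup-admin"], wordlist))
    print("20 guesses vs PBKDF2 hash: %.4fs" % guess_cost(store["admin"], wordlist))
```

Running the block prints the accounts still on the legacy scheme before and after a single login, then the time to test the same twenty guesses against each record; the PBKDF2 record costs orders of magnitude more per guess. The `legacy_accounts` check is the piece a practitioner would keep: after upgrading, any account that still shows the old scheme has not logged in and needs a forced reset rather than a wait for its owner to appear.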
In response to the reports, Fortinet stated that the exposed credentials likely originate from previously known incidents and credential brute-forcing activities rather than a newly discovered vulnerability.
The company emphasized that organizations should follow security best practices, including:
- Regular password rotation
- Strong password policies
- Multi-factor authentication (MFA)
- Continuous monitoring of administrative access
To reduce the risk of compromise, CISA has issued several recommendations for Fortinet customers:
- Terminate all active SSL VPN and administrative sessions.
- Reset all Fortinet VPN and administrator passwords, especially for internet-facing systems.
- Enforce strong password policies across the organization.
- Ensure administrator credentials are stored using the PBKDF2 hashing algorithm.
- Remove older and weaker password hashes where possible.
- Review firewall, VPN, authentication, and domain controller logs for suspicious activity.
- Investigate unauthorized configuration changes or unusual login attempts.
- Enable phishing-resistant multi-factor authentication for all administrative accounts.
- Limit exposure of management interfaces to the public internet.
- Reduce the attack surface by restricting unnecessary external access.
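One way to act on the log-review recommendation above, and to spot the credential-spraying stage described earlier, is to look for a single source address failing logins against many different usernames in a short window and then succeeding. The script below is an added example written for this article, not a CISA or Fortinet tool. The sample log lines are constructed to approximate the FortiOS key=value event-log layout for administrator logins; the field names and log IDs follow the common format but are an approximation, not an official schema, and the hosts, users, and addresses are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, approximating FortiOS admin-login events. One address
# works through several accounts and then gets in; another address is a user
# mistyping one password; the last line is an ordinary successful login.
SAMPLE_LOGS = """\
date=2026-06-18 time=02:00:01 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.77 ui="https(203.0.113.77)" reason="passwd_invalid"
date=2026-06-18 time=02:00:05 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" action="login" status="failed" user="fortinet" srcip=203.0.113.77 ui="https(203.0.113.77)" reason="passwd_invalid"
date=2026-06-18 time=02:00:09 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" action="login" status="failed" user="maintainer" srcip=203.0.113.77 ui="https(203.0.113.77)" reason="passwd_invalid"
date=2026-06-18 time=02:00:13 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" action="login" status="failed" user="fgt_admin" srcip=203.0.113.77 ui="https(203.0.113.77)" reason="passwd_invalid"
date=2026-06-18 time=02:00:17 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" action="login" status="failed" user="helpdesk" srcip=203.0.113.77 ui="https(203.0.113.77)" reason="passwd_invalid"
date=2026-06-18 time=02:00:21 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" action="login" status="failed" user="jdoe" srcip=198.51.100.9 ui="https(198.51.100.9)" reason="passwd_invalid"
date=2026-06-18 time=02:00:33 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" action="login" status="failed" user="jdoe" srcip=198.51.100.9 ui="https(198.51.100.9)" reason="passwd_invalid"
date=2026-06-18 time=02:00:40 devname="fw-edge-01" logid="0100032001" type="event" subtype="system" action="login" status="success" user="vpnadmin" srcip=203.0.113.77 ui="https(203.0.113.77)"
date=2026-06-18 time=08:15:02 devname="fw-edge-01" logid="0100032001" type="event" subtype="system" action="login" status="success" user="admin" srcip=10.10.0.5 ui="https(10.10.0.5)"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict; values may be quoted or bare."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def parse_logs(text: str) -> list:
    """Parse all lines and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        record["ts"] = datetime.strptime(record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")
        events.append(record)
    return sorted(events, key=lambda r: r["ts"])


def detect_spray(events: list, window: timedelta = timedelta(minutes=10), min_users: int = 4) -> list:
    """Flag sources that fail against >= min_users distinct accounts inside `window`,
    and any later successful login from such a source (the likely compromise)."""
    failures = defaultdict(list)   # srcip -> [(timestamp, user)]
    sprayers = {}                  # srcip -> time the threshold was first crossed
    findings = []
    for event in events:
        if event.get("action") != "login":
            continue
        ip, user, ts = event.get("srcip"), event.get("user"), event["ts"]
        if event.get("status") == "failed":
            failures[ip].append((ts, user))
            recent_users = {u for t, u in failures[ip] if ts - t <= window}
            if len(recent_users) >= min_users and ip not in sprayers:
                sprayers[ip] = ts
                findings.append({"kind": "password_spray", "srcip": ip,
                                 "users": sorted(recent_users), "at": ts})
        elif event.get("status") == "success" and ip in sprayers:
            findings.append({"kind": "success_after_spray", "srcip": ip,
                             "user": user, "at": ts})
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_logs(SAMPLE_LOGS)):
        print(finding)
```

The threshold keys on distinct usernames per source rather than raw failure counts, which is what separates a spray from one person mistyping a password; the second finding, a success from an address already flagged, is the one that should drive the session termination and credential reset steps listed above. In production the same logic runs in the SIEM over forwarded logs, and the SSL VPN login events would be added alongside the administrator ones.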
The FortiBleed campaign first came to public attention after security researcher Volodymyr “Bob” Diachenko discovered a server containing a database of verified login credentials for thousands of firewalls and VPN gateways spanning 194 countries.
According to SOCRadar, the same server also hosted the attackers’ automation tools and scripts used to conduct the large-scale credential attacks.
The FortiBleed incident serves as another reminder that weak passwords, credential reuse, and poor password management remain major cybersecurity risks. Even advanced security appliances such as firewalls and VPN gateways can become entry points for attackers when organizations fail to follow basic security hygiene.
With more than 86,000 FortiGate devices already compromised, organizations should immediately review their Fortinet environments, rotate passwords, enable multi-factor authentication, and monitor systems for signs of unauthorized access. Proactive security measures can significantly reduce the risk of becoming the next victim of this growing global cyber campaign.