Threat intelligence reports have revealed widespread credential exposure affecting Fortinet firewalls and VPN gateways, potentially placing thousands of organizations at risk of unauthorized access. Fortinet attributes the credential-harvesting campaign, referred to as FortiBleed, to threat actors reusing credentials from earlier breaches and applying brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA), characterizing the episode not as a new vulnerability but as a downstream consequence of unaddressed organizational hygiene gaps. Global cybersecurity agencies have since warned organizations of the risk this exposure poses.
In response to the FortiBleed campaign, cybersecurity agencies in the U.S., the U.K., and Australia identified that attackers are actively targeting internet-facing Fortinet devices using compromised credentials, enabling them to bypass perimeter defenses and gain direct entry into enterprise networks. The FortiBleed campaign underscores a growing shift in attacker tactics, where stolen identities, rather than newly discovered software flaws, are increasingly being used as the primary path for initial compromise.
Authorities called upon organizations to assume exposure and act immediately by rotating all administrative and VPN credentials, terminating active sessions, enabling phishing-resistant MFA, and restricting management interfaces from public internet access.
SOCRadar researchers identified the operational server of a threat actor group that had been systematically breaching FortiGate firewalls and SSL VPN gateways at a massive, global scale, after a security researcher first flagged the exposed attacker infrastructure. The investigation uncovered a verified database of over 86,644 working login credentials belonging to organizations and government bodies across 194 countries, with the campaign running since at least February 2026 and continuing to claim new victims.
Analysis showed the operation relies on full automation, with attackers scanning the internet for FortiGate devices, testing curated lists of known passwords, and then using compromised devices as listening posts to harvest additional credentials from passing VPN traffic, which are fed back into the scanner to compromise further targets.
The victim list spans nearly every sector of the global economy, including banks, telecom operators, hospitals, universities, government agencies, and large multinational corporations, with telecom representing one of the most heavily targeted sectors and government entities accounting for hundreds of entries across more than a hundred domains. Tooling, infrastructure choices, and victim selection point toward Russian-speaking threat actors, with targeting heavily weighted toward NATO member countries, suggesting the campaign carries a geopolitical dimension alongside financial motives.
Notably, SOCRadar found no evidence that this activity stems from a Fortinet zero-day vulnerability or product compromise, attributing the exposure instead to credential-based attacks such as brute-forcing and credential stuffing against internet-facing Fortinet services.
Fortinet said it believes “the activity involves threat actors reusing credentials from previous incidents (FG-IR-26-060, FG-IR-25-647) and employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA).”
FortiBleed proves less a novel exploit than a vivid illustration of credential entropy decay, as actors simply recycled passwords harvested from prior FortiGate incidents and brute-forced their way past devices still lacking MFA. Fortinet has identified the potentially compromised systems and is proactively contacting impacted customers.
To defend against FortiBleed malicious cyber activity, Fortinet recommends that customers with impacted FortiGate appliances take several immediate steps. They should terminate active administrative sessions and reset Fortinet VPN and administrative passwords, particularly on internet-facing systems, while enforcing strong password policies. MFA should be implemented across administrator and VPN user accounts.
Organizations should also upgrade to the latest releases of the 7.4, 7.6, or 8.0 branches, since these versions support PBKDF2 hashing of administrator credentials. Customers can follow Fortinet's guidance to remove older legacy password settings via the set login-lockout-upon-weaker-encryption setting.
In addition, customers should validate their configuration by reviewing firewall and VPN users and other settings for unauthorized changes, preferably comparing against a known good configuration, and paying particular attention to the addition of unrecognized accounts such as ‘forticloud, fortiuser, fortinet-support, fortinet-tech-support,’ and similar names. They should also check their logs for unexpected administrator access from an unknown IP, as well as domain controller logs for lateral movement, unusual access, suspicious accounts, or unauthorized configuration changes.
Organizations should also reduce their attack surface and lock down management access by restricting external management of their devices through trusted hosts, a local-in policy, or, ideally, removing internet administration altogether.
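The configuration and log review Fortinet describes above (unrecognized admin accounts, logins from unknown IPs, and management access not limited to trusted hosts) can be scripted. The following is an added example, not Fortinet's own tooling: it parses a constructed "config system admin" excerpt and constructed key=value login events, and the baseline account list, lookalike names, and trusted management ranges are assumptions.

```python
import ipaddress
import re
# Constructed "config system admin" excerpt in FortiOS CLI export style (not a real device export).
ADMIN_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "fortiuser"
    next
end
"""
# Constructed key=value lines loosely modeled on FortiOS admin-login event logs.
LOGIN_LOGS = """\
date=2026-03-02 time=08:01:10 user="admin" ui="https(10.10.0.25)" action="login" status="success"
date=2026-03-02 time=08:05:44 user="fortiuser" ui="https(203.0.113.45)" action="login" status="success"
date=2026-03-02 time=08:06:02 user="admin" ui="ssh(198.51.100.9)" action="login" status="failed"
"""
KNOWN_GOOD_ADMINS = {"admin"}  # assumed baseline taken from a known-good configuration
SUSPICIOUS_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed trusted admin source ranges

def parse_admins(config_text):
    # Map each 'edit "<name>"' entry to whether any trusthostN line is set inside its block.
    blocks = re.findall(r'edit "([^"]+)"(.*?)\n\s*next', config_text, re.S)
    return {name: "set trusthost" in body for name, body in blocks}

def audit_admins(config_text):
    # Flag accounts absent from the baseline, vendor-lookalike names, and admins with no trusted hosts.
    findings = []
    for name, has_trusthost in parse_admins(config_text).items():
        if name not in KNOWN_GOOD_ADMINS:
            findings.append(("unknown-account", name))
        if name in SUSPICIOUS_NAMES:
            findings.append(("lookalike-name", name))
        if not has_trusthost:
            findings.append(("no-trusthost", name))
    return findings

def audit_logins(log_text):
    # Flag successful admin logins whose source IP is outside the trusted management ranges.
    findings = []
    for line in log_text.splitlines():
        kv = dict(re.findall(r'(\w+)="?([^"\s]+)"?', line))
        m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", kv.get("ui", ""))
        if not m or kv.get("action") != "login" or kv.get("status") != "success":
            continue
        if not any(ipaddress.ip_address(m.group(1)) in net for net in TRUSTED_MGMT_NETS):
            findings.append(("login-from-untrusted-ip", kv["user"], m.group(1)))
    return findings
```

Run against a real export and log pull, the same functions give a diff against the known-good configuration and a list of admin sessions that originated outside the trusted ranges.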
To defend against this malicious cyber activity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged impacted Fortinet customers using FortiGate appliances and associated Secure Sockets Layer (SSL) VPN gateways to take immediate action. Organizations should terminate all active SSL VPN and administrative sessions and reset all Fortinet VPN and administrative passwords, particularly on internet-facing systems, while enforcing strong password policies. They should also confirm that administrator credentials are stored using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm and remove weaker legacy hashes in line with Fortinet guidance.
In addition, organizations should review firewall, VPN, authentication, and domain controller logs for signs of lateral movement, unusual access patterns, suspicious accounts, or unauthorized configuration changes. CISA also recommends enabling phishing-resistant MFA for remote access and administrative accounts, ensuring it is enforced across external gateways and administrative interfaces.
To further reduce risk, organizations should minimize the attack surface by making sure firewall administration interfaces are not accessible from the public internet, restricting Fortinet management access to trusted internal networks, and removing or disabling any unauthorized or unnecessary accounts.
Meanwhile, the U.K.’s National Cyber Security Centre (NCSC) prescribed that organizations using Fortinet edge devices with SSL VPN enabled should investigate potentially malicious activity on the device and monitor their network for unusual activity.
Organizations should first check SOCRadar’s or Hudson Rock’s FortiBleed checkers for unlisted domains, confirm device ownership, and look for Indicators of Compromise such as unauthorized accounts or unusual log activity. If compromise is confirmed, the device should be isolated from the internet and internal network, and U.K. organizations should report the incident, engage an assured Cyber Incident Response provider, and notify the vendor.
Since credential changes alone may not remove a persistent attacker, a factory reset is necessary, preceded by preserving logs and configuration data for investigation. Organizations should then check other devices sharing credentials or network access with the compromised system, and harden the re-commissioned device by closing internet exposure to management interfaces, updating to the latest version, retiring unsupported systems, replacing weak passwords, enforcing MFA, and enabling PBKDF2 with mandatory admin re-authentication.
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) advises organizations that use Fortinet firewall or VPN services to take several important steps. All admin and VPN credentials should be rotated immediately, and devices should be patched promptly to prevent attackers from exploiting existing vulnerabilities in older firmware.
Organizations should also restrict exposure of management interfaces, ensuring firewall admin and management interfaces are not internet accessible unless necessary, in order to reduce the attack surface of their Fortinet infrastructure. Multi-factor authentication should be enforced for all external interfaces to minimise the impact of any stolen credentials.
Credentials should be stored using PBKDF2 hashing to prevent offline brute forcing, and all admin accounts should be logged back into once devices are fully updated, to force the encryption to change to PBKDF2. Finally, organizations should examine their logging for malicious activity by reviewing authentication and access logs and investigating any abnormal logins or changes.
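The "log back in to force the change to PBKDF2" step (also in Fortinet's and the NCSC's guidance above) is a verify-then-rehash on successful login. The following added example models that flow and is not FortiOS's implementation: the legacy hash format, the PBKDF2 parameters, and the storage layout are assumptions, and the sample credential store is constructed.

```python
import hashlib
import hmac
import os

# Assumed work factor and storage format for this illustration; Fortinet's real parameters are not on the page.
PBKDF2_ITERATIONS = 600_000

def legacy_hash(password):
    # Stand-in for a pre-upgrade, unsalted hash that is cheap to brute-force offline (constructed, not FortiOS's format).
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_hash(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2$sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(stored, password):
    scheme, rest = stored.split("$", 1)
    if scheme == "sha1":
        return hmac.compare_digest(rest, hashlib.sha1(password.encode()).hexdigest())
    _, iters, salt_hex, dk_hex = rest.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_upgrade(store, user, password):
    # Authenticate; on success, replace a legacy hash with PBKDF2 so the stored secret is no longer cheap to crack.
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha1$"):
        store[user] = pbkdf2_hash(password)
    return True

def needs_reauth(store):
    # Admins still on a legacy hash, i.e. accounts that have not logged in since the upgrade and must be prompted to.
    return sorted(user for user, stored in store.items() if stored.startswith("sha1$"))

def constructed_store():
    # Constructed post-upgrade credential store: both admins still carry legacy hashes.
    return {"admin": legacy_hash("correct horse"), "ops": legacy_hash("battery staple")}
```

A failed login attempt must never trigger the rehash, which is why the upgrade happens only after verify succeeds.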