FortiBleed: 86,000 Fortinet Firewall Credentials Were Stolen and Verified. Is Yours One of Them?

A Russian-speaking threat group ran 1.16 billion credential attacks against FortiGate devices worldwide. CISA issued an emergency alert. The credentials are live, tested, and circulating on criminal forums right now.

On June 13, 2026, security researcher Volodymyr "Bob" Diachenko publicly disclosed an exposed threat-actor server containing a validated database of FortiGate administrator and VPN credentials. The campaign has since been named FortiBleed. CISA followed with an emergency alert on June 19. The credentials are real, tested, and already in circulation.

What Happened

Diachenko found that the attackers had accidentally left an open directory containing their own tooling, scripts, connection strings, logs, and analytics. The data inside tells a precise story: a Russian-speaking, multi-operator threat group ran approximately 1.16 billion credential attempts against 320,777 FortiGate targets, plus 2.1 billion attempts against 163,650 Microsoft SQL Server systems.

The result is a verified database of over 86,644 confirmed working credentials spanning 194 countries. Researchers estimate roughly 50% of all internet-reachable FortiGate devices may be affected, making FortiBleed one of the most significant Fortinet security incidents on record.

The attackers intercepted SSL VPN authentication hashes and cracked them using a 45-GPU cluster managed through Hashtopolis. Cybersecurity researcher Kevin Beaumont and threat intelligence firm Hudson Rock subsequently validated portions of the dataset. Beaumont confirmed that sampled administrative credentials were authentic.

Why the Scale Is Alarming

The named victims read like a corporate directory of global business. According to Hudson Rock, organizations in the dataset include Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, and Oracle, alongside numerous government agencies and critical infrastructure operators.

The damage is not theoretical. Multiple organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey were described as fully compromised, including a Turkish NATO defense contractor from which classified documents were allegedly stolen.

Cybersecurity firm Huntress cross-referenced the listed IP addresses against its own data and identified 845 partner organizations specifically impacted by this credential dump.

What makes FortiBleed especially dangerous is the attack vector. According to SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials. Organization-specific accounts account for the remaining 36.7%. SOCRadar concluded: "This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed."

Why There Is No Patch to Apply

This is the most important thing to understand: FortiBleed does not exploit a software vulnerability. There is no patch that closes it.

The campaign's effectiveness stems from how older FortiOS versions stored passwords. Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism. However, when upgrading from an earlier version, existing administrator passwords remain stored as SHA-256 hashes until each administrator logs in fresh after the upgrade. Simply applying the update is not enough.
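The "legacy hash survives until the next login" behaviour described above is a general property of any password store that migrates hash formats: the server only has the plaintext at login time, so that is the only moment it can re-hash. The following Python is an added illustration of that mechanism written for this article; it is not Fortinet's code, does not reproduce FortiOS's actual storage format or PBKDF2 parameters, and uses an assumed iteration count. Its `legacy_accounts()` function is the kind of inventory a defender wants after an upgrade: which accounts still hold the old hash because nobody has logged in yet.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed illustrative cost; not the parameter FortiOS uses.
PBKDF2_ITERATIONS = 600_000


@dataclass
class StoredCredential:
    scheme: str    # "sha256" (pre-upgrade, single round) or "pbkdf2"
    salt: bytes
    digest: bytes


def legacy_sha256(password: str, salt: bytes) -> bytes:
    # One salted SHA-256 round: cheap to compute, so cheap to test at scale on GPUs.
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    # Iterated HMAC-SHA256: every guess costs the attacker `iterations` HMACs.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_legacy(password: str) -> StoredCredential:
    salt = os.urandom(16)
    return StoredCredential("sha256", salt, legacy_sha256(password, salt))


def make_pbkdf2(password: str) -> StoredCredential:
    salt = os.urandom(16)
    return StoredCredential("pbkdf2", salt, pbkdf2(password, salt))


def verify(cred: StoredCredential, password: str) -> bool:
    if cred.scheme == "sha256":
        candidate = legacy_sha256(password, cred.salt)
    elif cred.scheme == "pbkdf2":
        candidate = pbkdf2(password, cred.salt)
    else:
        return False
    return hmac.compare_digest(candidate, cred.digest)


def login(store: dict, username: str, password: str) -> bool:
    """Verify the password and, on success, migrate a legacy hash to PBKDF2.

    The plaintext exists only during this call, which is why installing the
    upgraded software cannot rewrite hashes for accounts that never log in.
    """
    cred = store.get(username)
    if cred is None or not verify(cred, password):
        return False
    if cred.scheme == "sha256":
        store[username] = make_pbkdf2(password)
    return True


def legacy_accounts(store: dict) -> list:
    """Inventory of accounts whose stored hash is still the pre-upgrade format."""
    return sorted(user for user, cred in store.items() if cred.scheme == "sha256")


if __name__ == "__main__":
    # Constructed sample store: two admins created before the "upgrade".
    store = {"admin": make_legacy("correct horse"), "vpn-ops": make_legacy("battery staple")}
    print("legacy before any login:", legacy_accounts(store))
    login(store, "admin", "correct horse")
    print("legacy after admin logs in:", legacy_accounts(store))
```

Running it shows `vpn-ops` still listed after `admin` has logged in: the upgrade changed the code, but only a fresh login changes the stored hash.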

That means credentials can still be leaking silently from devices that appear fully patched and operational, and defenders will see no alert unless they actively hunt for it. The presence of state-associated tunneling tools (Chisel, Neo-reGeorg) in related exploitation activity signals that sophisticated, well-resourced threat actors are drawing from the same dataset alongside low-level criminals.

What the Attackers Do Once They Are In

Once inside a FortiGate device, attackers used packet sniffing to intercept network traffic and harvest NTLM and Kerberos hashes for users across the entire environment. That means any Active Directory account behind the firewall could potentially be compromised.

A breached FortiGate perimeter device is effectively a skeleton key to the entire internal network behind it. For additional context, CISA tracks 26 Fortinet security flaws exploited in the wild in recent years, 13 of which were abused in ransomware attacks. FortiBleed creates a fresh, verified on-ramp to that same ransomware pipeline.
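Two of the behaviours described in this section leave traces in FortiGate event logs: an administrator logging in from somewhere that is not the management network, and a new administrator object being added. The script below is an added example for this article, not a Fortinet or CISA tool. It parses the key=value event-log style FortiGate uses, flags those two patterns, and counts failed admin logins per source. The sample lines are constructed, the exact field set of a real appliance's log is an assumption, and the trusted management range is a placeholder.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample events in FortiGate's key=value style (field set assumed).
SAMPLE_LOGS = [
    'date=2026-06-20 time=02:14:07 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" srcip=10.10.0.5 '
    'action="login" status="success"',
    'date=2026-06-20 time=03:41:52 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" srcip=203.0.113.77 '
    'action="login" status="success"',
    'date=2026-06-20 time=03:42:10 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" srcip=203.0.113.77 '
    'action="Add" cfgpath="system.admin" cfgobj="support_tmp"',
    'date=2026-06-20 time=03:50:31 type="event" subtype="system" level="warning" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9 '
    'action="login" status="failed"',
    'date=2026-06-20 time=03:50:33 type="event" subtype="system" level="warning" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9 '
    'action="login" status="failed"',
]

# Placeholder: replace with your real management networks.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def is_trusted(src: str) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Flag admin logins from untrusted sources and newly added admin objects."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        src = ev.get("srcip", "")
        if ev.get("logdesc") == "Admin login successful" and not is_trusted(src):
            findings.append({"rule": "admin_login_untrusted_source",
                             "user": ev.get("user", ""), "srcip": src, "time": ev.get("time", "")})
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append({"rule": "new_admin_account", "user": ev.get("user", ""),
                             "srcip": src, "object": ev.get("cfgobj", "")})
    return findings


def failed_logins_by_source(lines: List[str]) -> Counter:
    """Count failed admin logins per source IP; bursts indicate credential testing."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("logdesc") == "Admin login failed" and ev.get("srcip"):
            counts[ev["srcip"]] += 1
    return counts


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
    print(dict(failed_logins_by_source(SAMPLE_LOGS)))
```

On the sample data the login from 203.0.113.77 and the `support_tmp` admin created seconds later are flagged together, which is the sequence to treat as a confirmed compromise rather than a misconfiguration; the failure counter is the input for a per-source threshold in whatever SIEM you forward these logs to.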

What Your Business Needs to Do Right Now

CISA's June 18 alert is explicit, and guidance from Bitdefender, Arctic Wolf, Huntress, and Recorded Future aligns tightly with it. Here is the consolidated action list.

1. Rotate every credential immediately. Terminate all active SSL VPN and administrative sessions, then reset all Fortinet VPN and administrative passwords, especially on internet-facing systems. Do not wait for a maintenance window.

2. Rotate Active Directory credentials too. Because attackers used packet sniffing inside the network perimeter, assume that NTLM and Kerberos hashes for domain accounts may have been captured. Rotate credentials for all Active Directory users.

3. Upgrade FortiOS and force every admin to log in fresh. Upgrade to FortiOS 7.2.11, 7.4.8, or 7.6.1 (or later) to enable PBKDF2 hashing. After upgrading, each administrator must log in to the device individually to replace their legacy SHA-256 hash. The upgrade alone does not replace existing hashes.

4. Enable MFA on every admin and VPN account. CISA specifically called for phishing-resistant multifactor authentication on all affected FortiGate appliances.

5. Pull the management interface off the public internet. Arctic Wolf strongly recommends restricting firewall management interface access to trusted internal networks across all firewall configurations, regardless of vendor.

6. Hunt for unauthorized accounts. Attackers with FortiGate access can create new admin accounts silently. Audit all administrator accounts on every appliance and remove anything your team did not explicitly provision.

7. Check whether your domain is in the dataset. Hudson Rock validated portions of the dataset and released a free FortiBleed lookup tool for organizations to check domain exposure. Use it today.
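Steps 4 through 6 can be checked against a configuration backup rather than by clicking through each appliance. The Python below is an added example written for this article, not a Fortinet or 247techify tool. It parses the `config` / `edit` / `set` / `next` / `end` structure of a FortiOS backup and reports administrators with generic names, administrators not on your provisioned list, administrators without `two-factor` or any `trusthost` restriction, and WAN-role interfaces whose `allowaccess` exposes a management service. The sample configuration, the provisioned-admin list and the list of generic account names are constructed assumptions; hash values are redacted.

```python
import shlex
from typing import Dict, List, Set, Tuple

# Constructed sample backup in FortiOS configuration syntax; hashes redacted.
SAMPLE_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
    edit "j.doe"
        set trusthost1 10.10.0.0 255.255.0.0
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set password ENC REDACTED
    next
    edit "support_tmp"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC REDACTED
    next
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.10.0.1 255.255.0.0
        set allowaccess ping https ssh
        set role lan
    next
end
"""

PROVISIONED_ADMINS: Set[str] = {"admin", "j.doe"}          # assumed: what your team created
GENERIC_ADMIN_NAMES: Set[str] = {"admin", "administrator", "fortinet"}  # assumed list
MGMT_SERVICES: Set[str] = {"http", "https", "ssh", "telnet"}

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios(text: str) -> Config:
    """Parse top-level config sections into {section: {object: {key: values}}}.

    Nested `config` blocks inside an object are tracked for depth but ignored.
    """
    sections: Config = {}
    stack: List[str] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        verb = parts[0]
        if verb == "config":
            path = " ".join(parts[1:])
            stack.append(path)
            if len(stack) == 1:
                sections.setdefault(path, {})
        elif verb == "end":
            stack.pop()
        elif len(stack) != 1:
            continue  # inside a nested block
        elif verb == "edit" and len(parts) > 1:
            current = sections[stack[0]].setdefault(parts[1], {})
        elif verb == "set" and len(parts) > 1:
            current[parts[1]] = parts[2:]
        elif verb == "next":
            current = {}
    return sections


def audit(config_text: str, provisioned: Set[str]) -> List[Tuple[str, str]]:
    """Return (rule, object) findings for the hardening steps above."""
    cfg = parse_fortios(config_text)
    findings: List[Tuple[str, str]] = []
    for name, attrs in cfg.get("system admin", {}).items():
        if name.lower() in GENERIC_ADMIN_NAMES:
            findings.append(("generic_account_name", name))
        if name not in provisioned:
            findings.append(("unprovisioned_account", name))
        if attrs.get("two-factor", ["disable"])[0] == "disable":
            findings.append(("no_mfa", name))
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(("no_trusthost", name))
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = MGMT_SERVICES & set(attrs.get("allowaccess", []))
        if attrs.get("role", [""])[0] == "wan" and exposed:
            findings.append(("mgmt_on_wan", name))
    return findings


if __name__ == "__main__":
    for rule, obj in audit(SAMPLE_CONFIG, PROVISIONED_ADMINS):
        print(f"{rule:24} {obj}")
```

Feed it `show full-configuration` output or a backup file in place of `SAMPLE_CONFIG`; every `unprovisioned_account` finding is a candidate for step 6, and `mgmt_on_wan` is the step 5 condition Arctic Wolf warns about.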

The Longer Warning

FortiBleed follows a well-established pattern of threat actors systematically targeting network perimeter devices. The same pattern appeared with CVE-2023-27997 (XORtigate), the Volt Typhoon campaign, and the 2020 mass exploitation of CVE-2018-13379, which leaked VPN credentials for approximately 50,000 Fortinet devices.

The lesson is the same each time: perimeter devices are high-value, credential-rich targets. If your VPN gateway or firewall sits on the open internet with default accounts, weak passwords, and no MFA, it is not a matter of if it appears in a dataset like this, but when. Bitsight CTI is actively monitoring underground chatter across Telegram, criminal forums, and paste sites, and the volume of FortiBleed-related activity indicates the credential dataset will continue to be weaponized in follow-on attacks.

How 247techify Can Help

At 247techify, we help businesses audit and harden their network perimeter infrastructure, including Fortinet environments, implement phishing-resistant MFA, and set up the monitoring needed to catch credential-based intrusions before they become full network compromises. If you run FortiGate appliances and are not certain your devices are secured, get in touch with our team at https://www.247techify.com/ today.