|

FortiBleed: 30,791 Verified Fortinet Credentials Compromised Across 194 Countries — The Self-Feeding Attack Nobody Can Find the Source Of

CRITICAL — Check now: If you run any internet-facing Fortinet FortiGate firewall or SSL VPN gateway, treat your device as potentially compromised until proven otherwise. Reset all administrative and SSL VPN credentials immediately. Upgrade to FortiOS 7.2.11, 7.4.8, 7.6.1, or later for PBKDF2 password hashing, then require every administrator to log in once to trigger re-hashing. Enforce MFA. Restrict management interface access to a dedicated internal VLAN — never expose it to the public internet.
Network firewall server room representing FortiBleed Fortinet credential compromise campaign 30000 devices 194 countries
30,791 verified working credentials. Possibly 75,000 devices. 194 countries. One Turkish NATO defense contractor fully compromised. | DataWater Threat Brief, June 18, 2026

Sources: SOCRadar (primary) · Arctic Wolf · Dark Reading · Cybernews · Hudson Rock / Kevin Beaumont · DoublePulsar · Undercode Testing | Campaign: FortiBleed | Verified credentials: 30,791+ devices | Estimated total: ~75,000 devices (~50% of internet-facing FortiGate on Shodan) | Countries: 194 | Attribution: Russian-speaking cybercriminal group | Severity: Critical (SOCRadar)

The attacker’s mistake handed researchers a database that should never have existed

In mid-June 2026, SOCRadar’s threat research team identified an exposed operational server belonging to a hacking group that had been quietly compromising Fortinet network security devices on a global scale. What they found was not a list of stolen passwords. It was a fully operational credential-harvesting machine: a curated, continuously updated, automatically-verified database of working administrator and SSL VPN credentials for tens of thousands of Fortinet FortiGate firewalls, spanning 194 countries and organized by company sector, revenue tier, and headcount — the recognizable fingerprint of an eCrime syndicate packaging initial network access for resale.

SOCRadar independently verified more than 30,791 working device credentials within the dataset. Independent analysis by Hudson Rock and security researcher Kevin Beaumont estimates the true scope at approximately 75,000 affected devices — roughly half of all internet-facing Fortinet firewalls currently indexed by Shodan. The campaign has been named FortiBleed. It is active, ongoing, and self-sustaining: compromised devices are being used as listening posts to harvest additional credentials from passing network traffic, fed back into the attack loop to compromise still more devices.

The victim profile spans virtually every critical sector of the global economy: banks, hospitals, telecommunications operators, universities, government agencies, energy companies, and multinational corporations with revenues in the tens of billions. Telecommunications represents the most heavily targeted sector with 5,616 confirmed entries. Government organizations account for 591 entries across 111 distinct domains. Enterprises with $1B+ annual revenue account for more than 20% of all affected devices. India and the United States together account for nearly one-third of all identified credential compromises.

FieldDetail
Campaign nameFortiBleed
Verified working credentials30,791+ devices (SOCRadar)
Estimated total affected devices~75,000 (Hudson Rock / Beaumont) — ~50% of internet-facing FortiGate on Shodan
Unique IP addresses21,108
Countries affected194
Most affected sectorTelecommunications — 5,616 entries
Government sector entries591 entries across 111 domains
Top affected countriesIndia, US, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, UAE
$1B+ revenue orgs affected20%+ of all compromised devices
Discovered byResearcher Bob Diachenko
Analyzed bySOCRadar, Hudson Rock, Kevin Beaumont, Arctic Wolf
AttributionRussian-speaking, multi-operator cybercriminal group
Victim weightingHeavily weighted toward NATO member countries
Confirmed full network compromisesJapan, Taiwan, Vietnam, Iraq, Turkey
Most serious confirmed caseA Turkish NATO defense contractor — full network compromise
Primary linked CVECVE-2026-24858 — FortiCloud SSO SAML auth bypass, CVSS up to 9.8, on CISA KEV
Related actively exploited CVEsCVE-2026-21643, CVE-2026-35616 (FortiClient EMS API auth bypass)
Confirmed root causeUnconfirmed — credential reuse is leading theory, no confirmed zero-day identified
SOCRadar severity ratingCritical

How FortiBleed actually works: scan, stuff, sniff, feed

FortiBleed is not a single exploit chained into a clever technical sequence the way Splunk Enterprise’s CVE-2026-20253 or Oracle PeopleSoft’s CVE-2026-35273 worked. It is something more mundane and, in its way, more disturbing: a fully automated, self-sustaining credential-stuffing operation built almost entirely on the accumulated wreckage of years of prior Fortinet security incidents and basic password hygiene failures.

The operational mechanics, reconstructed from SOCRadar, Hudson Rock, Beaumont, and Arctic Wolf, follow a four-stage self-feeding loop:

  1. Scan. Attackers continuously scan the public internet for exposed Fortinet FortiGate management and VPN interfaces reachable from outside the trusted network.
  2. Stuff. A curated list of previously leaked Fortinet credentials — passwords exposed during earlier Fortinet incidents, infostealer logs, and prior breach dumps — is tested against every identified device. Many organizations never rotated credentials after those earlier incidents, meaning years-old leaked passwords remain valid today.
  3. Sniff. Once a device is compromised, attackers use it as a passive listening post — monitoring legitimate traffic flowing through the firewall and harvesting any additional credentials that pass by.
  4. Feed. Newly harvested credentials are fed back into the scanning infrastructure, expanding the pool of valid credentials and compromised devices in a continuously growing cycle.

SOCRadar found that most compromised credentials were not sophisticated — generic administrator accounts, default Fortinet system accounts, and long-lived accounts whose passwords were never rotated since prior incidents. Kevin Beaumont’s independent forensic analysis went further, noting the dataset contains information — including internal email addresses — typically present only inside full device configuration exports, not merely login-screen credential captures. This points toward configuration-level exfiltration as the mechanism, though the precise initial access vector remains unconfirmed by any researcher.

The unanswered question that should worry every Fortinet customer

The single most consequential open question is one that, as of publication, neither SOCRadar, Hudson Rock, Beaumont, nor Arctic Wolf has definitively answered: how did attackers obtain full configuration file exports from roughly 75,000 devices in the first place?

Leading theories: credential reuse against exposed management interfaces, exploitation of known Fortinet RCE and auth bypass vulnerabilities — with CVE-2026-24858 (FortiCloud SSO SAML auth bypass, CVSS up to 9.8, disclosed January 27, 2026, on CISA KEV) cited as the primary suspected linkage — or “a previously unknown vulnerability.” That third possibility is what’s keeping incident responders awake: no patch and no specific indicator of compromise would exist for it. Until Fortinet issues a formal response, the honest assessment is the initial vector remains unconfirmed. What is not in question: the credentials are real, the compromises are real, the devices remain online, and the database is actively formatted for criminal use. This mirrors the pattern DataWater documented across Cisco’s SD-WAN chain and Palo Alto’s PAN-OS bypass — network perimeter devices, the systems organizations deploy specifically to defend their networks, have become the most consistently targeted attack surface of 2026.

Confirmed full network compromises, including a NATO defense contractor

Bob Diachenko’s forensic confirmation extends to full network compromises — attackers established persistence and lateral movement beyond the initial Fortinet device — at organizations in Japan, Taiwan, Vietnam, Iraq, and Turkey. The most serious confirmed case is a Turkish NATO defense contractor, where compromise extended well beyond the perimeter firewall into the internal network. SOCRadar’s analysis adds: technical evidence points to a Russian-speaking threat actor, and victim selection is “heavily weighted toward organizations in NATO member countries” — a pattern that raises the campaign’s strategic significance beyond purely financial motivation.

“Why is Fortinet always getting Fortifucked?”

That question, posed sardonically on social media, captures growing sentiment across the security community. This is not Fortinet’s first large-scale compromise this year. Earlier, researchers found hackers lurking inside more than 14,000 Fortinet VPN devices after exploiting previously known vulnerabilities. In December, threat actors exploited two critical FortiGate vulnerabilities within days of disclosure. FortiBleed is, in important respects, the cumulative consequence of those prior incidents combined with widespread failure to rotate credentials and harden management interfaces afterward.

This is consistent with the Verizon DBIR 2026 finding that organizations frequently treat patching or initial credential rotation as the end of incident response rather than the start of sustained hardening. SOCRadar’s blunt summary illustrates the scale: 2,645 Fortinet devices were found using username “admin3” and password “123456.” As one SOCRadar researcher put it: “The vulnerability wasn’t Fortinet. It was admin3:123456.”

What you can actually do right now

  1. Treat your device as potentially compromised until proven otherwise if your organization runs any internet-facing FortiGate firewall or SSL VPN gateway — particularly if management interfaces have ever been internet-reachable, or admin passwords haven’t been rotated since a prior Fortinet incident.
  2. Do not simply change the password if you believe you’re affected. The attacker may have already deployed persistent backdoors or sniffing capability. A password reset alone does not remediate a device used as a network traffic listening post.
  3. Immediately reset all administrative and SSL VPN credentials, prioritizing internet-exposed devices and any device involved in a previous exposure, however old.
  4. Enforce phishing-resistant MFA — FIDO2 or certificate-based — on all administrative and remote-access accounts.
  5. Restrict management interface access entirely from the public internet. Limit to trusted internal networks or a dedicated, audited management VLAN.
  6. Upgrade FortiOS to 7.2.11, 7.4.8, 7.6.1, or later for PBKDF2 password hashing. After upgrading, every administrator must log in at least once to trigger re-hashing — the upgrade alone does not retroactively re-hash existing stored passwords.
  7. Audit and patch CVE-2026-24858 (FortiCloud SSO SAML auth bypass, CVSS 9.8) and, for FortiClient EMS, CVE-2026-21643 and CVE-2026-35616.
  8. For FortiClient EMS, monitor for unauthorized endpoint management activity. CVE-2026-35616 allows unauthenticated API auth bypass in versions 7.4.5 and 7.4.6, potentially pushing credential-stealing functionality to managed endpoints.

The structural implication: the perimeter is dead, and FortiBleed just proved it again

Undercode Testing frames FortiBleed’s longer-term significance bluntly: with over 100,000 organizations potentially exposed across 194 countries, regulatory backlash, breach notification obligations, and liability exposure for organizations that failed basic hardening are likely outcomes. The same analysis predicts the scan-stuff-sniff-feed playbook will be replicated against Cisco, Palo Alto Networks, and SonicWall within 12 to 18 months — directly consistent with the pattern DataWater has already documented across Cisco SD-WAN’s seven exploited zero-days and Palo Alto PAN-OS’s confirmed active exploitation.

The attacker’s own operational mistake — leaving their command server exposed — is what allowed researchers to uncover FortiBleed at all. That stroke of luck should not be mistaken for a sustainable defensive strategy. The next campaign against the next vendor may not make the same error. Organizations should assume similar credential-harvesting operations are running undetected right now against every major perimeter security vendor, and the question is not whether they will be targeted, but whether they will detect it before attackers complete their objectives.

Sources and further reading


DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #30 — June 18, 2026. Previous: UNC6508 China-Nexus Espionage (June 16) · CVE-2026-20253 Splunk Enterprise (June 14) · CVE-2026-35273 Oracle PeopleSoft (June 12). Browse the full threat brief archive →

Similar Posts