
FortiBleed Update: CISA Issues Formal Advisory — Scope Jumps to 86,644 Devices in 48 Hours, Free Lookup Tool Now Available

CISA ADVISORY — June 18, 2026 (Updated June 19): CISA has issued a formal advisory on FortiBleed. Scope has grown to 86,644 confirmed compromised devices as of June 19. Immediate CISA-mandated actions: (1) Terminate all active SSL VPN and administrative sessions NOW. (2) Reset all credentials — prioritize any account that was ever exposed in a prior Fortinet incident. (3) Ensure FortiOS is using PBKDF2 password hashing (7.2.11, 7.4.8, 7.6.1+) and require every admin to log in once to trigger re-hashing. (4) Enable phishing-resistant MFA on all admin and remote-access accounts. (5) Lock down management interface access — restrict to internal networks only, never internet-facing. Hudson Rock has released a free FortiBleed Lookup Tool at hudsonrock.com/research/fortibleed — check if your organization is in the dataset.
30,791 on June 18. 86,644 on June 19. CISA issued a formal advisory. The scope is still growing. | DataWater Threat Brief, June 20, 2026

Sources: CISA Official Advisory (cisa.gov/news-events/alerts/2026/06/18) · The Hacker News · SecurityWeek · Bleeping Computer · CybersecurityNews · Cryptika | Campaign: FortiBleed | CISA advisory date: June 18, 2026 | Confirmed compromised devices (June 19): 86,644 (SOCRadar) | CISA device count: ~74,000 (CISA advisory) | Countries: 194 | Credential breakdown: Generic admin 35% · Built-in Fortinet system accounts 28.3% · Org-specific accounts 36.7% | Free lookup tool: Hudson Rock FortiBleed Lookup at hudsonrock.com

CISA issues a formal advisory — and the scope jumped 181% in 48 hours

On June 18, 2026 — the same day DataWater published its original FortiBleed analysis — CISA issued a formal advisory urging all Fortinet customers to immediately harden their internet-accessible devices. By June 19, the confirmed compromised device count had grown from the 30,791 SOCRadar originally verified to 86,644 — a 181% increase in 48 hours — as automated verification scripts continued processing the attacker’s database. SecurityWeek notes the figure may represent roughly half of all internet-facing Fortinet infrastructure globally.

The CISA advisory is significant for several reasons beyond the scope escalation. CISA stated it is “aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials,” and that “this activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways.” A CISA formal advisory on an active credential-harvesting campaign — rather than a specific CVE — is relatively rare and signals that the agency has corroborating intelligence beyond what researchers have published. CISA tracks 26 Fortinet security flaws that have been exploited in the wild in recent years, 13 of which were abused in ransomware attacks. FortiBleed operates on top of that established exploitation history — attackers are not finding new vulnerabilities. They are finding organizations that never fixed the old ones.

Metric                               | June 18 (DataWater #30)  | June 19 (CISA advisory)     | Change
Confirmed compromised devices        | 30,791 (SOCRadar)        | 86,644 (SOCRadar updated)   | +181%
CISA official figure                 | not yet published        | ~74,000                     | First disclosure
Countries affected                   | 194                      | 194                         | Unchanged
Free lookup tool available           | No                       | Yes (Hudson Rock)           | New
CISA advisory status                 | Not yet issued           | Formally issued June 18     | Escalation
Generic admin accounts compromised   | Majority (unquantified)  | 35% of all credentials      | Quantified
Built-in Fortinet system accounts    | Present                  | 28.3% of all credentials    | Quantified
Org-specific accounts                | Present                  | 36.7% of all credentials    | Quantified
Campaign status                      | Active, ongoing          | Active, ongoing             | Unchanged

The credential breakdown tells a story about systemic hygiene failure

The most forensically revealing new data in this update is the breakdown of compromised credential types. According to SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up 63.3% of the compromised credentials, a clear majority. Organization-specific accounts make up the remaining 36.7%, which is nonetheless the largest single category of the three.

SOCRadar said: “This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed. Org-specific accounts topping the list is significant. It means the attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed.”

The three-way split is instructive in a way that the raw device count alone is not. The 35% generic admin plus 28.3% built-in Fortinet system accounts, nearly two-thirds of all compromised credentials, are accounts that kept the stock account name or the factory credentials, which hands the attacker a reliable username list before a single password has to be guessed. These are not sophisticated attacks; they are the predictable, automated consequence of default-credential hygiene failures at scale. The 36.7% of organization-specific accounts is the more alarming signal: the attacker also holds valid custom credentials, accounts that humans created and named, which points to password reuse from prior unrelated breaches, infostealer malware, or phishing rather than default-credential stuffing alone. The practical consequence is that renaming or disabling the stock admin account takes a device out of the first two buckets but does nothing for a custom account whose password already leaked; only rotation plus MFA closes that one.

What CISA is mandating — the five immediate actions

CISA issued an alert on FortiBleed, urging Fortinet customers to take hardening actions: terminate active sessions and reset credentials, ensure they use Password-Based Key Derivation Function 2 (PBKDF2) algorithm to store admin logins, review logs to identify suspicious activity, enable phishing-resistant MFA, and lock down management access to reduce the attack surface.

Breaking each of these down for operational clarity:

  1. Terminate all active SSL VPN and administrative sessions immediately. Do not wait for sessions to expire naturally. Force-terminate every active session on every internet-facing FortiGate device now. An attacker holding a valid session token keeps access even after the password is changed, so the sessions must be killed first and the credentials rotated second. While doing so, review the admin and SSL VPN login logs for successful logins from unfamiliar sources; CISA's alert asks for that log review alongside the session purge.
  2. Reset all credentials. Every administrative account. Every SSL VPN account. Every service account. Prioritize any account that appeared in a prior Fortinet incident: the original FortiBleed dataset was built substantially on credentials from earlier breaches that organizations never rotated. If a credential was ever exposed anywhere, treat it as compromised in FortiBleed.
  3. Verify PBKDF2 hashing is in use, and re-trigger it. Upgrade to FortiOS 7.2.11, 7.4.8, 7.6.1, or later. Critically, after upgrading, every administrator must actively log in at least once. The upgrade does not retroactively re-hash stored credentials; only a successful post-upgrade login re-hashes that account. An account nobody logs into after the upgrade (a dormant break-glass or service admin, for example) therefore keeps its old hash, so enumerate every admin account and either log in with it or rotate it.
  4. Enable phishing-resistant MFA on all admin and remote-access accounts. CISA specifically calls out phishing-resistant MFA, meaning FIDO2 or certificate-based authentication, rather than SMS or TOTP. An attacker who already holds a valid password and runs a real-time phishing proxy can relay a TOTP code inside its validity window, so TOTP raises the bar far less than an authenticator bound to the legitimate origin.
  5. Lock down management interface access. Remove internet-facing exposure from the FortiGate management interface entirely. Restrict administrative access to a trusted internal management VLAN. Restrict SSL VPN access to known, vetted IP ranges where possible. The FortiBleed attacker's entire operation depends on internet-accessible management interfaces; removing that exposure closes the stuffing attack surface regardless of credential state.
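Actions 4 and 5, together with the stock-account-name problem from the credential breakdown, can be checked offline against a configuration backup before anyone touches a live device. The script below is an added example, not DataWater's, CISA's, or Fortinet's code: it parses the config/edit/set structure of a FortiOS backup and flags management protocols on WAN-role interfaces, admin accounts without a trusthost restriction or a two-factor setting, the stock admin account name, and SSL VPN left open to any source address. The sample backup is constructed, the password and token values are placeholders, and the checks assume (as FortiOS backups behave) that a setting absent from the backup sits at its default.

```python
"""Audit a FortiOS configuration backup for the exposures CISA's FortiBleed
guidance targets: management protocols on WAN-facing interfaces, admin
accounts without trusted-host restriction or MFA, stock account names, and
SSL VPN open to any source address.

Added illustration; not DataWater's, CISA's, or Fortinet's code. The config
below is constructed and the ENC/token values are placeholders.
"""
import shlex

# Values of `set allowaccess` that expose an administrative surface.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp"}
# Account names that ship on FortiGate; SOCRadar's "generic admin" bucket is
# largely accounts like these that were never renamed.
STOCK_ADMIN_NAMES = {"admin"}

# Constructed sample backup, trimmed to the sections the audit reads.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "mgmt"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC PLACEHOLDER
    next
    edit "netops-jdoe"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKPLACEHOLDER"
        set password ENC PLACEHOLDER
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
end
"""


def parse_fortios_config(text):
    """Turn the config/edit/set/next/end grammar into nested dicts.

    `config <path>` and `edit <name>` open a nested dict, `set k v...` stores
    the value list, `unset k` drops it, and `next`/`end` close the level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        cur = stack[-1]
        if tok[0] == "config":
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(cur.setdefault(tok[1], {}))
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] == "unset":
            cur.pop(tok[1], None)
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root


def audit(text):
    """Return (severity, message) findings for the FortiBleed-relevant checks."""
    cfg = parse_fortios_config(text)
    findings = []

    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role") == ["wan"] and exposed:
            findings.append(("HIGH", f"interface {name}: {', '.join(sorted(exposed))} "
                             "enabled on a WAN-role interface"))

    for name, adm in cfg.get("system admin", {}).items():
        if name in STOCK_ADMIN_NAMES:
            findings.append(("MEDIUM", f"admin {name}: stock account name never renamed"))
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(("HIGH", f"admin {name}: no trusthost restriction"))
        # Backups omit settings at their default; two-factor defaults to
        # disable, so an absent key means MFA is off (assumption noted above).
        if adm.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("HIGH", f"admin {name}: two-factor disabled"))

    ssl = cfg.get("vpn ssl settings", {})
    if "all" in ssl.get("source-address", ["all"]):
        findings.append(("MEDIUM", "ssl vpn: source-address allows any client address"))

    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run it over the text of a saved backup for each device. The rules are deliberately narrow: an interface with role undefined but a public address, or a trusthost that covers the whole internet, passes them, so extend the checks to your own addressing plan rather than treating a clean run as proof of lockdown.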

Hudson Rock’s free lookup tool: check if your organization is in the dataset

Hudson Rock has released a free FortiBleed Lookup Tool at hudsonrock.com/research/fortibleed — allowing organizations to check whether their domain or IP addresses appear in the confirmed compromised device database. Kevin Beaumont, together with Hudson Rock, worked with some of the impacted organizations and verified that the logins are valid and fairly recent. Any organization that receives a positive result from the lookup tool should treat the finding as a confirmed credential compromise and proceed immediately with the full CISA remediation checklist — not just a password reset.

The lookup tool’s availability also clarifies one important nuance in the scope figures: the gap between CISA’s ~74,000 and SOCRadar’s 86,644 reflects different counting methodologies and dataset snapshots taken at different times. The attacker’s database is continuously updated as the scan-stuff-sniff-feed loop generates new compromises. SOCRadar has since updated its figure to 86,644, noting the operation has “produced a verified database of over 86,644 confirmed working credentials across 194 countries, all collected from internet-facing Fortinet infrastructure.” Both figures should be treated as floors, not ceilings.
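The “stuff” step of that loop leaves a recognisable trace in a device’s own event logs, and the log review in CISA’s alert is aimed at exactly this. The script below is an added example, not DataWater’s, CISA’s, or Fortinet’s code: it parses key=value event-log lines, groups failed admin and SSL VPN logins by source address, flags a burst of failures spread across several account names as stuffing, and escalates any later successful login from the same source, which is the signature of a credential that has just entered the attacker’s verified set. The log lines are constructed in FortiGate’s key=value style; exact field names and log IDs vary by FortiOS version, and the thresholds and window are assumptions to tune against your own baseline.

```python
"""Triage FortiGate admin and SSL VPN login events for credential stuffing
and for the stuffing-then-success pattern that marks a credential as newly
verified by the attacker.

Added illustration; not DataWater's, CISA's, or Fortinet's code, and not a
substitute for FortiAnalyzer or a SIEM. The log lines are constructed in
FortiGate's key=value event-log style; device names, addresses, users and
thresholds are placeholders or assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Admin login events carry the client as ui="https(1.2.3.4)"; VPN events use remip=.
UI_IP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")

FAIL_THRESHOLD = 3            # failures from one source inside WINDOW ...
DISTINCT_USERS = 2            # ... spread over at least this many account names
WINDOW = timedelta(minutes=10)

# Constructed sample: a stuffing burst from 198.51.100.7 that ends in a
# successful admin login, plus a normal typo-then-success from an internal host.
SAMPLE_LOGS = """\
date=2026-06-18 time=03:14:02 devname="FG-EDGE-01" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=03:14:05 devname="FG-EDGE-01" type="event" subtype="system" logdesc="Admin login failed" user="maintenance" ui="https(198.51.100.7)" action="login" status="failed" reason="name_invalid"
date=2026-06-18 time=03:14:09 devname="FG-EDGE-01" type="event" subtype="vpn" logdesc="SSL VPN login fail" user="sales" remip=198.51.100.7 action="ssl-login-fail" reason="sslvpn_login_unknown_user"
date=2026-06-18 time=03:14:13 devname="FG-EDGE-01" type="event" subtype="vpn" logdesc="SSL VPN login fail" user="vpnuser" remip=198.51.100.7 action="ssl-login-fail" reason="sslvpn_login_permission_denied"
date=2026-06-18 time=03:15:41 devname="FG-EDGE-01" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" action="login" status="success"
date=2026-06-18 time=08:02:11 devname="FG-EDGE-01" type="event" subtype="system" logdesc="Admin login failed" user="netops-jdoe" ui="https(10.10.0.25)" action="login" status="failed" reason="passwd_invalid"
date=2026-06-18 time=08:02:30 devname="FG-EDGE-01" type="event" subtype="system" logdesc="Admin login successful" user="netops-jdoe" ui="https(10.10.0.25)" action="login" status="success"
"""


def parse_line(line):
    """Return the event as a dict with a parsed timestamp and a source IP."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    if "remip" in ev:
        ev["src"] = ev["remip"]
    else:
        m = UI_IP_RE.search(ev.get("ui", ""))
        ev["src"] = m.group(1) if m else "unknown"
    return ev


def is_failure(ev):
    return ev.get("status") == "failed" or ev.get("action") == "ssl-login-fail"


def is_success(ev):
    return ev.get("status") == "success" or ev.get("action") == "tunnel-up"


def triage(log_text):
    """Return (kind, source_ip, detail) findings, STUFFING before COMPROMISE."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if is_failure(e)]
        # Sliding window: any WINDOW-long span with enough failures over
        # enough distinct account names counts as stuffing.
        stuffing = False
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= WINDOW]
            if (len(burst) >= FAIL_THRESHOLD
                    and len({e["user"] for e in burst}) >= DISTINCT_USERS):
                stuffing = True
                break
        if not stuffing:
            continue
        users = sorted({e["user"] for e in fails})
        findings.append(("STUFFING", src,
                         f"{len(fails)} failures across {len(users)} accounts: {', '.join(users)}"))
        # A success from a source that was just stuffing means a credential
        # in the attacker's list is valid; treat the account as compromised.
        for e in evs:
            if is_success(e) and any(f["ts"] < e["ts"] for f in fails):
                findings.append(("COMPROMISE", src,
                                 f"{e['user']} logged in at {e['ts']:%H:%M:%S} after stuffing from this source"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in triage(SAMPLE_LOGS):
        print(f"{kind:10} {src:16} {detail}")
```

A COMPROMISE finding is the trigger for the full checklist, not just a reset of that one account: kill the session, rotate the credential, and check what the session did afterwards. The internal typo at 08:02 produces nothing because a single failure on one account name never reaches the stuffing threshold, which is the distinction a naive “failed login” alert misses.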

FortiSandbox critical vulnerabilities now also exploited

On Monday, threat intelligence company Defused also reported that several critical vulnerabilities in Fortinet’s FortiSandbox cyber threat detection platform are now exploited in attacks. FortiSandbox is the sandbox analysis platform Fortinet customers use to detonate and analyze suspicious files and URLs — a security analysis tool used by SOC teams actively investigating threats. Its exploitation follows the same pattern DataWater documented with Splunk Enterprise CVE-2026-20253, the Trend Micro Apex One zero-day, and the Palo Alto PAN-OS authentication bypass: security infrastructure is now a priority attack surface, not a protected backstop. Organizations running FortiSandbox should treat it as a priority patch item alongside FortiGate, not as an afterthought.

The escalating picture: FortiBleed in the context of 2026’s network perimeter crisis

CISA’s formal advisory on FortiBleed, combined with the rapid scope escalation from 30,791 to 86,644 verified compromised devices in 48 hours, makes this the largest single credential compromise event affecting network perimeter infrastructure DataWater has documented in 2026 — surpassing in raw scale the Cisco SD-WAN campaign that produced seven exploited CVEs and the Palo Alto PAN-OS exploitation wave that hit two distinct attack waves before CISA’s June 19 remediation deadline.

The FortiBleed campaign’s most important structural characteristic, the one that distinguishes it from every other major 2026 network device compromise, is that it does not require a CVE. No specific CVE has been directly tied to this campaign. The scale and impact demonstrate how misconfigurations and credential leaks alone can create significant security gaps. Every other major network device compromise DataWater has covered in 2026 exploited a specific, nameable software vulnerability. FortiBleed exploits organizational process failure: the failure to rotate credentials after prior incidents, rename default accounts, require MFA on administrative interfaces, and restrict management access from the public internet. These are not zero-day-dependent risks. They are configuration choices. The attacker found 86,644 devices whose owners made the wrong ones.

DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #31 — June 20, 2026. Previous: FortiBleed Original Analysis (June 18) · UNC6508 China-Nexus Espionage (June 16) · CVE-2026-20253 Splunk Enterprise (June 14).
