The United States Cybersecurity and Infrastructure Security Agency (CISA) issued a critical alert on Thursday, June 18, 2026, urging Fortinet customers operating FortiGate appliances to immediately implement robust security measures. This advisory follows an aggressive and far-reaching malicious campaign, codenamed "FortiBleed," which has reportedly compromised tens of thousands of internet-accessible Fortinet devices worldwide. Attributed to sophisticated Russian-speaking threat actors, the campaign has highlighted severe deficiencies in credential management and perimeter security across numerous organizations.
As of June 19, 2026, the staggering scale of the FortiBleed campaign has been quantified, with security researchers reporting 86,644 Fortinet devices successfully breached. This widespread compromise underscores a persistent vulnerability in how critical network infrastructure is secured, revealing a dangerous reliance on default or easily guessable credentials and a failure to adopt modern security practices. The campaign represents a significant threat, as Fortinet devices, particularly FortiGate firewalls and VPN gateways, serve as the primary defensive perimeter for countless enterprises, controlling access to sensitive internal networks.
Unpacking the FortiBleed Campaign: Scale and Modus Operandi
The FortiBleed operation is characterized by its systematic and automated approach, leveraging a bespoke tool to mass-scan the internet for exposed Fortinet remote login endpoints. Once identified, these endpoints are then subjected to "spraying" attacks, where known login and password combinations are relentlessly tested in an attempt to gain unauthorized access. This method, often encompassing brute-force, dictionary attacks, and credential stuffing techniques, capitalizes on the pervasive issue of weak or reused passwords.
According to detailed analysis from SOCRadar, a cybersecurity intelligence firm, the breakdown of compromised credentials paints a stark picture of organizational security posture. A significant portion of the breaches involves generic administrative accounts (35%) and built-in Fortinet system accounts (28.3%). These two categories collectively account for nearly two-thirds of all compromised credentials, pointing directly to a widespread failure to rename default accounts or regularly rotate factory-set passwords. Such practices provide attackers with a readily exploitable target list, often negating the need for complex infiltration methods.
The remaining 36.7% of compromised credentials are organization-specific accounts, a fact SOCRadar highlighted as particularly concerning. This indicates that the attackers are not merely exploiting default configurations but have also successfully breached accounts created by organizations themselves. This could stem from prior data breaches where passwords were never changed, or from internal credential management weaknesses. The implication is that even custom-created accounts, presumably intended for enhanced security, are falling victim to the attackers’ sophisticated credential harvesting and testing techniques.
The threat actors behind FortiBleed have demonstrated a high degree of operational efficiency. Their fully automated attack follows a self-sustaining, two-step approach:
- Automated Endpoint Identification and Credential Spraying: The attackers continuously scan the internet for Fortinet devices and attempt to authenticate using vast databases of username-password combinations.
- Credential Validation and Database Compilation: Crucially, any credentials that authenticate successfully are verified before being added to a centralized database. This process ensures that the attackers accumulate a high-quality, confirmed list of working logins, ready for subsequent exploitation or sale on underground markets.
Hudson Rock, another security intelligence firm, emphasized the pervasive nature of the breach, stating, "The scale of this breach touches nearly every sector of the global economy, sparing no industry. The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet." This statement underscores the profound implications of FortiBleed, as the compromised credentials could provide gateways into critical infrastructure and sensitive corporate data across the globe.

A Chronology of Warnings and Discoveries
The alarm bells for the FortiBleed incident began ringing approximately one week prior to CISA’s official advisory. Security researcher Volodymyr "Bob" Diachenko was instrumental in bringing the campaign to light, discovering a publicly accessible server that contained a vast database of working login credentials for thousands of Fortinet firewalls and VPN gateways. This server, according to SOCRadar, was not just a repository of stolen data but also actively staged the attacker’s tools and automation scripts, providing a direct glimpse into the operational mechanics of the FortiBleed campaign.
Upon Diachenko’s discovery, cybersecurity agencies swiftly mobilized. The U.K. National Cyber Security Centre (NCSC) corroborated the severity of the threat, describing FortiBleed as a "global campaign targeting internet-facing Fortinet firewalls and VPN gateways using methods like brute-force, dictionary attack, and credential stuffing." This confluence of independent observations from security researchers and national cybersecurity bodies lent significant weight to the urgency of the situation, prompting CISA to issue its Thursday alert.
The timing of these advisories, following the initial discovery, highlights the rapid response required in the face of such large-scale, automated attacks. The period between discovery and public notification is often a race against time for defenders to understand the threat and issue actionable guidance before more systems fall victim.
The Technical Underpinnings: Legacy Hashing and Configuration Vulnerabilities
A critical aspect contributing to the success of the FortiBleed campaign appears to be the exploitation of older credential hashing mechanisms and historical methods of storing credentials within FortiGate configuration files. Modern cybersecurity best practices dictate the use of robust, computationally intensive hashing algorithms like PBKDF2 (Password-Based Key Derivation Function 2) to protect sensitive credentials. These algorithms are designed to make brute-forcing significantly more difficult, even if the hashed passwords are stolen.
Arctic Wolf, a cybersecurity operations company, shed light on this technical weakness. They explained that Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS versions 7.2.11, 7.4.8, and 7.6.1, replacing the older, less secure SHA-256-based storage mechanism. While this was a positive step, a critical caveat existed: "However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade."
This detail is paramount. It implies that organizations that upgraded their FortiGate firmware but whose administrators have not logged in since the upgrade (and that did not prompt a password change upon upgrade) may still have administrator credentials stored as salted SHA-256 hashes. SHA-256 is a fast general-purpose hash: each guess costs a single hash computation, so an attacker who obtains a stolen hash can test enormous numbers of candidate passwords per second. A salt stops precomputed rainbow tables from being reused across accounts, but it does nothing to slow a per-account brute-force. PBKDF2 addresses exactly that weakness by iterating the hash many thousands of times per guess, multiplying the attacker's cost by the iteration count. The persistence of these legacy hashes provided fertile ground for the FortiBleed attackers, enabling them to crack credentials far more efficiently from intercepted configuration files than would be possible against PBKDF2-protected records.
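To make the upgrade caveat concrete, the following is an added Python model (not Fortinet's code and not FortiOS's real hash or configuration format) of an administrator credential store in which a legacy salted-SHA-256 record is re-hashed with PBKDF2 only when that administrator next logs in successfully, plus the audit a defender would want: which accounts are still on the legacy scheme. The record layout and the 600,000-iteration count are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed cost parameter for this model; not Fortinet's actual PBKDF2 setting.
PBKDF2_ITERATIONS = 600_000


@dataclass
class AdminRecord:
    name: str
    scheme: str    # "sha256" (legacy, pre-upgrade) or "pbkdf2" (post-upgrade)
    salt: bytes
    digest: bytes


def hash_legacy(password: str, salt: bytes) -> bytes:
    """One salted SHA-256 computation per guess: fast for the defender and the attacker alike."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(name: str, password: str, scheme: str) -> AdminRecord:
    salt = os.urandom(16)
    digest = hash_legacy(password, salt) if scheme == "sha256" else hash_pbkdf2(password, salt)
    return AdminRecord(name, scheme, salt, digest)


def verify(record: AdminRecord, password: str) -> bool:
    candidate = hash_legacy(password, record.salt) if record.scheme == "sha256" \
        else hash_pbkdf2(password, record.salt)
    return hmac.compare_digest(candidate, record.digest)


def login(record: AdminRecord, password: str) -> bool:
    """Models the post-upgrade behaviour: a legacy hash is replaced only after a successful login."""
    if not verify(record, password):
        return False
    if record.scheme == "sha256":
        record.salt = os.urandom(16)
        record.digest = hash_pbkdf2(password, record.salt)
        record.scheme = "pbkdf2"
    return True


def legacy_admins(records: list[AdminRecord]) -> list[str]:
    """Audit: administrators whose stored hash still uses the legacy scheme."""
    return [r.name for r in records if r.scheme == "sha256"]


def work_factor(record: AdminRecord) -> int:
    """Hash invocations an attacker must spend per password guess against this record."""
    return 1 if record.scheme == "sha256" else PBKDF2_ITERATIONS
```

Running `legacy_admins` over an exported record set after a firmware upgrade shows which administrators have not yet re-authenticated and therefore still need a forced login or password reset.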
Global Impact: Sectors and Geographies Hit Hardest
The FortiBleed campaign’s global reach is extensive, affecting 194 countries. The data from SOCRadar indicates a clear pattern of targeting across specific sectors and geographical regions. The top three impacted sectors are:
- Telecom: Telecommunications providers are critical infrastructure, managing vast networks and sensitive customer data. A breach here could have cascading effects, impacting communication services and potentially leading to mass surveillance or data theft.
- Government: Government agencies hold highly sensitive national security information, citizen data, and critical operational infrastructure. Compromise of government Fortinet devices could lead to espionage, disruption of public services, or exfiltration of classified data.
- Education: Educational institutions, particularly universities, are often rich targets due to their extensive research data, intellectual property, and large user bases with varied security practices. They also frequently manage large, complex networks that can be difficult to secure uniformly.
Geographically, the most significant exposures have been identified in:

- India: A rapidly digitizing nation with a vast IT infrastructure and a large number of internet users, making it a prime target for broad-scale campaigns.
- United States: Home to critical national infrastructure and numerous Fortune 500 companies, making it a high-value target for state-sponsored or financially motivated threat actors.
- Mexico: A growing digital economy, often facing sophisticated cyber threats targeting both public and private sectors.
- Colombia: Similar to Mexico, with expanding digital infrastructure that presents new attack surfaces for adversaries.
- Thailand: A hub for technology and tourism in Southeast Asia, with a growing digital footprint that attracts cyber threats.
The concentration in these regions and sectors highlights the strategic nature of the FortiBleed campaign, suggesting an intent to gain access to high-value targets or leverage compromised networks for further malicious activities.
Official Responses and Recommendations
In response to the escalating crisis, various stakeholders have issued statements and recommendations.
Fortinet’s Stance:
A Fortinet spokesperson, in a statement shared with The Hacker News, acknowledged the reports but suggested a different interpretation of the data. Fortinet contended that "the data involved is likely a resharing of data from previous incidents, as well as brute-forcing of credentials, and not related to any current incident or advisory." While encouraging organizations to follow best practices like regularly rotating security credentials and enabling multi-factor authentication (MFA), Fortinet’s statement implies that the breaches might not stem from a newly discovered vulnerability in their products but rather from ongoing credential exploitation. This perspective, while emphasizing user responsibility, contrasts with the more urgent tone from CISA and NCSC, which highlight an active, widespread campaign.
CISA’s Urgent Recommendations:
CISA, taking a proactive stance, provided a detailed list of recommendations for Fortinet customers to harden their defenses against the FortiBleed activity. These recommendations are critical for mitigating the immediate threat and improving overall security posture:
- Enforce Multi-Factor Authentication (MFA): CISA strongly recommends implementing MFA on all FortiGate accounts. MFA adds an essential layer of security by requiring users to provide two or more verification factors to gain access, making it significantly harder for attackers to compromise accounts even with stolen passwords.
- Regularly Rotate Credentials: All administrator passwords for FortiGate devices should be rotated frequently. This practice limits the window of opportunity for attackers to use stolen credentials.
- Disable Inactive Accounts: Any administrative accounts that are no longer in use should be immediately disabled or removed. Unused accounts present unnecessary attack vectors.
- Monitor for Suspicious Activity: Organizations should actively monitor FortiGate logs for unusual login attempts, unauthorized configuration changes, or any other indicators of compromise. Timely detection is crucial for minimizing damage.
- Update Firmware and Patches: While Fortinet suggested the issue might not be a new vulnerability, keeping firmware updated is always a critical security practice. Updates often contain patches for known vulnerabilities and improve overall system resilience. Running a version that hashes administrator passwords with PBKDF2 also enables the stronger credential storage described above, although, as Arctic Wolf noted, each administrator must log in again before their stored hash is migrated.
These measures are foundational cybersecurity best practices that, if consistently applied, can significantly reduce the risk of successful credential-based attacks.
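The monitoring recommendation above is easiest to act on with a concrete rule. The following is an added Python example (not CISA's or Fortinet's tooling) that parses constructed log lines modelled on FortiGate's key=value event log layout and flags the spraying pattern the article describes: one source address failing against several distinct administrator names within a short window, and any successful login from that same source afterwards. The field names and sample values are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on FortiGate's key=value event log layout; not real device output.
SAMPLE_LOG = """\
date=2026-06-17 time=03:14:01 type="event" subtype="system" user="admin" srcip="203.0.113.50" action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=03:14:03 type="event" subtype="system" user="administrator" srcip="203.0.113.50" action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=03:14:06 type="event" subtype="system" user="guest" srcip="203.0.113.50" action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=03:14:09 type="event" subtype="system" user="support" srcip="203.0.113.50" action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=03:14:12 type="event" subtype="system" user="netops" srcip="203.0.113.50" action="login" status="success"
date=2026-06-17 time=08:02:44 type="event" subtype="system" user="netops" srcip="198.51.100.7" action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=08:02:51 type="event" subtype="system" user="netops" srcip="198.51.100.7" action="login" status="success"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Split one key=value log line into a dict and attach a datetime under "ts"."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = datetime.fromisoformat(f"{fields['date']} {fields['time']}")
    return fields


def detect_spraying(log_text: str, window: timedelta = timedelta(minutes=10), min_users: int = 3) -> dict:
    """Return alerts keyed by source IP: the distinct users that failed from that source inside
    `window`, and any user that then logged in successfully from the same source in that window."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if e.get("action") == "login":
            by_src[e["srcip"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["status"] != "failed":
                continue
            burst = [x for x in evs[i:] if x["ts"] - e["ts"] <= window]   # events in the window
            failed_users = {x["user"] for x in burst if x["status"] == "failed"}
            if len(failed_users) >= min_users:
                success_users = sorted({x["user"] for x in burst if x["status"] == "success"})
                alerts[src] = {"spray_users": sorted(failed_users), "success_after_spray": success_users}
                break   # one alert per source is enough for triage
    return alerts
```

A single failed login from one address followed by a success (the second source in the sample) is ordinary user error and is not flagged; a success from an address that was just failing against several different names is the event worth escalating.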
Broader Cybersecurity Implications and Lessons Learned
The FortiBleed incident serves as a stark reminder of several critical challenges in the contemporary cybersecurity landscape:
- The Enduring Problem of Credential Hygiene: The prevalence of compromised generic, built-in, and previously leaked organization-specific accounts underscores the perennial issue of poor password hygiene. Despite years of warnings, organizations continue to struggle with enforcing strong, unique passwords and regular rotation. The human element remains the weakest link in many security chains.
- Perimeter Security as a High-Value Target: Network perimeter devices like firewalls and VPN gateways are prime targets for malicious actors. Gaining control over these devices provides a direct pathway into an organization’s internal network, bypassing layers of internal security. As such, these devices demand the highest level of security scrutiny and management.
- The Power of Automation in Attacks: The fully automated nature of FortiBleed highlights how threat actors can scale their operations to impact tens of thousands of targets globally with minimal manual effort. Automated scanning and credential spraying tools allow adversaries to identify and exploit weaknesses at an unprecedented pace.
- The Risk of Legacy Systems and Technical Debt: The exploitation of older SHA-256 hashing mechanisms, even after firmware upgrades, points to the dangers of technical debt. Organizations must not only upgrade their systems but also ensure that security enhancements are fully implemented and that legacy vulnerabilities are truly eradicated, often requiring active measures like forcing password changes post-upgrade.
- The Need for Proactive Threat Intelligence and Collaboration: The collaborative efforts of security researchers like Volodymyr Diachenko, intelligence firms like SOCRadar and Hudson Rock, and national agencies like CISA and NCSC were crucial in identifying and publicizing this threat. This incident underscores the importance of a global, collaborative approach to cybersecurity, where intelligence sharing and rapid response are paramount.
In conclusion, the FortiBleed campaign represents a significant and ongoing threat to organizations worldwide. While Fortinet’s statement suggests a focus on user-side credential management, the scale and sophistication of the attack, as described by multiple security intelligence firms and national advisories, indicate a highly organized and effective operation. The incident serves as a critical call to action for all organizations leveraging Fortinet devices, urging them to immediately implement CISA’s recommendations and to fundamentally re-evaluate their credential management policies and perimeter security posture. The battle against sophisticated threat actors exploiting fundamental security weaknesses is continuous, demanding constant vigilance and proactive defense strategies.
