Active FortiBleed Campaign Exposes Fortinet Credentials

Active FortiBleed Campaign Exposes Fortinet Credentials image
You are here:

EXECUTIVE SUMMARY

A newly discovered data leak dubbed “FortiBleed” has exposed a collection of Fortinet and FortiGate VPN credentials. The attackers allegedly conducted approximately 1.16 billion credential attempts against 320,777 FortiGate targets and an additional 2.1 billion attempts against 163,650 Microsoft SQL Server systems and has credentials for 73,932 firewall URLs across 194 countries and impacts 21,632 unique domains. It is suggested to have been conducted by a Russian-speaking multi-operator threat group that harvests credentials for FortiGate SSL VPN devices.

  • Affected Region: Global
  • Affected Products: Fortinet and FortiGate SSL VPN Gateways
  • Impact: Compromised Credentials
  • Severity: Critical
  • Published Date: June 17, 2026

TECHNICAL DETAILS

The threat group actively intercepted SSL VPN authentication hashes and cracked them using a massive, dedicated 45-GPU cluster managed via Hashtopolis. Once the perimeter was breached, the operators systematically pivoted directly into internal Active Directory environments to establish deep network persistence. It also has a massive compilation of credentials leaked or stolen from Fortinet devices during prior incidents. A high volume of extremely complex passwords that were successfully compromised.

  • Target: All sectors including government telecommunications, healthcare, education, financial services, and multinational critical infrastructure.
  • Root Cause: The threat actors were able to extract configuration files that were saved using legacy hashing formats that they managed to crack by using a massive 45-GPU cracking cluster managed via Hashtopolis.
  • Prerequisite For Exploitation: Devices that have its FortiGate Management Interface or SSL VPN portal directly accessible to the public internet without MFA,……

Download the Report

Date

Share

Previous Reports