The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices.
The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed. The number of compromised devices stands at 86,644 as of June 19, 2026.
According to data from SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials. Organization-specific accounts account for 36.7% of the remaining breached credentials.
“This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed,” SOCRadar said.
“Org-specific accounts topping the list is significant. It means the attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed.”
Telecom, government, and education have emerged as the top three impacted sectors, with the most exposures located in India, the U.S., Mexico, Colombia, and Thailand.
The threat actor is said to have mass-scanned the internet for Fortinet remote login endpoints, and then employed a bespoke tool to spray those identified endpoints with known login and password combinations in an attempt to break into them.
The fully-automated attack is built around a self-sustaining, two-step approach –
- The threat actor attempts a curated list of leaked Fortinet passwords against devices across the internet.
- Once access is obtained, they passively monitor network traffic going through the devices to collect additional credentials, which are then used to compromise more appliances.
The credentials are legitimate and valid, with the attackers verifying each of them before they are added to a database of confirmed, working logins.
“The scale of this breach touches nearly every sector of the global economy, sparing no industry,” Hudson Rock said. “The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet.”
The U.K. National Cyber Security Centre (NCSC) has described FortiBleed as a global campaign targeting internet-facing Fortinet firewalls and VPN gateways using methods like brute-force, dictionary attack, and credential stuffing.
It’s suspected that the threat actors likely exploited older credential hashing mechanisms and the way credentials have historically been stored within FortiGate configuration files to pull off the large-scale attack.
“Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism,” Arctic Wolf said. “However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade.”
“As a result, many organizations likely continue to store administrator credentials using older SHA-256 with Salt hashing mechanisms.”
In a statement shared with The Hacker News, a Fortinet spokesperson said “the data involved is likely a resharing of data from previous incidents, as well as brute-forcing of credentials, and not related to any current incident or advisory,” urging organizations to follow best practices, including regularly rotating security credentials and enabling multi-factor authentication (MFA).
CISA has outlined the following recommendations to defend against the activity –
- Terminate all active SSL VPN and administrative sessions, reset all Fortinet VPN and administrative passwords, especially on internet-facing systems, and enforce strong password policies.
- Ensure use of the Password-Based Key Derivation Function 2 (PBKDF2) algorithm to store administrator credentials and remove weaker legacy hashes.
- Review firewall, VPN, authentication, and domain controller logs for signs of suspicious actions, including unauthorized configuration changes.
- Enable phishing-resistant MFA on all external gateways and administrative interfaces.
- Reduce the attack surface and lock down management.
The FortiBleed incident first came to light last week after security researcher Volodymyr “Bob” Diachenko discovered a server containing the database of working login credentials for thousands of firewalls and VPN gateways across 194 countries. Per SOCRadar, the server also staged the attacker’s tools and automation scripts.
The findings once again demonstrate how credential reuse and poor password hygiene can be weaponized by malicious actors, not to mention that perimeter security appliances remain a lucrative target for gaining initial access to enterprise environments.
