URGENT Security Alert: FortiBleed — 86,000 Fortinet Firewalls Compromised in Massive Credential Theft Campaign

**Published: June 27, 2026 | Litzsey Tech Services**


**If your business uses a Fortinet FortiGate firewall or VPN, stop what you're doing and read this. Your admin credentials may already be in the hands of attackers.**


---


## What Happened


A large-scale credential theft campaign — dubbed **FortiBleed** — has compromised verified administrator credentials for over **86,644 Fortinet FortiGate firewalls** across **194 countries**. That represents roughly **half of all internet-facing FortiGate devices worldwide**.


The campaign was first discovered on June 13, 2026 by security researcher Volodymyr "Bob" Diachenko, who found an exposed threat-actor server containing a growing database of working login credentials for thousands of firewalls and VPN gateways. By June 19, the confirmed count had swelled to over 86,000 devices.


**CISA (the Cybersecurity and Infrastructure Security Agency) issued an emergency advisory on June 18, urging all Fortinet customers to take immediate hardening action.** The U.K.'s National Cyber Security Centre (NCSC) has also issued warnings, describing FortiBleed as a global campaign.


**A note on scale:** the 86,644 figure is the verified, confirmed-working credential count as of June 19. Some researchers tracking the broader operation describe a much larger footprint — over 320,000 FortiGate targets hit with credential-stuffing attempts, and one report citing 430,000+ devices in scope with active sniffing tools still running on tens of thousands of them. Treat 86,644 as a floor, not a ceiling, and assume this campaign is still active rather than closed.


---


## Who Is Behind It


Security researchers have linked the campaign to **Russian-speaking threat actors** who have been specifically targeting organizations connected to NATO. Confirmed victims include a Turkish defense contractor working with NATO.


But this isn't just a government problem. The compromised devices span every sector — **telecom, government, education, healthcare, and small businesses** — across 194 countries, with heavy concentrations in the U.S., India, Mexico, Colombia, and Thailand.


---


## How the Attack Works


Here's what makes FortiBleed especially dangerous: **there is no software vulnerability to patch.** This is a credential-based attack that exploits weak password practices.


Here's how the attackers pulled it off:


1. **Mass scanning**: The attackers scanned the entire internet for Fortinet remote login endpoints — the admin consoles and SSL VPN portals that many businesses leave exposed to the internet.


2. **Credential spraying**: Using a custom-built tool, they sprayed those endpoints with known login and password combinations — targeting default accounts like `admin` and factory credentials that were never changed.


3. **Configuration file theft**: Once they got in, they downloaded device configuration backup files, which contain stored password hashes.


4. **Offline cracking**: Using GPU-powered cracking rigs, they broke the stored SHA-256 password hashes. Older versions of FortiOS hashed credentials with plain SHA-256, a fast single-pass hash that cracking hardware can test at enormous rates, instead of the deliberately slow PBKDF2 algorithm introduced in late 2025.


5. **Living off compromised gear**: Beyond the initial break-in, attackers turned each compromised firewall into a listening post — quietly watching traffic pass through the device to scoop up still more usernames and passwords. Those fresh credentials then became the key to the next firewall, and the one after that. It's less a single break-in than a chain reaction that keeps feeding itself.


**The result?** A verified database of over 86,644 confirmed working credentials. Approximately **63% of the compromised accounts were default Fortinet system accounts or generic admin accounts that had never been renamed.**


---


## Why This Matters for Small Businesses


FortiGate is one of the **most popular firewall platforms in the small and mid-size business market**. If you're a small business using a Fortinet firewall — whether it's managed by an IT provider or set up years ago — you could be affected.


If attackers have valid credentials for your firewall, they can:


- **Bypass all your security controls** and walk straight into your network

- **Access your VPN** and connect as if they were a trusted employee

- **Change firewall rules** to open backdoors for future access

- **Monitor your network traffic** to steal additional credentials, customer data, or financial information

- **Deploy ransomware** or other malware from inside your network perimeter


This is not theoretical. CISA has confirmed **active exploitation** — meaning attackers are already using these credentials.


---


## What You Need to Do RIGHT NOW


These aren't items to schedule for next sprint. CISA, the NCSC, and Fortinet are all telling customers to treat this as an emergency response, today:


### 1. Kill Active Sessions First

Before you change a single password, log out every active SSL VPN and admin session on your FortiGate. A password reset doesn't help if an attacker already has an open, authenticated session — cutting that off is step one.


### 2. Reset Every Password — Not Just the Obvious Ones

Go through the device account by account:

- The default `admin` account, if it's still there (it shouldn't be)

- Every built-in system account

- Every org-specific admin account you've created

- Every SSL VPN user account

Use long, randomly generated passwords — 16 characters minimum — and don't reuse anything from another system.


### 3. Turn On MFA Everywhere

Multi-factor authentication on every admin and VPN account. A stolen password alone shouldn't be enough to get in — make MFA the second lock on the door.


### 4. Get on a PBKDF2-Capable FortiOS Build — and Actually Log In After

Upgrade to FortiOS 7.2.11, 7.4.8, 7.6.1, or later — these are the builds that switched from the old SHA-256 hashing to the much harder-to-crack PBKDF2. Here's the part people miss: the upgrade alone doesn't re-hash anyone's password. Each administrator has to log back in after the upgrade for their credential to actually convert from the old, crackable format to the new one.


### 5. Pull the Management Console Off the Public Internet

If there's one change that does the most good, it's this one: your FortiGate admin console and SSH access have no business being reachable from the open internet. Lock them down to an internal network, a bastion host, or another out-of-band path.


### 6. Go Hunting in Your Logs

Pull your FortiGate, VPN, authentication, and domain controller logs and look for:

- Admin logins from IPs you don't recognize

- Accounts that showed up without your sign-off

- Configuration changes nobody on your team made

- VPN connections from places your team doesn't operate
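The script below is an added example, not something from the alert or from Fortinet, that turns the four log-hunting checks above (and the spraying, admin-account and config-backup steps from "How the Attack Works") into runnable detection logic. It assumes FortiOS-style `key=value` event lines carrying `logdesc`, `user`, `ui`, `action`, `status` and `cfgpath` fields; the sample lines, the `10.0.20.0/24` management subnet, the `jsmith` admin name and the IP addresses are all constructed for the demonstration, and the field names should be checked against your own device's logs.

```python
"""Hunt a FortiGate event log for FortiBleed-style activity (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: where your admins log in from, and who they are.
KNOWN_ADMIN_SOURCES = [ip_network("10.0.20.0/24")]  # hypothetical management subnet
KNOWN_ADMINS = {"jsmith"}                           # hypothetical admin you created yourself
SPRAY_MIN_USERS = 3  # one source failing against >= 3 distinct accounts looks like spraying

# Constructed sample log lines in the FortiOS key=value style (not real device output).
SAMPLE_LOGS = """\
date=2026-06-20 time=02:11:04 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-06-20 time=02:11:05 type="event" subtype="system" logdesc="Admin login failed" user="maintainer" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-06-20 time=02:11:06 type="event" subtype="system" logdesc="Admin login failed" user="fortinet" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-06-20 time=02:11:07 type="event" subtype="system" logdesc="Admin login failed" user="support" ui="https(198.51.100.7)" action="login" status="failed"
date=2026-06-20 time=02:11:09 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" action="login" status="success"
date=2026-06-20 time=02:13:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.7)" action="Edit" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"
date=2026-06-20 time=02:14:02 type="event" subtype="system" logdesc="Config backup" user="admin" ui="https(198.51.100.7)" action="backup" status="success"
date=2026-06-20 time=09:02:15 type="event" subtype="system" logdesc="Admin login successful" user="jsmith" ui="https(10.0.20.14)" action="login" status="success"
date=2026-06-20 time=09:05:30 type="event" subtype="system" logdesc="Object attribute configured" user="jsmith" ui="https(10.0.20.14)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[quarterly review]"
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_UI_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_line(line):
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in _KV.findall(line)}


def source_ip(rec):
    """The admin's address sits inside ui="https(x.x.x.x)"; fall back to srcip."""
    m = _UI_IP.search(rec.get("ui", ""))
    return m.group(1) if m else rec.get("srcip")


def is_trusted_source(ip):
    """True when the address belongs to a known management network."""
    return ip is not None and any(ip_address(ip) in net for net in KNOWN_ADMIN_SOURCES)


def hunt(log_text):
    """Return (rule, detail) findings for the four checks in the alert plus a spray check."""
    findings = []
    failed_users = defaultdict(set)  # source IP -> distinct accounts it failed against
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ip, user = source_ip(rec), rec.get("user", "?")
        action = rec.get("action")
        if action == "login":
            if rec.get("status") == "failed":
                failed_users[ip].add(user)
            elif rec.get("status") == "success" and not is_trusted_source(ip):
                # "Admin logins from IPs you don't recognize"
                findings.append(("admin-login-untrusted-source", f"{user} from {ip}"))
        elif action in ("Add", "Edit", "Delete"):
            if rec.get("cfgpath", "").startswith("system.admin"):
                # "Accounts that showed up without your sign-off"
                findings.append(("admin-account-changed", f"{rec.get('cfgobj')} by {user} from {ip}"))
            if user not in KNOWN_ADMINS or not is_trusted_source(ip):
                # "Configuration changes nobody on your team made"
                findings.append(("config-change-unexpected-actor", f"{rec.get('cfgpath')} by {user} from {ip}"))
        elif action == "backup" and not is_trusted_source(ip):
            # Config backups carry the password hashes the attackers crack offline.
            findings.append(("config-backup-untrusted-source", f"by {user} from {ip}"))
    for ip, users in failed_users.items():
        if len(users) >= SPRAY_MIN_USERS:
            findings.append(("credential-spray", f"{ip} failed {len(users)} distinct accounts: {sorted(users)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_LOGS):
        print(f"[{rule}] {detail}")
```

Run it against an export of your own event log instead of `SAMPLE_LOGS` after adjusting the two allowlists; the VPN-location check from the list maps onto the same `is_trusted_source` test once you feed it the tunnel-up events and the networks your staff actually connect from.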


### 7. Assume Your Backups Are Compromised Too

Got FortiGate configuration backups sitting somewhere? Those files carry the same crackable password hashes the attackers are after. Lock down access to those backups like you would the live 


---


*This alert is based on advisories from CISA, the U.K. NCSC, and research from SOCRadar, Arctic Wolf, Bitdefender, and independent security researchers. Sources: [CISA Advisory (June 2026)](https://www.cisa.gov), [Cybersecurity Dive](https://www.cybersecuritydive.com/news/cisa-device-hardening-thousands-fortinet-credentials-compromised/823397/), [SecurityWeek](https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/), [Bitdefender](https://businessinsights.bitdefender.com/technical-advisory-fortibleed-credential-exposure-campaign-targeting-internet-facing-fortinet-devices).*


---


**Tags:** #Cybersecurity #FortiBleed #Fortinet #CISA #SmallBusiness #MSP #NetworkSecurity #Firewall

