The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert to Fortinet customers, urging immediate action to secure FortiGate appliances against a widespread cyberattack known as ‘FortiBleed.’ This campaign has compromised 86,644 internet-accessible devices as of June 19, 2026.
Security firm SOCRadar reports that the majority of breached credentials involve generic admin accounts (35%) and built-in Fortinet system accounts (28.3%). Organization-specific accounts constitute the remaining 36.7%. This distribution suggests a prevalent failure to rename default accounts or update factory credentials, providing attackers with predictable targets without the need for brute-force methods.
The sectors most affected include telecommunications, government, and education, with significant exposures in countries such as India, the United States, Mexico, Colombia, and Thailand.
The attack methodology involves mass-scanning the internet for Fortinet remote login endpoints, followed by the use of a specialized tool to attempt known login and password combinations. Once access is gained, attackers monitor network traffic to collect additional credentials, facilitating further compromises. The attackers verify each credential before adding it to a database of confirmed, working logins.
Hudson Rock emphasizes the extensive reach of this breach, affecting nearly every sector globally and resulting in a verified database of working credentials for major enterprises.
The U.K. National Cyber Security Centre (NCSC) describes FortiBleed as a global campaign targeting internet-facing Fortinet firewalls and VPN gateways through methods like brute-force attacks, dictionary attacks, and credential stuffing.
It’s suspected that attackers exploited older credential hashing mechanisms and the way credentials were historically stored in FortiGate configuration files. Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS versions 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism. However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator logs in post-upgrade. Consequently, many organizations may still be storing administrator credentials with the older salted SHA-256 mechanism.
In response, Fortinet stated that the data involved likely stems from previous incidents and brute-forcing of credentials, not from any current incident or advisory. The company continues to investigate these reports, prioritizing customer security.
This incident underscores the critical importance of regularly updating and securing administrative credentials, especially for internet-facing devices. Organizations should promptly implement Fortinet’s recommended security measures, including upgrading to the latest firmware versions and enforcing strong password policies, to mitigate the risk of such attacks.
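To check for the hash-migration gap and the predictable account names described above, the following added example (not from the original article, and not Fortinet or CISA tooling) audits a FortiGate configuration backup for administrators still on legacy password storage or using a generic name. It assumes legacy salted SHA-256 hashes begin with `SH2` and PBKDF2 hashes with `PB2`, which the article does not state; the sample config, the generic-name list and the function names are constructed.

```python
import re

# Assumptions, not stated in the article: hash-type prefixes as seen in
# FortiOS config backups. Verify against your own backup before relying on them.
LEGACY_PREFIX = "SH2"   # assumed marker of salted SHA-256 storage
PBKDF2_PREFIX = "PB2"   # assumed marker of PBKDF2 storage
GENERIC_NAMES = {"admin", "administrator", "root", "test"}  # constructed list

# Constructed sample backup; the hash values are placeholders, not real hashes.
SAMPLE = """\
config system admin
    edit "admin"
        set password ENC SH2constructedPlaceholderAAAA
    next
    edit "netops-jlee"
        config gui-dashboard
            edit 1
            next
        end
        set password ENC PB2constructedPlaceholderBBBB
    next
end
"""

def audit_admins(config_text):
    """Return one finding per administrator in 'config system admin'."""
    findings, in_admin, depth, name = [], False, 0, None
    for line in map(str.strip, config_text.splitlines()):
        if line == "config system admin":
            in_admin, depth = True, 0
        elif not in_admin:
            continue
        elif line.startswith("config "):
            depth += 1                      # nested table inside an entry
        elif line == "end":
            in_admin, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            name = m.group(1)
        elif depth == 0 and name and (m := re.match(r"set password ENC (\S+)", line)):
            h = m.group(1)
            scheme = ("legacy-sha256" if h.startswith(LEGACY_PREFIX)
                      else "pbkdf2" if h.startswith(PBKDF2_PREFIX) else "unknown")
            findings.append({"name": name, "scheme": scheme,
                             "generic_name": name.lower() in GENERIC_NAMES})
    return findings

def needs_action(findings):
    """Admins not yet on PBKDF2 storage, or using a predictable account name."""
    return [f["name"] for f in findings
            if f["scheme"] != "pbkdf2" or f["generic_name"]]

if __name__ == "__main__":
    print(needs_action(audit_admins(SAMPLE)))
```

Per the article, an entry reported as `legacy-sha256` on an upgraded device stays in that form until that administrator logs in after the upgrade.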