A significant cybersecurity incident, dubbed “FortiBleed,” has compromised over 75,000 Fortinet FortiGate firewalls worldwide. This large-scale credential harvesting operation has exposed numerous organizations to potential network intrusions and data breaches.
The campaign, active since February 2026, involves attackers collecting credential lists, scanning for exposed services, and brute-forcing accessible systems. Once access is gained, they deploy custom sniffers on compromised firewalls to capture cleartext and hashed credentials from network traffic. These credentials are then cracked, validated, and reused against Active Directory domains and other exposed services.
Central to this operation is a Golang-based tool called FortigateSniffer. This tool exploits FortiOS’s built-in diagnostic commands to passively capture authentication traffic across 24 protocols, including TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS. By monitoring this traffic, attackers can extract sensitive credentials without triggering standard security alerts.
Security researchers have identified that the threat actors behind FortiBleed are likely Russian-speaking and financially motivated. Their targeting strategy focuses heavily on small and medium-sized businesses (SMBs) with fewer than 200 employees, particularly in the United States and India. The IT services sector appears to be a primary target, potentially allowing attackers to gain downstream access to customer environments through compromised service providers.
Further analysis reveals that FortiBleed is part of a broader, multi-vendor initial access operation. Since late February 2026, attackers have been using automated brute-force attacks to compromise not only Fortinet devices but also Synology NAS systems, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers. Between May 31 and June 15, 2026, the attackers launched at least 659 credential-harvesting pipelines, resulting in the identification of over 110 million credentials. This includes 14.8 million RADIUS credentials, 924,000 NTLM hashes, 130,000 Kerberos hashes, and 89 million MySQL authentication tokens.
The FortiBleed campaign unfolds in five stages:
- Reconnaissance: Utilizing tools like Masscan and Shodan to identify vulnerable internet-facing FortiGate firewalls. Custom utilities such as FortiProbe-fast and GeoSplit are used to filter and group these systems by country.
- Compromise: Deploying a credential checker named “forticheck” to target FortiGate’s administrative panel and SSL-VPN portal. Attackers also use tools to obtain administrative SSH access via credential stuffing and dictionary attacks.
- Credential Harvesting: Once SSH access is established, FortigateSniffer is deployed to intercept authentication traffic across multiple protocols, harvesting cleartext credentials and password hashes.
- Credential Cracking and Validation: Extracted credentials are cracked and validated, allowing attackers to gain further access to internal systems.
- Exploitation: Validated credentials are used to access Active Directory domains and other exposed services, facilitating deeper network penetration.
Organizations using Fortinet devices are urged to take immediate action to mitigate the risks associated with FortiBleed. Recommended steps include:
- Credential Rotation: Change all administrative and VPN passwords, especially those that have not been updated recently.
- Enable Multi-Factor Authentication (MFA): Implement MFA for all administrative and remote access accounts to add an extra layer of security.
- Restrict Internet Access: Limit internet exposure of management interfaces to reduce the attack surface.
- Monitor for Unauthorized Access: Review login histories and system logs for any signs of unauthorized access or unusual activity.
- Update Firmware: Ensure that all FortiOS devices are updated to the latest versions to benefit from security patches and improvements.
The FortiBleed incident underscores the critical importance of proactive cybersecurity measures. Organizations must prioritize regular credential updates, implement robust authentication mechanisms, and continuously monitor their networks for potential threats. As attackers employ increasingly sophisticated methods, maintaining vigilance and adhering to best practices are essential to safeguarding sensitive information and maintaining operational integrity.
