FortiBleed: 73,000+ Fortinet Firewalls Compromised in Massive Credential-Harvesting Campaign

Exploitation Method: No Zero-Days, Just Poor Hygiene

Despite the name evoking Heartbleed, FortiBleed has nothing to do with a software vulnerability. Multiple security firms — including TechCrunch, SOCRadar, Hudson Rock, and Arctic Wolf — confirmed that no unknown vulnerabilities (zero-days) were used .

Instead, the attackers followed a two-step supply-chain approach:

• Step 1: Harvest credentials from infostealer malware. Credentials for Fortinet admin interfaces and VPN portals were initially stolen from employee and administrator machines infected with infostealer malware .
• Step 2: Crack password hashes from exposed configs. Once attackers gained initial access, they extracted configuration files from internet-facing FortiGate devices and cracked the stored SSL VPN password hashes using a 45-GPU cluster, exploiting weak or unrotated passwords .

SOCRadar confirmed the attackers amassed at least 30,791 verified working credentials from internet-facing FortiGate devices . Arctic Wolf's analysis independently confirmed the estimates of compromised devices range between 30,000 and 75,000 .

High-Profile Victims

Confirmed victims named across multiple reports include Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC, along with government agencies in at least 15 nations . Reuters reported the majority of compromised devices were located in the United States, India, and Taiwan .

Hardest-hit industries, according to analyzed data, were:

• IT services (managed service providers, cloud operations)
• Construction materials (large multinational suppliers)
• Telecommunications (tier-1 carriers and ISPs)

Multiple sources identify these as the three most impacted verticals .

Related Simultaneous Attacks

Concurrently with FortiBleed, researchers observed 2.1 billion brute-force login attempts against more than 160,000 internet-exposed MSSQL servers, believed to be operated by the same threat cluster .

Attribution

Both SOCRadar and Hudson Rock attribute the campaign to a Russian-speaking multi-operator threat group . The attackers maintained active back-end infrastructure — including cron jobs, telemetry, and live credential-harvesting loops — on compromised devices, indicating a sophisticated, ongoing operation rather than a one-time data grab .

Recommended Response

Security firms including Hudson Rock, Arctic Wolf, and Fortinet recommend the following immediate actions for any organization using Fortinet devices:

• Force immediate credential rotation for all FortiGate admin and SSL VPN accounts .
• Enforce multi-factor authentication (MFA) on every VPN login — this is the single most effective control against credential-stuffing attacks .
• Audit device logs for unauthorized configuration exports, unknown cron jobs, and anomalous VPN sessions .
• Restrict management interface access to trusted IPs only; never leave the admin UI or SSH exposed to the public internet .

Free Exposure Lookup Portal

Hudson Rock launched a free lookup portal allowing any organization to search their domain against the 73,932-device credential dump. This tool was publicized widely on June 17–18, 2026 .