Summary

A large-scale, ongoing intrusion campaign targeting Fortinet infrastructure has been observed impacting internet-facing firewalls and VPN gateways worldwide. The operation, often referred to as "FortiBleed," combines credential-based attacks, automated exploitation, and active vulnerability abuse to achieve initial access and maintain persistence within enterprise environments.

The campaign is notable for its scale and automation. Attackers are not relying on a single exploit path; instead, they use a continuous cycle where stolen credentials, brute-force attempts, and intercepted authentication data are reused to expand access across thousands of organizations globally. This has resulted in widespread compromise affecting tens of thousands of devices across more than 190 countries, including critical infrastructure and major multinational enterprises.

Organizations can check whether their company has been exposed through an available verification tool provided by researchers (FortiBleed Tool Checker), and affected customers are being contacted directly as part of ongoing coordinated disclosure efforts to support remediation and incident response.

Affected Systems and Applications

Core Network Security Infrastructure

• FortiGate (primary target)
  • SSL VPN interfaces exposed to the internet
  • Administrative web portals of Fortinet devices

Additional Fortinet Security Products

FortiSandbox — Actively exploited via multiple critical CVEs:

FortiClient EMS — Vulnerabilities observed in active exploitation campaigns:

Supporting / Secondary Targets

• Microsoft SQL Server environments (2.1B+ brute-force attempts observed)
• Internal Active Directory environments (post-compromise pivot targets)
• Enterprise VPN authentication systems across multiple vendors (credential reuse expansion)

Technical Details

The intrusion chain typically begins with large-scale internet scanning to identify exposed Fortinet devices. Once discovered, attackers attempt authentication using vast datasets of previously leaked credentials, many of which originate from infostealer malware infections or older breaches. This credential-stuffing phase alone accounts for billions of login attempts, indicating a highly automated infrastructure designed for continuous exploitation.

When credentials are insufficient, attackers escalate by attempting brute-force authentication or exploiting known vulnerabilities in Fortinet products. Recently patched flaws — such as authentication bypass and remote command execution vulnerabilities in FortiSandbox and FortiClient EMS — are actively being weaponized in the wild. Some exploit attempts appear to be rapidly generated or AI-assisted, although not all are immediately functional.

A particularly concerning aspect of this campaign is the interception of SSL VPN authentication data. Attackers capture authentication material during login sessions and then crack it offline using GPU-accelerated systems. Once valid access is obtained, compromised devices are used as monitoring points inside enterprise perimeters, allowing attackers to observe network traffic and harvest additional credentials.

Post-exploitation activity typically involves persistence within VPN and firewall management interfaces, followed by lateral movement into internal systems such as Active Directory. This enables attackers to escalate privileges, move across internal segments, and extract sensitive data. In several documented cases, organizations experienced full network compromise and data exfiltration, including entities in critical infrastructure and defense-related sectors.

Mitigation

Organizations should immediately implement the following defensive measures:

1. Rotate all credentials — Immediately rotate all VPN, firewall, and administrative credentials associated with Fortinet infrastructure, especially where reuse across systems may have occurred.
2. Enforce Multi-Factor Authentication (MFA) — Enable MFA on all VPN access points and administrative interfaces without exception.
3. Apply latest security patches — Patch all Fortinet products, particularly FortiGate, FortiSandbox, and FortiClient EMS, prioritizing vulnerabilities related to authentication bypass and remote code execution.
4. Restrict interface exposure — Limit access to VPN and management interfaces to trusted IP ranges or internal networks only.
5. Review logs for anomalies — Audit authentication and firewall logs for unusual geolocations, repeated login failures, or unexpected administrative activity.
6. Assume potential compromise — Treat any internet-exposed Fortinet system without MFA and up-to-date patching as potentially compromised, and initiate incident response procedures where exposure is confirmed or suspected.

References

• FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure | Hudson Rock
• 3 Recently Patched Fortinet FortiSandbox Vulnerabilities in Hacker Crosshairs — SecurityWeek
• HelpNet Security: Fortinet FortiSandbox Vulnerabilities (CVE-2026-39813, CVE-2026-39808)
• Vendor Advisories and Patches: PSIRT Advisories | FortiGuard Labs

‍