Fortinet "FortiBleed" Global Compromise & Active Exploitation of Fortinet Vulnerabilities
Fortinet "FortiBleed" Global Compromise & Active Exploitation of Fortinet Vulnerabilities
(Updated June 23)
Summary
A large-scale, ongoing intrusion campaign targeting Fortinet infrastructure has been observed impacting internet-facing firewalls and VPN gateways worldwide. The operation, widely referred to as “FortiBleed,” primarily and definitely involves credential reuse, stealing, and brute force. According to Fortinet, “Based on our initial analysis, we believe the activity involves threat actors reusing credentials from previous incidents and employing brute-force techniques against devices with weak password hygiene and no multi-factor authentication (MFA).” Other researchers suggest the campaign may also involve the exploitation of a number of recent vulnerabilities affecting Fortinet products to achieve initial access and maintain persistence within enterprise environments, but no clear link has been established to the FortiBleed campaign.
The campaign is notable for its scale and automation. Attackers are not relying on a single exploit path; instead, they use a continuous cycle where stolen credentials, brute-force attempts, and intercepted authentication data are reused to expand access across thousands of organizations globally. This has resulted in widespread compromise affecting tens of thousands of devices across more than 190 countries, including critical infrastructure and major multinational enterprises.
Organizations can check whether their company has been exposed through the FortiBleed lookup tool provided by Hudson Rock, and affected customers are being contacted directly as part of ongoing coordinated disclosure efforts to support remediation and incident response.
Affected Systems and/or Applications
The following systems and applications are impacted or actively targeted. Vulnerabilities listed may have contributed to spreading FortiBleed's reach, but this is unconfirmed and the list is not exhaustive. In any case, it is strongly recommended to ensure these vulnerabilities have been patched.
Core Network Security Infrastructure
- FortiGate (primary target)
- SSL VPN interfaces exposed to the internet
- Administrative web portals of Fortinet devices
Additional Fortinet Security Products
- FortiSandbox
- Actively exploited via multiple critical CVEs:
- CVE-2026-39808 (command injection)
- CVE-2026-39813 (authentication bypass)
- CVE-2026-25089 (remote command execution)
- Actively exploited via multiple critical CVEs:
- FortiClient EMS
- Vulnerabilities observed in active exploitation campaigns:
- CVE-2026-21643
- CVE-2026-35616
- Vulnerabilities observed in active exploitation campaigns:
Supporting / Secondary Targets
- Microsoft SQL Server environments (2.1B+ brute-force attempts observed)
- Internal Active Directory environments (post-compromise pivot targets)
- Enterprise VPN authentication systems across multiple vendors (credential reuse expansion)
Technical Details
The intrusion chain typically begins with large-scale internet scanning to identify exposed Fortinet devices. Once discovered, attackers attempt authentication using vast datasets of previously leaked credentials, many of which originate from infostealer malware infections or older breaches. This credential-stuffing phase alone accounts for billions of login attempts, indicating a highly automated infrastructure designed for continuous exploitation.
When credentials are insufficient, attackers escalate by attempting brute-force authentication or, possibly in a subset of cases, exploiting known vulnerabilities in Fortinet products. Recently patched flaws - such as authentication bypass and remote command execution vulnerabilities in FortiSandbox and FortiClient EMS - are actively being weaponized in the wild, though again, there is no definitive link to FortiBleed. Some exploit attempts appear to be rapidly generated or AI-assisted, although not all are immediately functional.
A particularly concerning aspect of this campaign is the interception of SSL VPN authentication data. Attackers capture authentication material during login sessions and then crack it offline using GPU-accelerated systems. Once valid access is obtained, compromised devices are used as monitoring points inside enterprise perimeters, allowing attackers to observe network traffic and harvest additional credentials.
Post-exploitation activity typically involves persistence within VPN and firewall management interfaces, followed by lateral movement into internal systems such as Active Directory. In addition to building a catalogue of compromised organizations intended to be sold, this enables the attackers to escalate privileges, move across internal segments, and extract sensitive data. In several documented cases, organizations experienced full network compromise and data exfiltration, including entities in critical infrastructure and defense-related sectors.
Mitigation
Organizations should immediately implement the following defensive measures:
- Immediately rotate all VPN, firewall, and administrative credentials associated with Fortinet infrastructure, especially where reuse across systems may have occurred.
- Enforce Multi-Factor Authentication (MFA) on all VPN access points and administrative interfaces without exception.
- Apply the latest security patches for all Fortinet products, particularly FortiGate, FortiSandbox, and FortiClient EMS, prioritizing vulnerabilities related to authentication bypass and remote code execution.
- Restrict exposure of VPN and management interfaces by limiting access to trusted IP ranges or internal networks only.
- Review authentication and firewall logs for anomalies such as unusual geolocations, repeated login failures, or unexpected administrative activity.
- Assume potential compromise for any internet-exposed Fortinet system without MFA and up-to-date patching, and initiate incident response procedures where exposure is confirmed or suspected.
IoCs
Accounts present on Fortinet devices:
Credentials associated with FortiBleed include default accounts as well as those of indeterminate origin - possibly used by MSPs to manage deployments, possibly created for persistence by campaign operators - like adminin, fgtsecure and many others. A small set of passwords appears across many unrelated brands and localities. For a more complete overview of this aspect of the campaign and in the interest of not re-publicizing possibly valid credentials in an easily scrapable format, have a look at CloudSEK's analysis of the open directory which was accidentally left exposed by FortiBleed operators.
IP addresses:
References
- FortiBleed: 75,000 Fortinet Firewalls Compromised: Global Enterprises Exposed – Claim Your Ethical Disclosure | Hudson Rock
- 3 Recently Patched Fortinet FortiSandbox Vulnerabilities in Hacker Crosshairs - SecurityWeek
- https://www.helpnetsecurity.com/2026/04/16/fortinet-fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808/
- Vendor Advisories and Patches: PSIRT Advisories | FortiGuard Labs
- Analysis of Reported Credential Compromise of FortiGate Devices | Fortinet Blog
- FortiBleed: Everything You Need to Know
- Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind | CloudSEK

.avif)


.webp)


.webp)
.webp)