FortiBleed Campaign Targets 430,000 FortiGate Firewalls and Exposes Millions of Credentials
A large credential-harvesting campaign known as FortiBleed has targeted more than 430,000 FortiGate firewalls globally, according to SOCRadar’s Dismantling FortiBleed report.
The campaign did not rely on one new Fortinet zero-day. Fortinet said the activity involves threat actors reusing credentials from previous incidents and brute-forcing accounts on devices with weak password hygiene or no multi-factor authentication.
SOCRadar says the operation has been active since at least February 2026 and is likely tied to a financially motivated initial access broker with Russian-language indicators. The goal is simple: turn exposed edge devices into places where attackers can capture, crack, validate, and reuse credentials.
FortiBleed turns firewalls into credential collection points
FortiGate firewalls sit at the edge of many enterprise networks, where they can see authentication traffic moving between users, VPNs, internal services, and business systems. That position makes them valuable to defenders, but dangerous if attackers gain administrative access.
SOCRadar says the attackers used a Golang-based tool called FortigateSniffer. The tool abuses the legitimate FortiOS diagnostic command `diagnose sniffer packet` to passively monitor traffic and extract authentication material from multiple protocols.
According to the research, the operation monitored 24 protocols and fed stolen credentials and hashes into an offline cracking workflow using Hashcat, Hashtopolis, and GPU infrastructure. The campaign then used recovered credentials for further access, Active Directory activity, and data theft.
| FortiBleed detail | What was reported | Why it matters |
|---|---|---|
| Target scope | More than 430,000 FortiGate firewalls targeted | Shows global scale, but not all targets were confirmed compromised |
| Credential volume | More than 110 million credentials identified across harvest cycles | Creates serious reuse and lateral movement risk |
| Main tool | FortigateSniffer | Turns a compromised firewall into a passive credential collector |
| Technique | Uses FortiOS diagnostic packet sniffing | Abuses a legitimate administrative capability |
| Likely actor type | Financially motivated initial access broker | Stolen access can later be sold to ransomware or intrusion groups |
The campaign started with exposed devices and weak access controls
The FortiBleed activity began with large-scale reconnaissance. Attackers used scanning tools to identify exposed FortiGate devices and then attempted to validate access with leaked, reused, or guessed credentials.
Earlier reporting from Recorded Future described a dataset containing valid administrative and SSL VPN credentials for approximately 73,932 FortiGate firewall URLs across 194 countries. The same summary said security researchers validated parts of the dataset.
The number is smaller than the later 430,000 target figure because the figures describe different parts of the operation. One refers to a leaked dataset and confirmed exposure, while the larger number refers to the wider targeting pool discussed in SOCRadar’s deeper investigation.
- Attackers scanned the internet for exposed FortiGate systems.
- They tried credentials from earlier incidents and brute-force attempts.
- They gained administrative access where passwords, exposure, and MFA gaps allowed it.
- They deployed FortigateSniffer to capture live authentication traffic.
- They cracked hashes and reused recovered credentials for additional access.
SOCRadar describes a five-stage attack chain
The campaign followed a structured path from reconnaissance to credential harvesting and exfiltration. It looked less like a one-time leak and more like an industrialized access operation.
In the first stage, attackers gathered targets and credential material. In the second, they tested access against exposed services, including FortiGate devices and other systems. In the third, they deployed sniffers to capture authentication traffic.
The later stages focused on cracking and reuse. The attackers processed hashes offline, used recovered credentials to access Active Directory and other services, and then stole data from network shares or hijacked authenticated sessions.
| Attack phase | Observed activity |
|---|---|
| Reconnaissance | Mass scanning, exposed-service discovery, and target profiling |
| Initial access | Credential stuffing, brute-force attempts, and validation against exposed systems |
| Traffic harvesting | Use of FortigateSniffer to capture authentication traffic on compromised devices |
| Credential exploitation | Hash cracking, password reuse, and Active Directory enumeration |
| Data theft | Session hijacking, SMB or DFS access, and exfiltration from internal resources |
Fortinet says this is not a new Fortinet vulnerability
Fortinet’s response is important because some headlines make FortiBleed sound like a fresh device exploit. The company says its initial analysis points to reused credentials and brute-force techniques rather than a new Fortinet vulnerability.
In its FortiBleed analysis, Fortinet recommended terminating all admin and VPN sessions, resetting Fortinet VPN and administrator passwords, enforcing MFA, and upgrading to current FortiOS versions that support stronger administrator credential hashing.
That does not reduce the urgency for customers. Edge devices are high-value targets because a single compromised firewall can expose credentials, VPN access, internal routes, and trusted management pathways.
Small and midsize organizations appear heavily exposed
SOCRadar’s victimology points to a heavy focus on small and midsize organizations. The report says companies with fewer than 200 employees make up a large share of affected victims, with IT services also standing out as a key sector.

This targeting makes sense for an access broker. Smaller companies may run enterprise-grade firewalls but lack the staff and telemetry needed to detect credential capture on a perimeter device. IT service providers can also create downstream paths into customer environments.
TechCrunch reported that FortiBleed appears to involve exposed devices, old or reused credentials, and inadequate password rotation, rather than exploitation of an unknown vulnerability.
| Organization risk factor | Why FortiBleed can exploit it |
|---|---|
| Internet-exposed management interfaces | Attackers can find and test devices at scale |
| Weak or reused passwords | Credential stuffing and brute-force attempts become more effective |
| No MFA on admin or VPN accounts | A stolen password may be enough to gain access |
| Limited firewall telemetry | Packet sniffing and suspicious admin activity can go unnoticed |
| Service provider access | One compromise can create paths into multiple customer networks |
Why the 110 million credential figure is so serious
The 110 million figure does not mean 110 million unique users were breached. SOCRadar describes it as credentials identified across hundreds of harvesting cycles, including RADIUS, NTLM, Kerberos, and database authentication material.
That still creates major risk. Even a smaller number of valid credentials can help attackers move deeper into a network, access VPNs, enumerate Active Directory, reach file shares, or sell access to another criminal group.
The SOCRadar investigation also says the actor used GPU cracking infrastructure and automation to process captured authentication material at scale. This turns raw network captures into working passwords, hashes, or session access.
What defenders should do now
Organizations using FortiGate should treat the situation as an identity and edge-device security event. Patching matters, but FortiBleed also requires password resets, MFA enforcement, exposure reduction, and log review.
Recorded Future’s FortiBleed summary advised organizations to verify exposure immediately and rotate credentials. That advice applies especially to FortiGate admin accounts, VPN accounts, and any internal accounts that may have crossed affected devices in cleartext or reusable authentication flows.

Security teams should also assume that credentials captured at the firewall edge may have been reused elsewhere. That means checking Active Directory, VPN, RADIUS, NTLM, Kerberos, database services, and remote access logs for unusual authentication patterns.
- Terminate all active FortiGate admin and VPN sessions.
- Reset all Fortinet VPN and administrator credentials.
- Enable MFA for administrator and VPN accounts.
- Remove management interfaces from direct internet exposure.
- Upgrade FortiOS to supported current versions.
- Review SSH access to FortiGate devices for unusual activity.
- Search for FortigateSniffer artifacts and suspicious packet-sniffing behavior.
- Hunt for RADIUS, NTLM, Kerberos, SMB, DFS, and session-cookie misuse.
- Check whether service-provider accounts can access customer environments.
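The two hunting items above (unusual SSH or admin access, and packet-sniffing behaviour on the device) can be turned into simple log-review logic. The script below is an added example written for this article, not code from SOCRadar, Fortinet or the FortigateSniffer tool. It parses FortiOS-style key=value event lines and flags (1) bursts of failed admin or VPN logins from one source address, the credential-stuffing pattern the reports describe, and (2) any CLI-audit event showing an administrator running `diagnose sniffer packet`, then correlates the two. The sample log lines are constructed, and the field names (`logdesc`, `user`, `srcip`, `status`, `msg`) and the "Command executed" wording are assumptions about the export format, so map them onto your own log schema before using it.

```python
"""Hunt for two FortiBleed-style behaviours in FortiGate event logs:
1. a burst of failed admin/VPN logins from one source address
   (credential stuffing or brute force), and
2. an administrator invoking the built-in packet sniffer
   (`diagnose sniffer packet`), the capability FortigateSniffer abuses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in FortiOS-style key=value format. Field names and
# the CLI-audit wording are assumptions, not quotes from a real device.
SAMPLE_LOG = """\
date=2026-03-02 time=08:00:01 logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed" msg="Administrator admin login failed from ssh(203.0.113.10)"
date=2026-03-02 time=08:00:14 logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed" msg="Administrator admin login failed from ssh(203.0.113.10)"
date=2026-03-02 time=08:00:27 logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed" msg="Administrator admin login failed from ssh(203.0.113.10)"
date=2026-03-02 time=08:00:40 logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed" msg="Administrator admin login failed from ssh(203.0.113.10)"
date=2026-03-02 time=08:00:52 logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed" msg="Administrator admin login failed from ssh(203.0.113.10)"
date=2026-03-02 time=08:01:05 logdesc="Admin login failed" user="admin" srcip=203.0.113.10 status="failed" msg="Administrator admin login failed from ssh(203.0.113.10)"
date=2026-03-02 time=08:01:30 logdesc="SSL VPN login fail" user="jdoe" srcip=198.51.100.7 status="failed" msg="SSL user failed to log in"
date=2026-03-02 time=08:01:41 logdesc="Admin login successful" user="admin" srcip=203.0.113.10 status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.10)"
date=2026-03-02 time=08:03:12 logdesc="Command executed" user="admin" srcip=203.0.113.10 status="success" msg="diagnose sniffer packet any"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with a parsed `ts` datetime."""
    event = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    event["ts"] = datetime.strptime(
        f'{event["date"]} {event["time"]}', "%Y-%m-%d %H:%M:%S"
    )
    return event


def parse_log(text):
    """Parse every non-empty line of a key=value log export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {srcip: max_failures_in_window} for sources that produced at
    least `threshold` failed login events inside any `window`-long span."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("status") == "failed" and "login" in e.get("logdesc", "").lower():
            by_src[e["srcip"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def detect_sniffer_use(events):
    """Return (user, srcip, command) for each audited CLI event that invoked
    the FortiOS packet sniffer."""
    return [
        (e.get("user"), e.get("srcip"), e["msg"])
        for e in events
        if "diagnose sniffer packet" in e.get("msg", "")
    ]


def correlate(events, **burst_kwargs):
    """Sources that both generated a failed-login burst and ran the sniffer:
    the sequence the reports describe (brute force, then passive capture)."""
    bursts = detect_login_bursts(events, **burst_kwargs)
    return sorted({src for _, src, _ in detect_sniffer_use(events) if src in bursts})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", detect_login_bursts(evs))
    print("sniffer invocations:", detect_sniffer_use(evs))
    print("sources doing both:", correlate(evs))
```

Run as-is it reports one source (203.0.113.10) with six failed admin logins in about a minute, followed by a successful login and a sniffer invocation from the same address; the single SSL VPN failure from 198.51.100.7 stays below the threshold. In a real environment, any hit from `detect_sniffer_use` deserves review on its own, since the sniffer is an interactive diagnostic that normal operations rarely run unattended; the burst detector is the noisier signal and its threshold should be tuned to the device's baseline.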
The broader lesson from TechCrunch’s coverage and the threat-intelligence reports is that perimeter devices are not just security appliances. Once compromised, they can become credential collection systems that help attackers move from one victim to the next.
FAQ
FortiBleed is a large credential-harvesting campaign targeting FortiGate firewalls and other exposed services. Researchers say attackers used stolen or guessed credentials to access devices, deploy sniffing tools, capture authentication traffic, and reuse recovered credentials.
SOCRadar says the operation targeted more than 430,000 FortiGate firewalls. That does not mean every one of those devices was confirmed compromised. Earlier public datasets and reports described smaller confirmed exposure figures.
Fortinet says its initial analysis does not link FortiBleed to a new Fortinet vulnerability or recent advisory. The company says attackers appear to be reusing credentials from previous incidents and brute-forcing accounts on devices with weak password hygiene and no MFA.
FortigateSniffer is a Golang-based tool described by SOCRadar. It abuses FortiOS packet-sniffing diagnostics on compromised devices to capture authentication traffic and extract credentials or hashes from multiple protocols.
Organizations should reset FortiGate VPN and administrator passwords, terminate active sessions, enable MFA, remove management interfaces from direct internet exposure, upgrade FortiOS, review SSH access, and monitor for suspicious credential use across VPN, RADIUS, NTLM, Kerberos, SMB, and Active Directory systems.