Hackers Use FortigateSniffer to Turn FortiGate Firewalls Into Password Collectors
Security researchers say hackers are using a custom tool called FortigateSniffer to turn compromised FortiGate firewalls into passive credential collectors.
The tool does not need to exploit a new Fortinet flaw once attackers already have access. Instead, it abuses legitimate FortiOS packet-sniffing functions to watch authentication traffic moving through the firewall and collect passwords, hashes, tickets, and session material.
The activity forms part of the wider FortiBleed campaign. SOCRadar’s public FortiBleed analysis lists 86,644 confirmed working credentials across 194 countries, while a separate SOCRadar report says the broader FortigateSniffer operation targeted more than 430,000 FortiGate firewalls and exposed more than 110 million credentials.
Fortinet says the activity is not tied to a new vulnerability or recent advisory. The company says attackers appear to be reusing credentials from earlier incidents and using brute-force techniques against devices with weak password hygiene and no multi-factor authentication.
Government agencies have also warned customers to harden exposed Fortinet devices. CISA urged organizations to secure Fortinet devices after reports of credential exposure, while the UK’s NCSC said firewalls and VPN gateways have faced global targeting.
How FortigateSniffer Works
FortigateSniffer becomes dangerous only after attackers already hold valid access to a FortiGate device. SOCRadar says the tool abuses the built-in FortiOS `diagnose sniffer packet` CLI command to monitor traffic passing through a compromised firewall.
That gives attackers visibility into authentication flows that should normally pass through the edge device without exposure. The tool can collect material from multiple protocols, including RADIUS, NTLM, Kerberos, LDAP, RDP, SMB, MSSQL, FTP, Telnet, and WinRM.
After collection, the captured terminal output can be converted into packet capture files for deeper analysis. The attackers can then extract cleartext credentials, NTLMv2 hashes, Kerberos tickets, and session cookies for later use.
| Component | Reported role | Why it matters |
|---|---|---|
| FortigateSniffer | Passive traffic collection on compromised firewalls | Turns a perimeter device into a credential collection point |
| Credential brute forcing | Tests known or weak passwords against exposed Fortinet services | Helps attackers gain initial access without a new zero-day |
| Hash cracking | Uses GPU infrastructure to recover usable passwords | Can turn stolen hashes into working logins |
| Session reuse | Uses stolen cookies or tickets to maintain access | Can help attackers move deeper into victim networks |
Why FortiBleed Is a Serious Risk
Firewalls and VPN gateways sit at the edge of corporate networks. If attackers control those devices, they can do more than steal one account. They can observe access patterns, collect authentication data, create persistence, and use trusted infrastructure to move toward internal systems.
SOCRadar’s FortiBleed analysis says the exposed dataset contains verified working usernames and passwords. The company advises affected organizations to treat their perimeter as compromised and act immediately.
The NCSC’s alert says a threat actor leaked a database of credentials after brute-force, dictionary, and credential-stuffing attempts against internet-facing FortiGate and VPN portals. It also tells organizations to investigate suspicious activity and follow mitigation steps quickly.
The same concern appears in CISA’s hardening alert, which focuses on reducing the risk from exposed Fortinet devices after the credential reports. For defenders, the core issue is simple: valid credentials can bypass many security controls that focus only on malware or exploit activity.
What Organizations Should Do Now
Fortinet’s guidance recommends immediate action for potentially affected customers, especially those with internet-facing FortiGate appliances, VPN portals, or exposed management interfaces.
- Terminate active administrator and VPN sessions.
- Reset Fortinet VPN, administrator, API, and service-account passwords.
- Enable multi-factor authentication for all administrator and VPN accounts.
- Upgrade FortiGate devices to supported FortiOS versions that use stronger administrator credential hashing.
- Review configurations for unauthorized accounts, password resets, or policy changes.
- Check logs for unexpected administrator access, unknown IP addresses, and lateral movement indicators.
- Remove public internet access to management interfaces wherever possible.
- Investigate any reused credentials on other edge devices and internal services.
Organizations should not assume that password rotation alone solves the issue if logs show evidence of configuration changes, new accounts, or persistence. In those cases, responders should preserve evidence, isolate the device, investigate lateral movement, and rebuild or reset the appliance according to vendor guidance.
Key Indicators Reported in the Campaign
SOCRadar’s reporting also includes infrastructure and file indicators linked to the FortigateSniffer operation. Security teams can use these indicators for threat hunting, but they should not rely on them alone because attackers can change infrastructure quickly.
Fortinet Says This Is Not a New Zero-Day
The most important distinction for customers is that this does not currently look like a newly disclosed Fortinet zero-day. The public evidence points to credential reuse, brute forcing, exposed management surfaces, and previously compromised credential material.
That does not make the campaign less serious. A valid firewall or VPN login can give attackers the same practical result as an exploit: access to a trusted device at the edge of the network.
For security teams, the priority is to confirm exposure, rotate credentials, enforce MFA, review device configuration, update firmware, and reduce the number of Fortinet services reachable from the public internet.
FAQ
What is FortigateSniffer?
FortigateSniffer is a custom Golang-based tool that can turn a compromised FortiGate firewall into a passive credential collector. It abuses legitimate FortiOS packet-sniffing functionality after attackers have already gained access to the device.
Is this a new Fortinet vulnerability?
Fortinet says the reported activity is not related to a new Fortinet vulnerability or recent advisory. Current reporting points to credential reuse, brute-force attacks, credential stuffing, and weak password hygiene on exposed devices.
What can attackers collect?
Attackers can collect authentication material that passes through a compromised firewall. Reported data includes cleartext credentials, NTLMv2 hashes, Kerberos tickets, RADIUS material, session cookies, and other login-related traffic.
Who should investigate?
Any organization using internet-facing Fortinet FortiGate firewalls, SSL VPN portals, or exposed management interfaces should investigate. The risk is higher for organizations that reuse credentials, lack MFA, expose admin access to the internet, or have not rotated passwords after earlier incidents.
What should organizations do?
Organizations should terminate active admin and VPN sessions, reset Fortinet credentials, enable MFA, update FortiOS, review logs, check for unauthorized accounts or configuration changes, and restrict public access to management interfaces.