Credential-Harvesting Campaign Compromises 30,000 Fortinet Firewalls
A large-scale credential-harvesting campaign has compromised more than 30,000 Fortinet FortiGate firewalls and VPN gateways across 194 countries, according to SOCRadar, which said the attackers amassed a database of 30,791 verified working credentials. Researchers said the operation targeted internet-facing Fortinet management and VPN interfaces using credential stuffing, password spraying, brute-force attempts, and reused passwords from prior leaks, and found no evidence of a Fortinet zero-day or a breach of Fortinet itself.
The attackers allegedly used compromised devices as listening posts to capture additional credentials and feed them into an automated attack chain, broadening access across sectors including telecommunications, government, healthcare, finance, education, energy, and other critical infrastructure. Telecom was reported as the most affected sector, while government entities accounted for 591 entries across 111 domains; India and the United States represented nearly one-third of identified compromises. SOCRadar said the campaign remained active and assessed it as critical, with tooling and victim selection described as consistent with Russian-speaking threat actors and possible motives spanning both financial gain and cyberespionage.

How this story unfolded
16 events from the most recent confirmed update back to the earliest known activity.
Fortinet confirms credential campaign and begins notifying affected customers
On 2026-06-19, Fortinet said the reported FortiBleed activity was a credential-harvesting campaign using reused credentials and brute-force attacks, not a new Fortinet vulnerability or recent Fortinet incident. The company said it had identified potentially compromised systems, launched an investigation with relevant government agencies, and was proactively notifying affected customers while urging credential resets, MFA, and hardening.
CloudSEK revises FortiBleed victim counts after attacker server analysis
On 2026-06-19, CloudSEK published a technical analysis of an exposed FortiBleed attacker back-end and said the campaign was a credential-compromise operation rather than a Fortinet zero-day. The firm said widely cited victim totals were overstated, assessing that 918 organizations showed captured internal Kerberos traffic and only 148 represented confirmed compromises with cracked and verified Active Directory credentials.
Recorded Future links FortiBleed activity to IP and attacker tooling
Recorded Future’s Insikt Group linked FortiBleed-related activity to IP address 85[.]11[.]187[.]8 and reported infrastructure and tooling consistent with credential harvesting, hash cracking, password spraying, Active Directory enumeration, SMB/DFS collection, staged exfiltration, and log clearing. The report also reiterated attribution to a Russian-speaking threat group and urged immediate credential rotation, MFA enforcement, hardening, and investigation for downstream compromise.
Researchers attribute FortiBleed campaign to Russian-speaking crime group
On 2026-06-18, GovInfoSecurity reported researcher Volodymyr Diachenko's attribution of the FortiBleed-related operation to a Russian-speaking multi-operator cybercrime group. The report said the group intercepts SSL VPN authentication, cracks harvested hashes with a Hashtopolis-managed GPU cluster, and pivots from compromised Fortinet devices into internal Active Directory environments.
CISA urges hardening Fortinet devices after FortiBleed reports
On 2026-06-18, CISA warned that malicious actors were targeting internet-accessible Fortinet devices in government and private sector organizations using compromised credentials associated with FortiBleed. CISA said the exposure involved roughly 74,000 Fortinet devices and urged organizations to terminate active sessions, reset VPN and admin passwords, enforce phishing-resistant MFA, verify PBKDF2 credential storage, review logs, and restrict public internet management access.
Canadian Centre for Cyber Security issues FortiBleed alert
On 2026-06-18, the Canadian Centre for Cyber Security issued Alert AL26-014 warning that exposed Fortinet credentials in the FortiBleed campaign could enable remote access to affected devices and connected networks and allow attackers to alter security settings. The agency advised auditing for unauthorized accounts such as "forticloud-sync" and "forticloud-tech," restricting management access, terminating active sessions, resetting passwords, enforcing MFA, updating firmware, and verifying patches for CVE-2024-55591, CVE-2025-59718, and CVE-2025-59719.
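Two of the checks above (auditing for unexpected admin accounts such as "forticloud-sync" and restricting management access) can be run against an exported configuration. The following Python auditor is an added example, not code from the page or any agency; the FortiOS-style config layout (config/edit/set/next/end) and the sample backup are assumptions.

```python
# Added example (constructed, not from any real device): audit a FortiOS-style
# config backup for unexpected admin accounts and management access on WAN ports.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
    next
end
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https
    next
end
"""
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}
def parse_sections(text):
    """Parse flat config/edit/set/next/end blocks (nested config blocks not handled)."""
    sections, cur, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.setdefault((cur := line[7:]), {})
        elif line.startswith("edit ") and cur is not None:
            sections[cur][(entry := line[5:].strip('"'))] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            sections[cur][entry][key] = value
        elif line == "next":
            entry = None
        elif line == "end":
            cur = entry = None
    return sections
def audit(config_text, known_admins):
    """Return findings: admins outside the allow-list, WAN interfaces exposing mgmt."""
    cfg = parse_sections(config_text)
    findings = [f"unexpected admin account: {name}"
                for name in cfg.get("system admin", {}) if name not in known_admins]
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = set(attrs.get("allowaccess", "").split()) & MGMT_PROTOCOLS
        if attrs.get("role") == "wan" and exposed:
            findings.append(f"management exposed on WAN {name}: {sorted(exposed)}")
    return findings
```

Run against a real export, every admin name not in your documented allow-list and every WAN-facing interface that still lists http/https/ssh/telnet is a finding to act on.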
UK NCSC issues alert on Fortinet targeting and response guidance
On 2026-06-18, the UK National Cyber Security Centre warned that Fortinet firewalls and VPN gateways were being globally targeted and said there were some indications of potential impact in the UK. The agency advised organizations to investigate for compromise, isolate affected devices, collect forensic artefacts before factory reset, enforce MFA, update or remove unsupported systems, and review for persistence and lateral movement.
SOCRadar raises FortiBleed compromise count to more than 86,000 devices
A June 18 report said the FortiBleed campaign had successfully compromised more than 86,000 internet-exposed Fortinet firewall and VPN gateway devices across 194 countries. The report said the operation continued using password-based access and adversary-in-the-middle interception rather than a Fortinet breach or zero-day.
TechCrunch names major companies allegedly affected by FortiBleed
On 2026-06-17, TechCrunch reported that organizations including Accenture, Comcast, Foxconn, Lenovo, Oracle, Samsung, Siemens, and PwC were among the alleged victims of the FortiBleed campaign targeting exposed Fortinet firewalls and VPNs. The report attributed the victim list to Hudson Rock and SOCRadar's analysis of the broader credential-harvesting operation.
Researchers confirm downstream intrusions tied to FortiBleed campaign
Researchers reported that the FortiBleed campaign led to confirmed follow-on compromises at organizations in multiple countries, including persistence, lateral movement, and document exfiltration. The report specifically cites a Turkish NATO defense contractor among the affected organizations.
Kevin Beaumont reports 75,000 Fortinet firewalls with exposed admin credentials
On 2026-06-17, Kevin Beaumont reported that a recent dataset containing plaintext or crackable administrator credentials for about 75,000 Fortinet firewall devices appeared legitimate, with many affected devices still online and exposing management interfaces to the internet. He said the data likely came from exported device configurations, warned that attackers could use the credentials to access firewalls and create backdoors, and recommended credential rotation, FortiOS upgrades, MFA, and assuming compromise.
Researchers disclose exposed 'FortiBleed' dataset of Fortinet credentials
On 2026-06-17, BleepingComputer reported a newly disclosed leak dubbed 'FortiBleed' exposing credentials tied to 73,932 Fortinet firewall URLs across 194 countries. Researcher Bob Diachenko discovered the exposed server, and analysis by Hudson Rock indicated the data included plaintext passwords and operational notes consistent with a large-scale credential-harvesting campaign.
Threat actor compromises 30,791 Fortinet devices in global credential campaign
SOCRadar reported an active campaign in which attackers systematically compromised Fortinet FortiGate firewalls and VPN gateways across 194 countries, building a database of 30,791 verified working credentials. The operation reportedly used automated scanning, credential stuffing, brute-force attempts with previously leaked Fortinet passwords, and traffic monitoring on compromised devices to harvest additional credentials.
Initial access broker claims FortiBleed activity on Exploit.in
Unit 42 reported that on 2026-06-16 an initial access broker on the Russian-language forum Exploit[.]in claimed responsibility for the FortiBleed campaign, referenced a CVE, and offered harvested credentials for sale. Unit 42 said it had not validated the actor's claim.
SOCRadar publishes findings on Fortinet credential-harvesting campaign
On 2026-06-16, SOCRadar published its report describing the ongoing Fortinet-focused campaign, stating there was no evidence of a Fortinet zero-day or compromise of Fortinet itself. The report said telecom was the most affected sector, identified significant impact on government entities, and recommended password resets, MFA, log review, restricted management exposure, firmware updates, and incident response engagement.
SpyCloud dates FortiBleed campaign start and multi-platform targeting
SpyCloud assessed that the FortiBleed operation began on 2026-05-19 as a live initial access broker campaign using mass scanning and credential attacks. The researchers said the actors targeted not only Fortinet FortiGate devices but also Synology DSM, Sophos firewalls, and MSSQL servers.
Sources
FortiBleed Exposes Global Credential-Spraying Operation (securityaffairs.com)
CISA Warns of Active Exploitation Following FortiBleed Leak (securityaffairs.com)
Threat Brief: Mitigating Large-Scale Credential Attacks (unit42.paloaltonetworks.com)
Inside the FortiBleed Dataset (flare.io)
Fortinet FortiGate Bruteforce Campaign Exposed, Volodymyr "Bob" Diachenko (linkedin.com)
Executive summary based on my investigation report: a Russian-speaking multi-operator group conducting large-scale credential harvesting against Fortinet FortiGate SSL VPN appliances, Volodymyr "Bob" Diachenko (linkedin.com)