In mid-June 2026, researchers disclosed an active, large-scale credential compromise campaign against internet-facing Fortinet FortiGate firewalls, dubbed "FortiBleed". It is not a single patchable flaw but a sustained campaign exploiting weak credential storage on FortiGate devices alongside credential guessing against exposed management and SSL VPN interfaces.
The actor harvests configuration files and cracks the stored hashes offline. Fortinet introduced stronger PBKDF2 hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1, but on upgraded devices administrator passwords remain stored as weaker salted SHA-256 until each admin next logs in, and legacy hashes can persist in a hidden 'old-password' field. Researchers report confirmed working administrator credentials for an estimated 30,000 to 75,000 devices across 194 countries. The same actor has also targeted FortiWeb, MSSQL, and other services, and the campaign has been active since at least March 2026 despite only being disclosed this week. Activity is attributed to a Russian-speaking cybercriminal group. Figures are provisional and named-victim claims unverified.
We assess it is highly likely that validated credentials will be used, or sold for use, to obtain initial access. Given FortiGate's perimeter position and the history of Fortinet compromises preceding ransomware and data theft, the potential impact is significant.
Remediation
We urgently advise all organisations operating internet-facing FortiGate firewalls or SSL VPN gateways to:
- Treat all administrator and VPN credentials on exposed devices as compromised and reset them as a priority
- Enforce multi-factor authentication on all administrative and remote access accounts
- Restrict management interfaces to trusted internal networks; they should not be internet-facing
- Enforce PBKDF2 by requiring every administrator to log in once after upgrade, or resetting remaining accounts via a super_admin
- In FortiOS v7.2.x and v7.4.x, enable 'login-lockout-upon-weaker-encryption' to remove residual SHA-256 hashes
Affected products
FortiGate / FortiOS devices upgraded from a release prior to 7.2.11, 7.4.8, or 7.6.1 where administrators have not re-authenticated, devices retaining hashes in the 'old-password' field, and any internet-facing FortiGate management or SSL VPN interface. Treat exposure as a function of internet accessibility and upgrade history, not a single version number.
Indicators of compromise
Technical indicators are limited; the primary signal is exposure. Review for:
- An exposed management or SSL VPN interface visible on internet device search engines (e.g. Shodan)
- SHA-256 hashes in the 'old-password' field of a super_admin configuration backup
- Administrator or VPN logins from unexpected addresses, geolocations, or hours, or new admin/VPN accounts and policy changes
- Authentication activity from source IP 85.11.187.8 / AS211486 (independent honeypot finding, not confirmed campaign-wide; use as a log-review starting point)
If malicious activity is identified
- Trigger your incident response plan and engage an expert incident response firm
- Preserve evidence, including configuration backups and logs
- Contain the actor's access and rotate all credentials that may have transited the device
- Threat hunt and eradicate to remove the actor from the network
- Conduct forensics across impacted and downstream systems for potential data exfiltration.
Please contact S-RM if you are concerned about your organisation’s exposure.