AbejaIT AbejaIT

FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

04.07.2026

The FortiBleed campaign, attributed to a Russian-speaking initial access broker, led to leakage of over 110 million credentials from more than 430,000 FortiGate devices worldwide. Active since February 2026, the operation combines exposure scanning, brute-force attacks, and dedicated credential harvesting tools. Organizations using Fortinet firewalls should immediately verify access configurations and implement multi-factor authentication.

The FortiBleed campaign, attributed to a Russian-speaking initial access broker (IAB), collected over 110 million credentials from more than 430,000 FortiGate devices worldwide. Active since February 2026, the operation combines mass internet scanning for exposed admin interfaces, brute-force attacks, and dedicated credential harvesting tools. For B2B companies using FortiGate as network perimeter, immediate configuration verification and admin password rotation are required.

Why Firewalls Are IAB Targets

FortiGate often serves as the sole entry point to corporate networks from the internet. Admin account compromise gives attackers: rule modification (VPN backdoor opening), traffic interception, malicious policy installation, and pivot to all segments behind the firewall. IABs sell such access to ransomware groups—hence mass scanning and brute-force at 430,000 device scale.

Many devices were exposed with default or weak admin passwords, HTTPS admin access from internet enabled, and no MFA. FortiBleed is not a zero-day—it is the consequence of years of edge device hardening neglect.

FortiGate Hardening Checklist

  • MFA – enable multi-factor authentication on all admin accounts.
  • No internet admin – access only via VPN or DMZ jump host.
  • Strong passwords – rotation and uniqueness; never factory defaults.
  • Current FortiOS – patch all known CVEs (including historical).
  • Logging – forward logs to SIEM; alerts on failed login bursts.

Response After Potential Compromise

If your FortiGate may have been targeted: immediately change admin and VPN account passwords, review firewall rules for unauthorized entries (allow any, new VIPs, SSL-VPN users), compare configuration with known-good backup, and rotate IPsec/SSL VPN keys. Threat hunt internal network—attackers with FortiGate access may have already pivoted further.

Check whether FortiGate admin credentials appeared in leak monitoring (Have I Been Pwned, vendor credential monitoring). Assume breach for devices with internet-exposed admin in recent months.

Zero Trust Architecture for Edge Devices

Firewall administration plane should be completely separated from data plane. Use out-of-band management network, disable admin on WAN interface, enable trusted hosts. For multi-branch organizations—central FortiManager with RBAC and audit logging.

Through our IT infrastructure services, we conduct FortiGate configuration audits, MFA deployment, and segmentation. SIEM integration enables early brute-force detection before IABs sell access.

Shared Fortinet Policies in Multi-Branch Organizations

Companies with multiple FortiGates should centralize policies via FortiManager—single MFA policy and admin access restriction updates propagate across the fleet. FortiAnalyzer aggregates logs from all devices, enabling FortiBleed brute-force campaign detection targeting multiple branches simultaneously. Without centralization, each branch may have different admin exposure—as in the 430,000 device statistic.

Admin password rotation should synchronize with user VPN account rotation—compromised FortiGate often serves remote access user credential harvesting.

Threat Intelligence and FortiBleed

Organizations should subscribe to FortiGuard threat intelligence and FortiBleed-related IoC feeds—attacker script hashes, C2 IPs, brute-force patterns. Firewall and proxy blocking before FortiGate admin interface access reduces attempt counts. IoC sharing with industry ISAC and national CSIRT accelerates collaborative defense.

After admin password rotation, conduct external FortiGate interface penetration tests—external audits often reveal exposure internal scans miss due to split tunnel or VPN.

FortiGate in HA (High Availability) mode requires patching both nodes in Fortinet-documented sequence—incorrect procedures can cause split-brain or WAN connectivity loss during FortiBleed remediation. Test HA patch procedures in lab before production.

Require strong passwords and MFA for VPN users—FortiBleed harvested remote access user credentials; even after admin hardening, compromised user accounts remain a vector.

Add FortiGate to internal bug bounty programs—reward employees for reporting admin UI exposure and weak configurations before FortiBleed campaign attackers find them.

Enable SIEM alerts on >10 failed logins/min on FortiGate SSL-VPN interface—early FortiBleed brute-force campaign signal.

Apply geo-blocking on FortiGate admin HTTPS—access only from organization headquarters country limits FortiBleed mass scanning from foreign botnets.

Test FortiGate configuration restore from offline backup—after FortiBleed incidents, rapid known-good config restore shortens return-to-operations time.

Conclusion

FortiBleed is mass FortiGate credential harvesting—mainly through weak configurations, not zero-days. MFA, no internet admin, and FortiOS patching are must-haves. We invite audit inquiries through our IT services for businesses.

Source: The Hacker News – FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation