On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) advised Fortinet clients using FortiGate devices to implement security measures. This comes in response to a large-scale attack targeting thousands of devices accessible over the internet.
Known by the codename FortiBleed, this extensive campaign is being linked to Russian-speaking hackers. As of June 19, 2026, reports indicate that 86,644 devices have been compromised.
SOCRadar’s data shows that a majority of the stolen credentials are generic admin accounts (35%) and built-in Fortinet system accounts (28.3%). Specific organizational accounts make up the remaining 36.7% of the breached information.
SOCRadar explained, “This suggests a universal failure to update default account names or factory-set passwords, effectively providing attackers with a reliable list of targets without needing to resort to brute-force methods.”
They added, “The fact that organization-specific accounts are largely affected is a major concern. It indicates that the attackers haven’t just harvested default logins but have also successfully infiltrated accounts created by the organizations, likely using credentials from previous, unresolved security breaches.”
Telecom, government, and educational sectors have been identified as the primary targets. The countries with the highest number of affected systems are India, the U.S., Mexico, Colombia, and Thailand.
Reports indicate that the attacker conducted extensive internet scans to find Fortinet remote access login points. They then utilized a unique tool to automatically try various known login details in an attempt to gain entry.
This automated attack operates through a continuous two-stage process:
- The attackers test a curated selection of previously leaked Fortinet passwords on devices located across the globe.
- Once access is gained, they discreetly capture network traffic moving through these devices to steal additional credentials. These new credentials are then used to breach even more appliances.
The compromised credentials are genuine and accurate, with each one verified for validity before being put into a database of confirmed working logins.
Hudson Rock remarked, “The scale of this security breach impacts virtually every sector of the global economy, leaving no industry unaffected. These malicious actors have built a validated collection of active credentials for many of the world’s largest corporations.”
The U.K. National Cyber Security Centre (NCSC) has identified FortiBleed as a global effort targeting Fortinet firewalls and VPN gateways directly exposed to the internet, using brute-force, dictionary attacks, and credential stuffing.
It is believed that the hackers exploited the older method used to hash credentials, and the way such data has traditionally been stored within FortiGate configurations, to carry out the attack at scale.
Arctic Wolf clarified, “Fortinet implemented PBKDF2-based password hashing for administrator accounts in FortiOS versions 7.2.11, 7.4.8, and 7.6.1, replacing the older SHA-256 method. However, when upgrading, any existing administrator passwords remained stored as SHA-256 hashes until the corresponding administrator logged in again post-upgrade.”
As a result, it is probable that numerous organizations are still relying on the older SHA-256 with Salt hashing mechanisms for their admin credentials.
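The following is an added illustration of the migration gap described above, not Fortinet's code: a credential store that keeps legacy salted-SHA-256 records until the owner logs in, upgrades them to PBKDF2 at that moment, and can report which accounts were never migrated. The scheme names, the iteration count and the sample accounts are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed example: "sha256" marks a legacy salted record, "pbkdf2" an upgraded one.
PBKDF2_ITERATIONS = 600_000  # assumed parameter for this example


def legacy_sha256_hash(password: str, salt: bytes) -> bytes:
    # Single-pass salted SHA-256: cheap to compute, so leaked password lists
    # can be tested against it very quickly.
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with many iterations: every guess costs far more work.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_legacy_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "sha256", "salt": salt, "hash": legacy_sha256_hash(password, salt)}


def verify_and_migrate(record: dict, password: str) -> bool:
    """Check a login; on success, rehash a legacy record in place with PBKDF2."""
    if record["scheme"] == "sha256":
        ok = hmac.compare_digest(record["hash"], legacy_sha256_hash(password, record["salt"]))
        if ok:  # the upgrade only happens once the account actually logs in
            salt = os.urandom(16)
            record.update(scheme="pbkdf2", salt=salt, hash=pbkdf2_hash(password, salt))
        return ok
    return hmac.compare_digest(record["hash"], pbkdf2_hash(password, record["salt"]))


def legacy_accounts(store: dict) -> list:
    """Audit helper: admin accounts still protected only by the legacy hash."""
    return sorted(name for name, rec in store.items() if rec["scheme"] == "sha256")


def demo() -> tuple:
    # Two admins exist before the "upgrade"; only one of them logs in afterwards,
    # so the other stays on the legacy hash indefinitely.
    store = {"admin": make_legacy_record("Summer2024!"),
             "netops": make_legacy_record("correct horse")}
    logged_in = verify_and_migrate(store["admin"], "Summer2024!")
    wrong_guess = verify_and_migrate(store["netops"], "bad guess")
    return logged_in, wrong_guess, legacy_accounts(store)
```

Running `demo()` shows the `netops` account still listed as legacy, which is the state the CISA guidance below asks administrators to eliminate by forcing password resets.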
Fortinet, in a statement provided to The Hacker News, said, “This data likely represents a re-sharing of information from previous incidents, combined with credential brute-forcing, and is not tied to any current incident or advisory.” They advised organizations to maintain security best practices, including regular credential rotation and enabling multi-factor authentication (MFA).
Based on the ongoing activity, CISA has provided the following guidelines for defense:
- Terminate all active SSL VPN and administrative sessions, reset all Fortinet VPN and administrative passwords, specifically for systems exposed to the internet, and enforce robust password policies.
- Implement the Password-Based Key Derivation Function 2 (PBKDF2) algorithm for storing administrator credentials, ensuring weaker legacy hash algorithms are removed.
- Examine logs from firewalls, VPNs, authentication systems, and domain controllers for any signs of anomalous behavior, such as unauthorized configuration adjustments.
- Implement phishing-resistant multi-factor authentication (MFA) on all external access gateways and admin interfaces.
- Minimize the attack surface and properly lock down management controls.
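As an added example of the log review CISA recommends (not from CISA or Fortinet), the script below parses constructed key="value" event lines and flags two patterns relevant to this campaign: one admin user failing logins from several distinct sources, and configuration edits coming from outside an assumed trusted management network. The field names and the sample lines are assumptions and do not claim to match Fortinet's documented log schema.

```python
import re
from collections import defaultdict

# Constructed sample lines; field names are assumptions for this example.
SAMPLE_LOG = """\
date=2026-06-18 time=09:01:02 type="event" action="login" status="failed" user="admin" srcip="203.0.113.10"
date=2026-06-18 time=09:01:03 type="event" action="login" status="failed" user="admin" srcip="203.0.113.11"
date=2026-06-18 time=09:01:04 type="event" action="login" status="failed" user="admin" srcip="203.0.113.12"
date=2026-06-18 time=09:01:05 type="event" action="login" status="success" user="admin" srcip="203.0.113.12"
date=2026-06-18 time=09:02:10 type="event" action="Edit" cfgpath="system.admin" user="admin" srcip="203.0.113.12"
date=2026-06-18 time=10:15:00 type="event" action="login" status="success" user="netops" srcip="198.51.100.5"
"""
TRUSTED_ADMIN_NETS = ("198.51.100.",)  # assumed management-network prefix

KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one key=value / key="value" line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV.finditer(line)}


def analyze(log_text: str, fail_threshold: int = 3) -> dict:
    """Flag spray-style admin login failures and config edits from untrusted sources."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failed_sources = defaultdict(set)
    findings = {"sprayed_users": [], "untrusted_config_edits": []}
    for e in events:
        if e.get("action") == "login" and e.get("status") == "failed":
            # Same username, many source addresses: typical of credential stuffing.
            failed_sources[e["user"]].add(e["srcip"])
        if e.get("action") == "Edit" and not e["srcip"].startswith(TRUSTED_ADMIN_NETS):
            # Configuration change from outside the management network.
            findings["untrusted_config_edits"].append((e["user"], e["srcip"], e.get("cfgpath")))
    findings["sprayed_users"] = sorted(
        u for u, ips in failed_sources.items() if len(ips) >= fail_threshold)
    return findings
```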
The FortiBleed security incident was initially revealed last week after security researcher Volodymyr “Bob” Diachenko discovered a server containing a database of valid login credentials for thousands of firewalls and VPN gateways spanning 194 countries. SOCRadar also reported that the server hosted the attacker’s tools and automation scripts.
These findings highlight how the reuse of credentials and inadequate password security can be taken advantage of by hackers. They also underscore that perimeter security devices remain a prime target for gaining unauthorized access to corporate networks.