CRITICALFortiBleed is actively compromising Fortinet firewalls. Is your domain exposed?
Run free scan
CyberXtron
FortiBleed: Inside the Credential Heist That Exposed 73,000+ Fortinet Firewalls Worldwide
#cyberxtron#Fortinet#fortibleed#Fortinet firewall#Credential Stuffing

FortiBleed: Inside the Credential Heist That Exposed 73,000+ Fortinet Firewalls Worldwide

Executive Summary

A large-scale, ongoing credential harvesting campaign — dubbed "FortiBleed" has compromised over 73,932 unique Fortinet FortiGate firewall URLs spanning 194 countries, exposing verified login credentials for VPN gateways and administrative interfaces belonging to some of the world's largest enterprises and government organizations.

highly automated operation believed to be orchestrated by a Russian-speaking, multi-operator cybercriminal group. The attackers weaponized previously stolen credentials sourced from infostealer malware and historic Fortinet breaches, firing them at internet-exposed FortiGate devices at industrial scale  an estimated 1.16 billion credential attempts against over 320,000 FortiGate targets alone.

What makes FortiBleed especially alarming is not a novel zero-day exploit, but rather the ruthless exploitation of fundamental security failures: default administrator accounts, unrotated passwords from prior breaches, exposed management interfaces, and outdated credential hashing mechanisms. The attackers then leveraged compromised firewalls as listening posts, siphoning additional credentials from traversing traffic to fuel further compromise in a self-reinforcing cycle of access.

FortiBleed represents a strategic wake-up call: perimeter security is only as strong as the credentials protecting it.

Key Takeaways

  • Over 73,932 unique Fortinet firewall URLs across 194 countries have had credentials verified as compromised — approximately half of all internet-accessible Fortinet firewalls globally.
  • The threat actors executed an estimated 1.16 billion brute-force attempts against FortiGate targets and 2.1 billion against Microsoft SQL Server systems in a parallel campaign.
  • Attackers actively intercepted SSL VPN authentication hashes and cracked them offline using a dedicated 45-GPU cluster managed via Hashtopolis.
  • Many compromised credentials were complex passwords that had already been stolen via infostealer malware — password complexity alone provides no protection in this threat model.
  • The majority of compromised accounts were generic administrator or default built-in Fortinet accounts — a failure to rename or rotate factory credentials.
  • Older SHA-256 with Salt credential hashing (not PBKDF2) persisted on devices where admins had not re-logged in after early 2025 firmware updates, leaving them highly susceptible to offline cracking.

The attacker's exposed operational server revealed highly organized breach logs, automated tooling, and a verified credential repository. Defense industry VPN endpoints in the dataset suggest the group's ambitions extend beyond purely financial targets, overlapping with espionage objectives. Victim selection, heavily weighted toward organizations in NATO member countries, is a persistent fingerprint of Russian-nexus threat actors.

Attack Method

The FortiBleed campaign follows a methodical, multi-phase attack chain:

Phase 1 — Reconnaissance & Internet Scanning

The threat actors systematically swept the internet for publicly exposed Fortinet FortiGate management interfaces. Devices where the FortiGate management panel was left accessible on the public internet were flagged as high-value targets.

Phase 2 — Credential List Assembly

Rather than generating random passwords, the attackers assembled a curated, high-fidelity credential list sourced from:

  • Historic Fortinet configuration dumps and prior breach datasets
  • Infostealer malware logs (credentials harvested from infected enterprise endpoints)
  • Public credential leak repositories

Phase 3 — Automated Credential Stuffing at Scale

The group deployed automated credential stuffing tools against over 320,000 FortiGate targets, logging every successful authentication. The operation executed approximately 1.16 billion credential attempts against FortiGate devices.

Phase 4 — SSL VPN Hash Interception & Offline Cracking

For devices using SSL VPN, the attackers actively intercepted authentication hashes in transit and cracked them offline using a dedicated 45-GPU cluster managed via Hashtopolis — a distributed hash-cracking framework. Devices still running the older SHA-256 with Salt credential format (rather than Fortinet's newer PBKDF2 standard introduced in early 2025) were particularly vulnerable to this approach.

Phase 5 — Persistent Foothold & Traffic Monitoring

Once a device was compromised, the attackers repurposed it as a listening post — monitoring all traffic traversing the gateway to harvest additional credentials in real time. These freshly captured credentials were fed back into the credential scanning engine, creating a self-reinforcing compromise loop.

Phase 6 — Active Directory Lateral Movement

Confirmed access to FortiGate VPN gateways allowed operators to pivot directly into internal Active Directory environments, enabling deep, persistent network access that could survive routine credential rotations and security checks at the perimeter.

Parallel Campaign — MSSQL Targeting

Concurrently, the same group executed approximately 2.1 billion brute-force attempts against over 163,650 Microsoft SQL Server systems, suggesting a broader enterprise infrastructure compromise strategy.

Top Ports Targeted

Port 443 stands out as the primary vector because it serves as the standard HTTPS port and the default for Fortinet SSL VPN interfaces. The inclusion of alternative ports such as 4443, 8443, and 10443 indicates the scanner was specifically configured to target all common Fortinet deployment configurations, rather than just standard installations.

Targeted Vulnerability

FortiBleed does not exploit a single, named CVE in the traditional sense. Instead, it targets a constellation of security misconfigurations and hygiene failures:

Note: Fortinet introduced stronger PBKDF2 password hashing in early 2025, but this protection only activated when administrators actively logged in after applying the firmware update — meaning many devices remained on the vulnerable SHA-256 format regardless of patch level.

Targeted Countries

The campaign's reach spans 194 countries, with particularly heavy concentration in:

  • United States
  • India
  • NATO member states
  • European Union member states
  • Asia-Pacific enterprise hubs (Japan, South Korea, Australia)
  • Middle East and Gulf nations

The victim geographic distribution is consistent with a threat actor targeting Western and allied-nation enterprise and government infrastructure.

Targeted Industries :

FortiBleed's victim list touches virtually every sector of the global economy. The following industries have confirmed exposure:

 

 MITRE ATT&CK TTPs :

T1595.001 : Active Scanning: Scanning IP Blocks

T1596 : Search Open Technical Databases

T1650 : Acquire Access

T1588.006 : Obtain Capabilities: Vulnerabilities

T1078.001 : Valid Accounts: Default Accounts

T1078.002 : Valid Accounts: Domain Accounts

T1110.001 : Brute Force: Password Guessing

T1110.004 : Brute Force: Credential Stuffing

T1133 : External Remote Services

T1557 : Adversary-in-the-Middle

T1110.002 : Brute Force: Password Cracking

T1040 : Network Sniffing

T1021.001 : Remote Services

T1550.002 : Use Alternate Authentication Material: Pass the Hash

T1078 : Valid Accounts

T1098 : Account Manipulation

T1119 : Automated Collection

T1020 : Automated Exfiltration

T1571 : Non-Standard Port

Indicators of Compromise (IOCs) :

Due to the nature of this campaign  credential stuffing using legitimate accounts and infrastructure  traditional network-based IOCs are limited. The most actionable indicators are behavioral and credential-based.

Behavioral IOCs

  • Unexpected authentication attempts against FortiGate admin panels from foreign or anonymized IP addresses
  • Successful logins from unusual geographic locations or at unusual hours
  • Admin sessions initiated from Tor exit nodes, VPN providers, or datacenter IP ranges (non-enterprise ASNs)
  • Multiple rapid authentication successes across different accounts on the same device
  • Newly established SSL VPN sessions not correlated with known users
  • Unusual outbound traffic volume from FortiGate devices (potential listener activity)
  • Active Directory logins immediately following FortiGate VPN authentication from unusual sources

Network IOCs

  • Authentication traffic targeting FortiGate management port (TCP/443, TCP/8443) from mass-scanning source IPs
  • SSL VPN hash capture attempts on network segments hosting FortiGate devices
  • Outbound connections from FortiGate devices to unknown external IPs (potential C2 or data staging)

Mitigation Recommendations

1. Rotate All Credentials Immediately rotate all FortiGate administrative and SSL VPN user credentials. Treat every existing credential as potentially compromised. Prioritize accounts matching common generic names (admin, built-in system accounts).

2. Enable Multi-Factor Authentication Enforce MFA on all remote access and administrative accounts for FortiGate devices without exception. This single control would have blocked the vast majority of FortiBleed access attempts.

3. Restrict Management Interface Exposure Apply local-in policies to restrict FortiGate management panel access to trusted internal IP ranges only. Remove management interfaces from the public internet immediately. Disable FortiCloud SSO if not actively required.

4. Review Authentication Logs Examine all FortiGate gateway logs for: unusual login locations, unexpected admin sessions, high-frequency authentication attempts, and VPN sessions outside business hours or from anomalous IP ranges.

Short-Term Actions (Within 1 Week)

5. Upgrade FortiOS Firmware Ensure all FortiGate devices are running the latest stable FortiOS version. Critically — after applying firmware, have administrators actively log in to trigger the migration from SHA-256 to PBKDF2 password hashing.

6. Eliminate Default and Generic Accounts Audit all FortiGate devices for default, generic, or built-in administrator accounts. Rename, disable, or delete any that are not actively required. The majority of FortiBleed compromises leveraged these accounts.

7. Audit Long-Lived Credentials Implement a mandatory credential rotation policy. Any password unchanged for more than 90 days should be considered at risk. Prioritize accounts that may have existed during the 2023–2025 Fortinet breach timeline.

8. Network Segmentation Ensure that FortiGate VPN gateways cannot be used as unrestricted pivot points into internal Active Directory environments. Implement least-privilege network segmentation between the VPN demilitarized zone and internal corporate networks.

9. Deploy Threat Detection Rules Add SIEM detection rules for:

  • Repeated authentication failures on FortiGate followed by a success
  • Successful VPN logins from non-standard geographic locations
  • Admin logins from Tor, residential proxies, or datacenter IP ranges

Conclusion

FortiBleed is not a story about a sophisticated zero-day vulnerability or a nation-state's covert implant. It is a story about the consequences of years of accumulated security debt — default accounts never renamed, passwords never rotated after prior breaches, management interfaces left open to the world, and authentication hashing mechanisms left on legacy configurations.

The attackers did not need to be brilliant. They needed to be patient, systematic, and automated — and they were all three. With a curated list of stolen credentials, a GPU farm, and an automated scanning engine, a Russian-speaking criminal group quietly assembled verified access to over 73,000 of the world's most widely deployed network security devices. Many of those devices belong to some of the largest enterprises and governments on the planet.

The self-reinforcing nature of the compromise — where breached firewalls become credential harvesting sensors feeding the next wave of attacks — means that delayed response compounds the damage. Organizations that do not act immediately risk having their VPN credentials used not just for initial access, but as a foundation for deep, persistent compromise of internal infrastructure.

The core lesson of FortiBleed is that perimeter security devices are not immune to the same hygiene failures that plague endpoints. They are, in fact, higher-value targets — because the consequences of their compromise are far greater. A compromised firewall does not just expose one endpoint. It exposes the entire network it was built to protect.

Act now. Rotate credentials. Enable MFA. Restrict management access. Assume breach.

Elevate your security—get curated threat insights in your inbox.

FortiBleed: Inside the Credential Heist That Exposed 73,000+ Fortinet Firewalls Worldwide | CyberXTron Blog