CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices

Summary

CISA has issued a warning to Fortinet customers regarding the FortiBleed campaign, which has compromised over 86,000 FortiGate devices. The campaign, attributed to Russian-speaking threat actors, leverages a combination of default credentials, previously breached accounts, and brute-force attacks to gain access. Impacted sectors include telecom, government, and education, with a significant number of exposures in India, the U.S., Mexico, Colombia, and Thailand.

Full text

CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices Ravie LakshmananJun 19, 2026Threat Intelligence / Firewall Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed. The number of compromised devices stands at 86,644 as of June 19, 2026. According to data from SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials. Organization-specific accounts account for 36.7% of the remaining breached credentials. "This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed," SOCRadar said. "Org-specific accounts topping the list is significant. It means the attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed." Telecom, government, and education have emerged as the top three impacted sectors, with the most exposures located in India, the U.S., Mexico, Colombia, and Thailand. The threat actor is said to have mass-scanned the internet for Fortinet remote login endpoints, and then employed a bespoke tool to spray those identified endpoints with known login and password combinations in an attempt to break into them. The fully-automated attack is built around a self-sustaining, two-step approach - The threat actor attempts a curated list of leaked Fortinet passwords against devices across the internet. Once access is obtained, they passively monitor network traffic going through the devices to collect additional credentials, which are then used to compromise more appliances. The credentials are legitimate and valid, with the attackers verifying each of them before they are added to a database of confirmed, working logins. "The scale of this breach touches nearly every sector of the global economy, sparing no industry," Hudson Rock said. "The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet." The U.K. National Cyber Security Centre (NCSC) has described FortiBleed as a global campaign targeting internet-facing Fortinet firewalls and VPN gateways using methods like brute-force, dictionary attack, and credential stuffing. It's suspected that the threat actors likely exploited older credential hashing mechanisms and the way credentials have historically been stored within FortiGate configuration files to pull off the large-scale attack. "Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism," Arctic Wolf said. "However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade." "As a result, many organizations likely continue to store administrator credentials using older SHA-256 with Salt hashing mechanisms." In a statement shared with The Hacker News, a Fortinet spokesperson said "the data involved is likely a resharing of data from previous incidents, as well as brute-forcing of credentials, and not related to any current incident or advisory," urging organizations to follow best practices, including regularly rotating security credentials and enabling multi-factor authentication (MFA). CISA has outlined the following recommendations to defend against the activity - Terminate all active SSL VPN and administrative sessions, reset all Fortinet VPN and administrative passwords, especially on internet-facing systems, and enforce strong password policies. Ensure use of the Password-Based Key Derivation Function 2 (PBKDF2) algorithm to store administrator credentials and remove weaker legacy hashes. Review firewall, VPN, authentication, and domain controller logs for signs of suspicious actions, including unauthorized configuration changes. Enable phishing-resistant MFA on all external gateways and administrative interfaces. Reduce the attack surface and lock down management. The FortiBleed incident first came to light last week after security researcher Volodymyr "Bob" Diachenko discovered a server containing the database of working login credentials for thousands of firewalls and VPN gateways across 194 countries. Per SOCRadar, the server also staged the attacker's tools and automation scripts. The findings once again demonstrate how credential reuse and poor password hygiene can be weaponized by malicious actors, not to mention that perimeter security appliances remain a lucrative target for gaining initial access to enterprise environments. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  CISA, Credential stuffing, Firewall Security, Fortigate, Fortinet, password security, Threat Intelligence, VPN Security ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

• malware — FortiBleed

Entities