FortiBleed: Credential Reuse, Legacy Hashes, and the Risk of Internet-Exposed FortiGate Devices
FortiBleed: Large-scale credential reuse and brute-force attacks target internet-exposed FortiGate devices
Summary
FortiBleed is a June 2026 credential exposure and abuse campaign targeting internet-reachable FortiGate management and SSL-VPN gateways through credential reuse, brute-force, and password-spraying—not a new zero-day vulnerability. Risk is highest for exposed devices lacking MFA, using reused or legacy-hashed credentials, or previously vulnerable to known Fortinet CVEs. Qualys maps eight relevant Fortinet CVEs with detection queries and provides threat-hunting guidance to identify and remediate exposed assets.
Full text
Table of ContentsSummaryWhat HappenedWho should pay attentionWhyIt Matters/ Potential ImpactRecommended ActionsCVEs and Affected ComponentsExploitation Status / Threat ActivityRemediation Long Tail: Why Historical Exposure PersistsHow Qualys Helps You Discover These ExposuresUse Qualys QueryLanguageto PrioritizeFortiBleedExposureDetection and Threat Hunting GuidanceConclusionContributorFrequently Asked Questions (FAQs) Key Takeaways FortiBleed refers to June 2026 public reporting of large-scale credential exposure and abuse targeting internet-reachable FortiGate management and SSL-VPN gateways driven by credential reuse and brute-force, not a single new zero-day. Risk is highest for internet-exposed FortiGate devices without MFA, with reused or legacy-hashed credentials, or prior exposure to known-exploited Fortinet CVEs. A patched device can remain exposed if credentials or configuration material were stolen before remediation, especially where PBKDF2 migration and legacy-hash cleanup are incomplete. Qualys provides direct QID coverage for eight relevant Fortinet CVEs, plus VMDR, ETM, and CSAM QQL queries to identify and prioritize exposed assets. Defenders should inventory internet-reachable services, patch where needed, revoke sessions, rotate exposed credentials, enforce MFA, and hunt for authentication anomalies and configuration changes. Summary FortiBleed is a June 2026 public reporting cluster around large-scale credential exposure and credential abuse targeting internet-reachable FortiGate management and SSL-VPN gateways. Public reporting and Fortinet’s analysis point to credentials reportedly stolen, exposed, or reused from earlier incidents and replayed through brute-force and password-spraying, not a newly disclosed Fortinet vulnerability. Risk centers on internet-reachable FortiGate administrative interfaces and SSL-VPN gateways; this post maps eight Fortinet CVEs with associated Qualys detections, including CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719. Large-scale credential-abuse activity has been publicly reported, and Fortinet confirmed credential reuse, brute-force activity, and prior exploitation of earlier FortiCloud SSO issues. However, the public record does not confirm one campaign-wide zero-day, compromise of every reported record, or a universal exploit chain. Urgency is High for internet-exposed management or SSL-VPN deployments without MFA, with reused credentials, legacy hashes, or historical exposure; it is Medium-to-High for non-public deployments that share credentials, identity integrations, or management paths. A patched device can remain exposed when credentials or configuration material were copied before remediation, particularly where PBKDF2 migration and legacy-hash cleanup remain incomplete. This post maps each in-scope CVE to its Qualys detection (QID) and gives authentication, configuration, and identity threat-hunting guidance, plus VMDR, ETM, and CSAM QQL queries to identify and prioritize exposed assets. What Happened On June 17, 2026, public reporting described attacker infrastructure and large datasets containing Fortinet-related URLs, device records, usernames, and credentials. On June 18, 2026, CISA, the UK NCSC, and other government sources issued hardening and investigation guidance. Fortinet followed on June 19, 2026, assessing the activity as credential reuse from earlier incidents combined with brute-force or password-spraying—not a newly disclosed Fortinet vulnerability. External reporting put the scale anywhere from roughly 30,800 validated records in one subset to about 74,000 records referenced by CISA, ~75,000 devices in independent analysis, ~73,900 unique firewall URLs, and 86,644 records in other reporting. These figures reflect different objects, snapshots, validation claims, and deduplication methods, so they should not be combined or treated as one verified count of compromised devices. Who should pay attention Organizations with any FortiGate or FortiOS deployment(s) with an internet-reachable management interface or SSL-VPN, local administrator or VPN accounts without MFA, reused or legacy-hashed credentials, prior exposure to known-exploited Fortinet CVEs, or AD/LDAP/RADIUS credentials stored in the device configuration should confirm they are not exposed to this campaign. There is no single “FortiBleed version.” Rather, exposure is driven by credential history and reachability, not build number alone, so version checks must be paired with credential, session, and configuration review. Why It Matters/ Potential Impact FortiGate devices sit at the network perimeter and often hold reusable enterprise secrets, so exposure rarely stays local. Large-scale credential-abuse activity against internet-facing Fortinet services has been publicly reported and is supported by vendor, government, and telemetry sources; Fortinet has separately confirmed credential reuse, brute-force activity, and prior exploitation of earlier FortiCloud SSO issues. Where credentials or a configuration were exposed, documented consequences include: Unauthorized admin or SSL-VPN access and persistent local accounts that can survive a patch. (Confirmed as a risk class; per-device outcomes need evidence.) Configuration disclosure or alteration, exposing rules, certificates, and connection material. (Confirmed for the CVE-2026-24858 incident and 2022 config theft; claimed at FortiBleed scale but not quantified.) Exposure of embedded identity credentials — AD/LDAP, RADIUS/TACACS+, API tokens — which Fortinet advises treating as potentially compromised where access is evident, enabling lateral movement into downstream identity systems. (Confirmed as a risk condition; theft must be proven from logs.) Loss of edge-device trust, since a patch alone does not restore trust after confirmed compromise. For the business, this means potential remote-access disruption, security-control tampering, incident-response cost, and regulatory-notification exposure — highest where the appliance is publicly managed, identity-integrated, or shared across units or customers. Recommended Actions Prioritize by exposure and evidence, not build number alone: Inventory internet-reachable management and SSL-VPN services, and reduce public exposure. Patch or migrate to fixed versions — necessary, but not sufficient alone. Revoke sessions and rotate exposed or reused credentials — local admin/VPN, AD/LDAP binds, RADIUS/TACACS+ secrets, API tokens, SNMP strings, and anything reused elsewhere. Enforce MFA on administrative and SSL-VPN access. Complete PBKDF2 migration, clear legacy hashes, and validate configuration integrity. Treat QID and QQL matches below as investigation seeds — “look here first,” not confirmed compromise. Escalate to incident response on evidence of unauthorized access, configuration change, persistence, log tampering, or downstream identity use. CVEs and Affected Components The eight CVEs below — each with an associated Qualys detection (QID) — are assessed against this campaign. The first three are the priority; the rest supply historical credential- and integrity-theft context, not confirmed entry vectors. CVEQIDQVSSWhat it isExploitation & KEVRelevance to FortiBleedCVE-2026-24858 44914 9.5Admin FortiCloudSSO authentication bypass(FortiOS + FortiManager/Analyzer/Proxy/SwitchManager/Web). Cross-account admin access when SSO enabled; documented config download and local-account persistence.Vendor-confirmed exploited. KEV (added 01-27-2026).Campaign-linked — Fortinet cites it as a source of credentials reused in June 2026. Highest-priority lookback. KEV membership is not proof it drove the full dataset.CVE-2025-59718 44862 10FortiCloud SSO SAML authentication bypass (FortiOS, FortiProxy, FortiSwitchManager). Admin auth bypass when the feature is enabled.Vendor-confirmed exploited. KEV (added 12-16-2025).Campaign-linked — explicitly cited as a reused-credential source. Prioritize SSO config review + session/credential revocat
Indicators of Compromise
- cve — CVE-2026-24858
- cve — CVE-2025-59718
- cve — CVE-2025-59719