Date: June 2026
Severity: Critical
Affected Technologies: Fortinet FortiGate Firewalls, Fortinet VPN Gateways, FortiOS SSL-VPN
On June 19, 2026, Fortinet publicly addressed a malicious campaign, “FortiBleed”, targeting Fortinet devices. The campaign impacted organizations across government, manufacturing, financial services, healthcare, large multinational enterprises and multiple critical infrastructure sectors. The campaign was attributed to Russian threat actors by the security researcher Volodymyr Diachenko (“Bob”), who was the first to identify and publicly disclose the activity on June 13, 2026.
He reported a breached dataset that contains valid administrative and SSL VPN credentials and covers more than 73,900 compromised FortiGate firewall URLs spanning more than 21,300 domains across 194 countries. The threat intelligence organization Hudson Rock validated the dataset, and security researcher Kevin Beaumont affirmed that the credentials are legitimate.
The exposed dataset reportedly includes usernames, email addresses, plaintext passwords, VPN credentials, and administrative access credentials. Security researchers further observed that a significant portion of the credentials originated from previous compromises and credential leaks, indicating that many organizations had not rotated passwords after earlier incidents.
Organizations should assume that exposed credentials may have already been abused for unauthorized access, lateral movement, privilege escalation, data exfiltration, or the creation of persistent backdoor accounts. Any successful login using compromised administrative credentials should be treated as a potential full-device compromise until proven otherwise.
If your organization runs Fortinet devices, take the following actions:
- Use Hudson Rock’s lookup tool to check whether your organization is impacted. Note, however, that we are unable to verify the authenticity of the data available on this site.
- Reset all FortiGate admin and SSL VPN credentials immediately.
- Configure all your Fortinet devices with long, strong and unique alphanumeric passwords.
- Enforce multi-factor authentication on all administrator and VPN user accounts, whether they are used for offline or remote access.
- Review logs for unusual login attempts, admin sessions, new account creation or configuration changes, if any.
- Perform a proper audit of all your FortiGate devices, if necessary.
- Upgrade to the latest versions of 7.4, 7.6, or 8.0, which support a better credential hashing technique.
- Restrict access to management portals to the local network, and deny access from the internet if possible.
- Review and remove unused administrator accounts, inactive VPN users, and any accounts that cannot be attributed to your authorized personnel.
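
As an added illustration of the log-review step above (not Fortinet's tooling and not part of the original advisory), this Python script triages exported event lines for admin logins from outside the management network, new administrator accounts, and configuration changes made from untrusted sources. The key=value field names (`ui`, `action`, `status`, `cfgpath`, `cfgobj`), the management subnet and the sample lines are assumptions constructed for the example; confirm the field names against your own device's log export.

```python
import ipaddress
import re

# Assumption: networks from which admin logins are expected.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample lines in FortiOS-style key=value form (not real logs).
SAMPLE_LOG = '''\
date=2026-06-14 time=02:11:09 type="event" subtype="system" user="admin" ui="https(10.10.0.15)" action="login" status="success"
date=2026-06-14 time=03:40:51 type="event" subtype="system" user="admin" ui="https(203.0.113.77)" action="login" status="failed"
date=2026-06-14 time=03:41:02 type="event" subtype="system" user="admin" ui="https(203.0.113.77)" action="login" status="success"
date=2026-06-14 time=03:44:30 type="event" subtype="system" user="admin" ui="https(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="svc-backup"
date=2026-06-14 time=09:02:17 type="event" subtype="system" user="netops" ui="ssh(10.10.0.22)" action="Edit" cfgpath="firewall.policy" cfgobj="12"
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may hold spaces."""
    return {k: q or bare for k, q, bare in FIELD_RE.findall(line)}

def source_ip(event):
    """Client address from ui="https(1.2.3.4)"; None for console or bad values."""
    m = re.search(r'\(([^)]+)\)', event.get("ui", ""))
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def review(log_text, mgmt_nets=MGMT_NETS):
    """Return (timestamp, finding) tuples for events an analyst should check."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse_line(line)
        ip = source_ip(ev)
        outside = ip is not None and not any(ip in n for n in mgmt_nets)
        when = f'{ev.get("date")} {ev.get("time")}'
        who = f'{ev.get("user")} from {ip}'
        action = ev.get("action", "").lower()
        if action == "login" and ev.get("status") == "success" and outside:
            findings.append((when, f"admin login from outside management networks: {who}"))
        elif action == "add" and ev.get("cfgpath") == "system.admin":
            findings.append((when, f"new administrator account {ev.get('cfgobj')!r} by {who}"))
        elif "cfgpath" in ev and outside:
            findings.append((when, f"config change to {ev['cfgpath']} by {who}"))
    return findings

if __name__ == "__main__":
    for when, finding in review(SAMPLE_LOG):
        print(when, finding)
```

Each finding is a lead for the audit step, not a verdict: correlate the source address and account with your change records before treating the session as authorized.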
Organizations are encouraged to prioritize remediation activities immediately (within 24 hours), as the scale of the FortiBleed campaign and the validity of the exposed credentials significantly increase the risk of unauthorized access to enterprise and critical infrastructure networks.
References:
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices
- https://www.linkedin.com/feed/update/urn:li:activity:7471222472193830913/
- https://medium.com/doublepulsar/fortibleed-75k-fortinet-firewalls-have-admin-passwords-cracked-60299faa65f8
- https://www.hudsonrock.com/fortinet


