FortiBleed: Fortinet VPN credentials and firewall configs exposed for 73,000 devices

A large-scale credential leak campaign called FortiBleed has exposed verified administrator credentials for more than 73,000 internet-facing Fortinet FortiGate firewalls. As of mid-June 2026, the stolen dataset is actively circulating in criminal underground communities, including Telegram channels, paste sites, and cybercrime forums. Researchers estimate that roughly 50% of all internet-reachable FortiGate devices worldwide may be affected, spanning 194 countries.

According to Bitsight, the leaked data includes VPN credentials and firewall configuration details from Fortinet and FortiGate deployments around the world. That combination is particularly dangerous: it does not just expose a password, it hands attackers a map of an organization’s internal network architecture alongside the keys to get in.

What makes this incident unusual is that it does not appear tied to a newly disclosed vulnerability. Researchers believe the dataset likely originated from historical compromises involving previously exploited flaws in FortiOS. That means devices that appear fully patched and operational right now may already have credentials in circulation, with no alert visible to defenders unless they are actively hunting for signs of intrusion.

The technical root cause comes down to how FortiOS handles password storage during device upgrades. When a FortiGate device is upgraded from an older version of FortiOS, administrator passwords remain stored as weak SHA-256 hashes until an administrator manually logs in after the upgrade. Attackers behind FortiBleed reportedly built a 45-GPU offline cracking setup to systematically break these hashes at scale, producing validated working credentials for tens of thousands of devices in the process.

Bitsight’s threat intelligence team has confirmed active exploitation tied to the campaign, including at least one threat actor on a Russian cybercrime forum selling access derived from the stolen data. Researchers also identified post-exploitation tools connected to related CVE activity, specifically the tunneling tools Chisel and Neo-reGeorg. Both have appeared before in state-sponsored campaigns targeting Fortinet perimeter devices, including the Volt Typhoon campaign attributed to Chinese state actors. Their presence here suggests the credential pool is being used for both opportunistic criminal access and more targeted intrusion operations.

Here is a quick breakdown of the key technical details:

  • Incident type: Credential exposure and data leak
  • Affected component: Fortinet FortiGate firewalls running FortiOS prior to versions 7.2.11, 7.4.8, and 7.6.1
  • Exposed data: VPN credentials and firewall configuration data
  • Post-exploitation tools observed: Chisel, Neo-reGeorg, EternalBlue
  • Underground activity: Active credential trading across Telegram, paste sites, and criminal forums

FortiGate firewalls sit at the perimeter of enterprise networks, which is exactly why they are such attractive targets. Compromising administrator credentials gives an attacker control over an organization’s entire network boundary. That means the ability to modify firewall rules, intercept VPN traffic, create backdoor accounts, disable logging, and set the stage for ransomware deployment or data theft.

The scale here is what sets FortiBleed apart from a typical credential leak. Roughly half of all internet-facing FortiGate devices could be affected, which means organizations across every sector and geography are exposed right now, whether or not they were deliberately targeted. Credentials are leaking silently from devices that look fine from the outside. That is a serious problem for security teams who rely on perimeter visibility to catch threats early.

Organizations running affected FortiGate devices face a wide range of downstream risks:

  • Unauthorized network access via compromised administrator or SSL VPN credentials
  • Firewall rule changes that create persistent attacker access and allow traffic interception
  • Lateral movement into internal systems using tunneling tools like Chisel and Neo-reGeorg
  • Ransomware deployment, since FortiGate credential theft has been a documented early step in prior campaigns
  • Data exfiltration through attacker-controlled VPN tunnels or forwarding rules
  • Regulatory and compliance exposure from unauthorized access to sensitive systems
  • Third-party and supply chain risk, as a compromised perimeter device can expose downstream vendors and partners

FortiBleed fits a well-established pattern of attackers going after network perimeter devices. The same basic playbook appeared with CVE-2023-27997 (known as XORtigate), the Volt Typhoon campaign, and the 2020 mass exploitation of CVE-2018-13379, which leaked VPN credentials for around 50,000 Fortinet devices. Each of those incidents confirmed that FortiGate appliances are high-value targets precisely because they sit between the public internet and internal networks.

The operational sophistication behind FortiBleed points to a multi-tier threat situation. The credential datasets are reportedly organized by sector and revenue, geographic coverage is broad, and the GPU cracking infrastructure required real investment. Low-level criminal actors are monetizing access where they can, while more sophisticated groups appear to be drawing from the same pool for targeted espionage and intrusion work. Bitsight’s CTI team says it is actively monitoring underground activity and that the campaign is ongoing.

If your organization runs FortiGate devices, the following steps should be treated as urgent:

  • Rotate all credentials: Reset administrator accounts, local user accounts, and SSL VPN credentials across all FortiGate devices now, regardless of whether compromise has been confirmed.
  • Patch to a fixed FortiOS version: Upgrade to FortiOS 7.2.11, 7.4.8, 7.6.1, or later. Note that patching alone does not eliminate legacy SHA-256 password hashes. Administrators must log in after upgrading to trigger migration to PBKDF2-based hashing.
  • Force hash re-authentication: On FortiOS 7.6.x, enable the login-lockout-upon-weaker-encryption setting. On FortiOS 7.2.x and 7.4.x, the equivalent is login-lockout-upon-downgrade. Both eliminate SHA-256 backward compatibility.
  • Restrict management interface access: Block external access to FortiGate management interfaces immediately. Limit access to trusted internal IPs, VPN-only administration paths, or an out-of-band management network.
  • Enforce multi-factor authentication: Enable MFA for all administrative and remote access accounts. It is one of the most effective controls against credential-based attacks.
  • Hunt for indicators of compromise: Review logs for unexpected administrator logins, newly created accounts, altered firewall rules, disabled logging, SSL VPN sessions outside normal hours, access from unusual geographies, and any activity linked to Chisel or Neo-reGeorg tunneling.
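One way to run the hunt in the last step over FortiGate-style event logs, as an added example that is not Bitsight's or Fortinet's tooling: it parses key=value log lines and flags admin logins from outside a trusted subnet or outside business hours, new administrator accounts, firewall policy edits, and disabled logging. The sample log lines, the trusted subnet prefix and the business-hours window are constructed assumptions for this example.

```python
import re
from datetime import datetime, time
# Constructed sample events in FortiGate-style key=value syslog format (not captured device output).
SAMPLE_LOGS = """\
date=2026-06-10 time=10:02:11 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.20.0.5 action="login" status="success"
date=2026-06-11 time=03:14:07 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=198.51.100.77 action="login" status="success"
date=2026-06-11 time=03:16:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" action="Add"
date=2026-06-11 time=03:18:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]" action="Edit"
date=2026-06-11 time=03:19:30 type="event" subtype="system" logdesc="Object attribute configured" user="admin" cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]" action="Edit"
"""

# Assumptions for this example: the subnet admins normally log in from, and local business hours.
TRUSTED_ADMIN_PREFIXES = ("10.20.0.",)
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# key=value pairs; values are bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def findings_for(ev):
    """Apply the hunting heuristics from the remediation list to one parsed event."""
    out = []
    if ev.get("action") == "login" and ev.get("status") == "success":
        src = ev.get("srcip", "")
        when = datetime.strptime(ev["time"], "%H:%M:%S").time()  # device-local time
        if not src.startswith(TRUSTED_ADMIN_PREFIXES):
            out.append(f"admin login from untrusted source {src}")
        if not BUSINESS_HOURS[0] <= when <= BUSINESS_HOURS[1]:
            out.append("admin login outside business hours")
    path = ev.get("cfgpath", "")
    if path == "system.admin" and ev.get("action") == "Add":
        out.append(f"new administrator account created: {ev.get('cfgobj')}")
    if path == "firewall.policy":
        out.append(f"firewall policy {ev.get('cfgobj')} changed: {ev.get('cfgattr')}")
    if path.startswith("log.") and "enable->disable" in ev.get("cfgattr", ""):
        out.append(f"logging disabled via {path}")
    return out

def hunt(log_text):
    """Return (date, time, user, finding) tuples for every suspicious event in the log text."""
    results = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        results.extend((ev["date"], ev["time"], ev.get("user"), f) for f in findings_for(ev))
    return results

if __name__ == "__main__":
    for date, clock, user, finding in hunt(SAMPLE_LOGS):
        print(f"{date} {clock} user={user}: {finding}")
```

Feed it exported FortiGate event logs (or a syslog collector's copy) and tune the trusted prefixes and hours to your environment; the heuristics are a starting point for the review, not a complete indicator set.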

Security teams should also check for exposure to CVE-2022-40684, CVE-2023-27997, and CVE-2024-55591, all of which are connected to related Fortinet exploitation activity. Third-party risk teams should assess vendor and supply chain exposure to affected Fortinet technologies, since a compromised FortiGate at a partner organization can create risks that flow back to your own network.

FortiBleed is a reminder of how quickly a perimeter security product, if misconfigured or left unpatched, can flip from a defensive asset into an attacker’s entry point. With validated credentials still circulating and exploitation activity ongoing, this is not a situation where organizations can afford to wait for more information before acting.