CISA Warns: FortiBleed Campaign Hits 86,644 FortiGate Devices Globally
CISA has issued an urgent advisory urging Fortinet customers to secure their FortiGate appliances against an ongoing malicious campaign dubbed FortiBleed, which had already compromised 86,644 internet-exposed devices as of June 19, 2026. The threat actors, believed to be Russian-speaking, employed a fully automated, two-step attack chain: first, they mass-scanned the internet for Fortinet remote login endpoints and sprayed them with curated lists of leaked passwords; then they passively monitored network traffic through successfully breached appliances to harvest additional valid credentials for further compromise. According to SOCRadar and Hudson Rock, generic admin accounts make up 35% of compromised credentials, built-in Fortinet system accounts 28.3%, and organization-specific accounts 36.7%. That distribution points to a widespread failure to rename default accounts and rotate factory credentials, and many of the organization-specific passwords were likely sourced from prior breaches. Telecom, government, and education are the most impacted sectors, with the highest concentrations of exposed devices in India, the U.S., Mexico, Colombia, and Thailand.
The U.K. National Cyber Security Centre (NCSC) has confirmed that the campaign leverages brute-force, dictionary attack, and credential stuffing techniques targeting internet-facing Fortinet firewalls and VPN gateways. Investigators suspect the actors exploited older credential hashing mechanisms and the way passwords have historically been stored within FortiGate configuration files. Fortinet only introduced PBKDF2-based password hashing for administrator credentials in FortiOS versions 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage, so appliances running older firmware remain particularly vulnerable. Hudson Rock noted that the threat actors have built a verified database of working credentials spanning some of the largest enterprises on the planet, with each credential confirmed before being added to their growing repository.
Security teams running FortiGate appliances should immediately verify their firmware version, audit all local and admin accounts, rotate any credentials that may have been reused or exposed in prior incidents, and review network traffic logs for signs of passive credential interception. Administrators can validate whether employee credentials have appeared in known breaches using an email breach checker, enforce strong unique passwords across all accounts with a password checker, and audit internet-exposed services with a port scanner to identify any unintended Fortinet management interfaces. Given the scale of FortiBleed and its self-propagating credential harvesting model, organizations should also enable multi-factor authentication on all FortiGate admin accounts and restrict management access to trusted IPs wherever possible.
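As an added example (not code from CISA, Fortinet, or the advisory), the following Python script performs two of the checks recommended above: it classifies a FortiOS version string against the 7.2.11 / 7.4.8 / 7.6.1 PBKDF2 thresholds, and it flags source IPs that repeatedly fail admin logins across several accounts in FortiGate-style key=value event logs. The log lines are constructed for the example and the field names (`action`, `status`, `user`, `srcip`) are an approximation of FortiGate's syslog format, not captured output.

```python
import re
from collections import Counter, defaultdict

# Earliest release on each FortiOS branch that stores admin passwords with
# PBKDF2 (per the advisory); anything older on that branch uses legacy hashing.
PBKDF2_MIN = {(7, 2): (7, 2, 11), (7, 4): (7, 4, 8), (7, 6): (7, 6, 1)}

def parse_version(text):
    """'v7.4.3' or '7.4.3' -> (7, 4, 3)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())

def uses_pbkdf2(version):
    """True if this firmware hashes admin passwords with PBKDF2, False if it
    uses the legacy scheme, None for branches the advisory does not list."""
    v = parse_version(version)
    branch = v[:2]
    if branch in PBKDF2_MIN:
        return v >= PBKDF2_MIN[branch]
    if branch < (7, 2):
        return False   # every pre-7.2 branch predates the change
    return None        # newer branch: not covered here, confirm with the vendor

# FortiGate event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def spray_sources(lines, threshold=5):
    """Return {srcip: (failed-login count, sorted usernames tried)} for sources
    with at least `threshold` failed admin logins; one-off typos are ignored."""
    fails, users = Counter(), defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") == "login" and ev.get("status") == "failed":
            fails[ev["srcip"]] += 1
            users[ev["srcip"]].add(ev.get("user", "?"))
    return {ip: (n, sorted(users[ip])) for ip, n in fails.items() if n >= threshold}

# Constructed sample log lines (field names approximated, addresses from the
# documentation ranges): one spraying host cycling through generic accounts,
# and one legitimate admin who mistypes a password once and then succeeds.
SAMPLE_LOGS = [
    f'date=2026-06-18 time=02:1{i}:00 type="event" subtype="system" action="login" '
    f'status="failed" user="{u}" srcip=203.0.113.7 ui="https(203.0.113.7)"'
    for i, u in enumerate(["admin", "admin", "maintainer", "fortinet", "backup", "root"])
] + [
    'date=2026-06-18 time=09:00:00 type="event" subtype="system" action="login" '
    'status="failed" user="jdoe" srcip=198.51.100.4 ui="https(198.51.100.4)"',
    'date=2026-06-18 time=09:00:30 type="event" subtype="system" action="login" '
    'status="success" user="jdoe" srcip=198.51.100.4 ui="https(198.51.100.4)"',
]
```

Run `spray_sources(SAMPLE_LOGS)` to see the spraying host reported with the list of generic and built-in account names it tried; feed real exported event logs to the same function to triage an appliance.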