This is not a new attack. What has changed is how much we can now see.
In mid-June 2026, researchers uncovered an exposed server linked to the threat actors behind what is being called "FortiBleed", a long-running campaign targeting internet-facing Fortinet devices. The server contained a large dataset of verified, working credentials, along with logs and tooling that reveal the scale and maturity of the operation.
The numbers are significant:
- Circa 73,000 devices
- 190+ countries
- 21,000+ organisations
None of it is being driven by a new Fortinet vulnerability. This is a credential problem, not an infrastructure one.
The attack pattern is consistent. Threat actors identify internet-facing Fortinet VPN and management interfaces, test credentials sourced from previous breaches and infostealer activity, validate working logins, and use legitimate access to move into internal environments.
In some cases, attackers appear to have gone further, accessing devices directly and extracting configuration data. That would explain the presence of plaintext credentials and deeper environmental detail within the dataset.
What "affected" actually means
It does not necessarily mean full compromise. It means valid credentials have been confirmed to work against an exposed Fortinet service. The impact from there depends on whether MFA is enforced, what level of access the account holds, and whether the activity is being monitored.
Strong passwords are not enough if those credentials have already been exposed elsewhere. This reinforces something we see repeatedly. If an attacker has valid credentials, they do not need to exploit anything. They log in.
Impact of FortiBleed
The impact of this activity is potentially significant for any organisation operating exposed Fortinet devices.
Successful authentication to these systems provides attackers with direct access to core network entry points. From there, they may be able to monitor traffic, harvest additional credentials, and move laterally into internal systems.
Key risks include:
- Unauthorised access to firewall and VPN infrastructure
- Use of compromised credentials to access internal services
- Lateral movement into Active Directory and other core systems
- Persistence within the network environment
- Potential data access or exfiltration
Where administrative credentials are involved, the risk increases significantly. Attackers may be able to modify firewall configurations, disable controls, create backdoor accounts, or maintain long-term access.
What to do now
For organisations running Fortinet, the immediate priorities are:
VPN and administrative passwords should be treated as compromised until proven otherwise. That is not an overreaction given the scale of what has been exposed. Credential rotation is the single fastest way to invalidate access that attackers may already have confirmed as working.
Credentials alone should not be sufficient to access any internet-facing service. If there are accounts in your environment where MFA is not enforced, those are your highest risk points right now. MFA will not prevent credentials from being stolen, but it significantly raises the bar for those credentials being usable.
Pull your authentication logs and look for anything unusual: unfamiliar IP addresses, access outside normal hours, and successful logins followed by lateral movement. The challenge with credential-based attacks is that they can look like legitimate activity, which is exactly why visibility matters as much as prevention.
Review what is actually exposed to the internet. Management interfaces for Fortinet devices should not be publicly accessible. If they are, restrict or remove that exposure. Reducing your attack surface is one of the few controls that works regardless of what credentials an attacker holds.
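As an added illustration of the log review described above (example code written for this post, not Fortinet tooling), the script below runs the three checks over a handful of constructed FortiGate-style VPN event lines: several users failing from one source IP before a success, logins from a source not on an allow-list, and logins outside working hours. The key=value field names, the allow-list and the working-hours window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed FortiGate-style VPN event lines (key=value syntax); field names
# approximate the real format and are an assumption, not captured logs.
SAMPLE_LOGS = """\
date=2026-06-15 time=03:10:01 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="alice"
date=2026-06-15 time=03:10:03 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
date=2026-06-15 time=03:10:05 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="carol"
date=2026-06-15 time=03:10:09 subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="carol"
date=2026-06-15 time=09:15:30 subtype="vpn" action="tunnel-up" remip=198.51.100.20 user="dave"
""".splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
KNOWN_SOURCES = {"198.51.100.20"}            # assumed allow-list of office/egress IPs
WORK_HOURS = range(7, 20)                    # 07:00-19:59 local time (assumption)

def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_suspicious_logins(lines, min_failures=3):
    """Return (user, ip, reasons) for successful VPN logins that look like
    credential stuffing, come from an unknown source, or fall outside hours."""
    failed_users = defaultdict(set)          # remip -> users with failed logins
    alerts = []
    for ev in map(parse_line, lines):        # lines are assumed time-ordered
        ip, user = ev.get("remip"), ev.get("user")
        if ev.get("action") == "ssl-login-fail":
            failed_users[ip].add(user)
            continue
        if ev.get("action") != "tunnel-up":
            continue
        reasons = []
        if len(failed_users[ip]) >= min_failures:
            reasons.append(f"{len(failed_users[ip])} users failed from {ip} before success")
        if ip not in KNOWN_SOURCES:
            reasons.append(f"unfamiliar source {ip}")
        hour = datetime.strptime(ev["time"], "%H:%M:%S").hour
        if hour not in WORK_HOURS:
            reasons.append(f"login at {ev['time']} outside working hours")
        if reasons:
            alerts.append((user, ip, reasons))
    return alerts

if __name__ == "__main__":
    for user, ip, reasons in find_suspicious_logins(SAMPLE_LOGS):
        print(f"ALERT user={user} ip={ip}: " + "; ".join(reasons))
```

On the sample data only carol's login is flagged, on all three grounds; dave's daytime login from the allow-listed address is not.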
Additional recommendation
It’s also important to be aware of how administrator credentials are stored on Fortinet devices. Recent FortiOS updates introduced stronger password hashing mechanisms, but these changes are only applied when an administrator logs in or updates their password. In practice, this means legacy credentials may still be stored using older, weaker hashing methods unless action is taken.
Organisations should ensure that all administrative users log in following any firmware upgrade to trigger the updated protection. Where this is not practical, passwords should be proactively reset, ideally using a super_admin account, to ensure all credentials are re-hashed using the latest, more secure standard.
Our team in the UK is ready to help you
Give us a call or leave a message. We are looking forward to learning about your cyber security project, network challenges and any other inquiries you would like help with.