Security firm SOCRadar has published analysis revealing that the large-scale FortiBleed campaign targeting Fortinet FortiGate devices employed custom-built packet sniffers to systematically harvest authentication credentials from compromised firewalls. The sophisticated tooling allowed threat actors to silently intercept and exfiltrate authentication secrets at scale across thousands of affected devices.
Campaign Background
FortiBleed emerged as one of the most significant campaigns targeting Fortinet infrastructure, exploiting vulnerabilities in FortiGate devices to gain unauthorized access to enterprise firewalls. While initial reporting focused on the exploitation vector, the latest SOCRadar analysis reveals the full post-compromise toolchain used to maximize credential theft from breached devices.
Custom Sniffer Tooling
Rather than relying on generic credential dumping tools, the FortiBleed operators developed custom sniffers specifically engineered for the FortiGate environment. These tools were designed to:
- Intercept authentication traffic passing through the firewall at the packet level
- Parse FortiOS-specific session formats to extract credentials from administrative sessions, VPN authentications, and management plane communications
- Operate stealthily within the FortiGate operating environment to avoid detection by standard endpoint security controls
- Exfiltrate harvested credentials through covert channels that blend with normal firewall traffic patterns
The specialization of the sniffer code suggests the threat actors had significant prior knowledge of FortiGate internals — either through prior research, insider access to documentation, or extended access to test devices.
Scale of the Operation
The FortiBleed campaign affected a substantial number of FortiGate devices globally. By deploying credential sniffers on already-compromised devices, attackers could:
- Harvest credentials for downstream networks connected through VPN tunnels
- Collect administrative credentials for connected infrastructure managed through the FortiGate
- Build lateral movement pathways into enterprise environments far beyond the initial compromise
This approach effectively turns each compromised FortiGate into a credential harvesting relay, amplifying the impact of the initial exploitation far beyond the firewall itself.
Fortinet's Response
Fortinet has released patches addressing the underlying vulnerabilities exploited by FortiBleed and has published indicators of compromise (IOCs) to assist organizations in determining whether their devices were part of the campaign. Organizations should reference Fortinet's PSIRT advisories for the full list of affected firmware versions.
Recommended Actions
Organizations running FortiGate devices should take the following steps:
- Apply all pending FortiOS patches — prioritize devices directly accessible from the internet
- Rotate all credentials that may have passed through FortiGate management interfaces, VPN endpoints, or policies during the potential compromise window
- Audit FortiGate logs for indicators of the custom sniffer tooling — look for unexpected processes or unusual filesystem activity
- Review VPN session logs for anomalous authentication patterns
- Check downstream systems for signs of lateral movement using credentials that may have been harvested
- Implement network segmentation to limit the blast radius of firewall-level compromises
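As an added illustration of the "review VPN session logs for anomalous authentication patterns" step (example code, not from SOCRadar, Fortinet or the original article), the script below parses FortiOS-style key=value event logs and flags successful VPN logins during a suspected compromise window that come from source IPs the account never used before it, which is one pattern harvested credentials produce when reused. The log lines are constructed for the example, and the field names assume FortiOS conventions (`subtype`, `action`, `user`, `remip`).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample FortiOS-style VPN event logs (key=value format).
# Field names follow FortiOS conventions; all values are invented.
SAMPLE_LOGS = """\
date=2024-03-01 time=08:02:11 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=203.0.113.10
date=2024-03-02 time=08:05:40 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=203.0.113.10
date=2024-03-03 time=09:11:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" remip=198.51.100.7
date=2024-03-20 time=02:14:55 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=192.0.2.44
date=2024-03-20 time=02:16:03 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" remip=192.0.2.45
date=2024-03-21 time=08:03:19 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" remip=198.51.100.7
"""

# key=value pairs; values may be double-quoted (with spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS key=value log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def find_anomalous_vpn_logins(log_text, window_start):
    """Return successful VPN logins at or after window_start whose source IP
    was never used by that account before the window (credential reuse hint)."""
    baseline = defaultdict(set)  # user -> source IPs seen before the window
    in_window = []               # (user, remip, timestamp) during the window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "tunnel-up":
            continue  # only successful tunnel establishment events matter here
        ts = datetime.fromisoformat(f'{rec["date"]} {rec["time"]}')
        if ts < window_start:
            baseline[rec["user"]].add(rec["remip"])
        else:
            in_window.append((rec["user"], rec["remip"], ts))
    return [
        {"user": user, "remip": ip, "time": ts.isoformat(sep=" "),
         "reason": "source IP not in pre-window baseline for this account"}
        for user, ip, ts in in_window
        if ip not in baseline[user]
    ]


if __name__ == "__main__":
    # Assumed compromise window start; replace with the date from the advisory.
    for finding in find_anomalous_vpn_logins(SAMPLE_LOGS, datetime(2024, 3, 15)):
        print(finding)
```

Accounts that appear only inside the window have an empty baseline, so every login is flagged; review those manually rather than treating them as confirmed misuse.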
Implications for Network Security
FortiBleed's use of custom sniffers at the firewall layer is particularly dangerous because network perimeter devices are typically trusted anchors — other security controls rarely monitor the firewall itself. When a firewall is compromised, it can become the most privileged vantage point in a network, with visibility into all traffic passing through it.
This campaign underscores the need to treat network appliances as part of the monitored attack surface, rather than only as monitoring infrastructure. Organizations should deploy out-of-band management for critical network appliances and implement integrity monitoring to detect unauthorized modifications to firewall operating systems.