A large-scale credential harvesting operation dubbed FortiBleed has been targeting FortiGate firewalls at industrial scale since at least February 2026, according to threat intelligence reporting. The campaign is attributed to a Russian-speaking initial access broker (IAB) motivated primarily by financial gain — selling harvested credentials to ransomware operators and other threat actors through underground forums.
Scale of the Operation
The numbers are staggering:
- 430,000+ FortiGate devices targeted globally
- 110 million+ credentials harvested
- Active since February 2026 and still ongoing at time of reporting
- Credentials sold on Russian-language criminal markets
FortiGate firewalls are widely deployed by enterprises, government agencies, and managed service providers as perimeter security appliances — making them high-value targets for initial access brokers who can resell VPN credentials directly into corporate networks.
How FortiBleed Works
The campaign exploits a combination of known vulnerabilities in FortiOS — Fortinet's operating system for FortiGate devices — and weak or default credentials on unpatched or misconfigured deployments. The attack chain follows a predictable pattern:
Phase 1: Mass Scanning
Automated scanners identify internet-facing FortiGate devices using:
- Shodan/Censys enumeration of FortiGate login pages
- Banner grabbing to identify firmware versions
- Targeted probing for known vulnerable versions
Phase 2: Exploitation or Credential Stuffing
Depending on the target's patch level, the IAB uses:
- Authentication bypass vulnerabilities (e.g., previously disclosed FortiOS SSL-VPN flaws)
- Credential stuffing against default admin accounts
- Password spraying using leaked enterprise credential datasets
Phase 3: Credential Extraction and Packaging
Harvested credentials are:
- Organized by organization type (enterprise, government, MSP)
- Verified for validity
- Packaged as "accesses" and listed for sale
The Threat Actor Profile
Researchers assess the actor behind FortiBleed as:
- Russian-speaking, based on forum activity, operational security, and communication style
- Financially motivated — a pure IAB with no known nation-state affiliation
- Highly automated — the scale of 430,000+ targets suggests significant automation infrastructure
- Established in the cybercriminal ecosystem, with a history of selling corporate network accesses
IABs like this one serve as the supply chain for ransomware operations — groups like LockBit, BlackSuit, and Fog ransomware routinely purchase FortiGate VPN credentials to launch their intrusions.
Why FortiGate is a Prime Target
FortiGate firewalls have been repeatedly targeted in high-profile campaigns over the past several years:
| Year | Campaign | CVE(s) |
|---|---|---|
| 2022–2023 | Mass SSL-VPN exploitation | CVE-2022-40684, CVE-2023-27997 |
| 2024 | Volt Typhoon pre-positioning | Multiple |
| 2025 | Scattered Spider campaigns | CVE-2024-21762 |
| 2026 | FortiBleed | Multiple |
The combination of widespread enterprise deployment and slow patching cycles makes FortiGate a consistent target. Many organizations run FortiGate appliances for years without major firmware updates, leaving them vulnerable to a growing backlog of disclosed CVEs.
Impact Assessment
For Affected Organizations
Organizations whose FortiGate credentials appear in the FortiBleed dataset face:
- Ransomware deployment — IAB-sold access is frequently purchased by ransomware affiliates
- Data exfiltration — Attackers with VPN access can pivot to internal systems
- Business email compromise — Internal network access enables LDAP/AD reconnaissance
- Supply chain risk — MSPs with compromised FortiGate devices expose downstream clients
Credential Resale Value
FortiGate VPN accesses typically sell for $200–$5,000 per access on criminal forums, depending on the size and nature of the organization. At 110 million credentials, even a small fraction of valid, unsold accesses represents significant criminal revenue.
Detection and Response
Check for Exposure
Organizations should immediately:
- Audit FortiGate firmware versions — Run the latest FortiOS release
- Review VPN session logs for anomalous geographic or time-of-day logins
- Check HaveIBeenPwned and threat intel feeds for your domain in FortiBleed dumps
- Enable multi-factor authentication on FortiGate SSL-VPN — a harvested password alone is then not enough to log in
Immediate Hardening Steps
```
# Force password change for all admin accounts
# In FortiGate CLI:
config system admin
    edit admin
        set password <new-strong-password>
    next
end
# Enable MFA for SSL-VPN users. In FortiOS, two-factor authentication is
# configured on each local user account (config user local), not under
# config vpn ssl settings; repeat for every VPN user.
config user local
    edit <vpn-user>
        set two-factor fortitoken
        set fortitoken <fortitoken-serial>
    next
end
```
Log Review
Look for:
- Login attempts from Eastern European IP ranges (particularly *.ru and *.by ASNs)
- Successful VPN authentications at unusual hours
- Multiple failed logins followed by a single success (credential stuffing pattern)
- New admin account creation following a successful login
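The two log patterns above (a burst of failures followed by one success, and successful logins at unusual hours) can be checked mechanically. The script below is an added example, not part of the original article or any Fortinet tooling; it assumes a FortiOS-style key=value event log (fields `date`, `time`, `action`, `user`, `remip`) and runs over constructed sample lines embedded inline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a FortiOS-style key=value event format (an assumption
# of this example, not log data from the article). Addresses are documentation ranges.
SAMPLE_LOGS = """\
date=2026-03-02 time=02:41:05 subtype="vpn" action="ssl-login-fail" user="jdoe" remip=198.51.100.7
date=2026-03-02 time=02:41:09 subtype="vpn" action="ssl-login-fail" user="jdoe" remip=198.51.100.7
date=2026-03-02 time=02:41:14 subtype="vpn" action="ssl-login-fail" user="jdoe" remip=198.51.100.7
date=2026-03-02 time=02:41:21 subtype="vpn" action="tunnel-up" user="jdoe" remip=198.51.100.7
date=2026-03-02 time=09:15:00 subtype="vpn" action="tunnel-up" user="asmith" remip=192.0.2.10
date=2026-03-02 time=03:02:30 subtype="vpn" action="ssl-login-fail" user="bob" remip=203.0.113.9
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime as 'ts'."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields

def find_stuffing_successes(lines, min_failures=3, window=timedelta(minutes=10)):
    """Flag a success preceded by >= min_failures failures for the same user and
    source IP inside `window`: the many-failures-then-one-success stuffing pattern."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        key = (ev.get("user"), ev.get("remip"))
        if ev["action"] == "ssl-login-fail":
            failures[key].append(ev["ts"])
        elif ev["action"] == "tunnel-up":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"user": key[0], "remip": key[1],
                               "failures": len(recent), "success_at": ev["ts"]})
            failures[key].clear()  # a success ends the current burst
    return alerts

def off_hours_logins(lines, start_hour=7, end_hour=19):
    """Return successful logins whose hour falls outside the given business window."""
    return [ev for ev in (parse_line(l) for l in lines if l.strip())
            if ev["action"] == "tunnel-up" and not (start_hour <= ev["ts"].hour < end_hour)]
```

Feed it real exported logs one line at a time; tune `min_failures` and `window` to your own baseline, since legitimate users also mistype passwords.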
Recommendations
| Priority | Action |
|---|---|
| Critical | Patch FortiOS to latest stable release immediately |
| Critical | Enable MFA on all VPN and admin interfaces |
| High | Rotate all FortiGate admin and VPN credentials |
| High | Review VPN access logs for the past 120 days |
| Medium | Implement geo-blocking on VPN login |
| Medium | Subscribe to threat intel feeds monitoring FortiGate dumps |
Sources
- The Hacker News — FortiBleed Campaign Analysis
- Fortinet Product Security Incident Response Team (PSIRT)