SOCRadar has disclosed a large-scale credential-harvesting operation dubbed FortiBleed, attributed with moderate confidence to a Russian-speaking initial access broker (IAB) who has compromised over 86,000 verified credentials from internet-facing Fortinet FortiGate firewalls and SSL VPN gateways across 194 countries. The campaign has been running since at least February 2026 and shows no signs of stopping.
What Is FortiBleed?
FortiBleed is not a zero-day or novel software exploit. As Waseem Ahmed at Secure.com told Dark Reading: "There's no zero-day, no exploit, no actual 'bleed.' Despite the name, this isn't a vulnerability but a pile of credentials leaked in earlier Fortinet breaches, fired back at organizations that never bothered to change them."
The name reflects the systematic "bleeding" of credentials from compromised perimeter devices at scale — credential negligence weaponized into an industrial operation.
The Threat Actor
SOCRadar discovered the campaign after researcher Volodymyr "Bob" Diachenko found a misconfigured, publicly exposed attacker server with directory indexing enabled, giving full visibility into the threat actor's toolchain, operator bash histories, victim databases, cron schedules, and automation scripts.
Attribution indicators include:
- Tool comments and operator notes written in Cyrillic
- Heavy victim concentration in NATO member countries
- Defense contractor targeting consistent with Russian geopolitical interests
- Post-exploitation tooling (Chisel, Neo-reGeorg) previously linked to Volt Typhoon state-sponsored campaigns
SOCRadar assessed the actor "may collaborate with Russian state-sponsored groups" or sell access to ransomware operations. Definitive attribution has not been confirmed.
Five-Stage Attack Methodology
Stage 1 — Reconnaissance
Automated scanners (Masscan, Shodan) swept 59.3 million internet hosts targeting Fortinet management interfaces on ports 443, 4443, 8443, and 10443. Approximately 437,000 FortiGate devices were fingerprinted.
Stage 2 — Initial Access
- SSH brute-force using 16 wordlists curated for FortiGate admin naming conventions (admin, fgts*, fort* patterns)
- Credential stuffing with credentials leaked from prior Fortinet incidents
- 1.16 billion credential attempts against 320,000+ FortiGate targets
- 2.1 billion brute-force attempts against 160,000+ MSSQL servers
Stage 3 — FortigateSniffer Deployment
Once admin access is gained, attackers deploy FortigateSniffer — a custom Golang-based tool that abuses FortiOS's legitimate built-in `diagnose sniffer packet` diagnostic command to silently capture authentication traffic traversing the compromised device. The sniffer captures credentials from 24 protocols, including:
- RADIUS, NTLM, Kerberos, LDAP
- SMB, RDP, WinRM
- Microsoft SQL Server, MySQL, PostgreSQL
- SMTP, IMAP, POP3, FTP, Telnet
Stage 4 — Processing Pipeline
- SNIFTRAN reconstructs captured traffic into PCAP files
- Python PCAP Deep Analysis Toolkit extracts cleartext credentials, password hashes, Kerberos tickets, and NTLM authentication material
- Extracted hashes are written out in Hashcat-compatible files; offline cracking runs on a 45-GPU (36 enterprise-class) infrastructure
A critical FortiOS weakness is exploited here: when devices are upgraded from older versions, administrator passwords remain stored as weak SHA-256 hashes until the administrator manually logs in after the upgrade. Fortinet only introduced PBKDF2-based password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1 — existing hashes on upgraded devices do not automatically migrate.
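To show mechanically what "hash migration on login" means, here is an added example that is not FortiOS code and does not use Fortinet's real on-disk encoding; the `sha256$…`/`pbkdf2$…` formats, the iteration count and the account names are assumptions made up for illustration. The store verifies both a legacy single-pass salted SHA-256 hash and a PBKDF2-HMAC-SHA256 hash, upgrades a legacy hash transparently the first time its owner authenticates successfully, and lists the accounts still on the old scheme. The migration can only happen at login because that is the only moment the plaintext exists to be rehashed, which is exactly why the upgrade alone leaves existing hashes weak.

```python
import hashlib
import hmac
import os

# Hypothetical storage formats for this example (not FortiOS's real encoding):
#   legacy:  "sha256$<salt-hex>$<hex of sha256(salt || password)>"   one fast hash pass
#   current: "pbkdf2$<iterations>$<salt-hex>$<derived-key-hex>"        PBKDF2-HMAC-SHA256
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware budget


def hash_legacy(password: str, salt: bytes) -> str:
    """Single-pass salted SHA-256: cheap to verify, and equally cheap to guess at GPU speed."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC evaluations."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either format using a constant-time comparison."""
    parts = stored.split("$")
    if parts[0] == "sha256" and len(parts) == 3:
        candidate = hash_legacy(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2" and len(parts) == 4:
        candidate = hash_pbkdf2(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        raise ValueError("unknown password hash format")
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for legacy hashes and for PBKDF2 hashes below the current work factor."""
    parts = stored.split("$")
    return parts[0] != "pbkdf2" or int(parts[1]) < iterations


def login(store: dict, user: str, password: str) -> bool:
    """Authenticate and, on success only, migrate a legacy hash to PBKDF2.

    The plaintext is available only here, so this is the only point at which an
    upgraded device can replace the old hash; the upgrade by itself cannot."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if needs_rehash(stored):
        store[user] = hash_pbkdf2(password, os.urandom(16))
    return True


def unmigrated_admins(store: dict) -> list:
    """Post-upgrade audit: accounts whose stored hash is still the fast legacy scheme."""
    return sorted(user for user, stored in store.items() if needs_rehash(stored))


def sample_store() -> dict:
    """Constructed account store as it would look right after an upgrade: two legacy hashes."""
    return {
        "admin": hash_legacy("Winter2025!", bytes.fromhex("00112233445566778899aabbccddeeff")),
        "fgt-backup": hash_legacy("backup123", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
        "secops": hash_pbkdf2("correct horse battery staple", bytes.fromhex("0123456789abcdef0123456789abcdef")),
    }


if __name__ == "__main__":
    store = sample_store()
    print("still on legacy hashes:", unmigrated_admins(store))
    login(store, "admin", "Winter2025!")  # first post-upgrade login migrates the hash
    print("after admin logs in:", unmigrated_admins(store))
```

`unmigrated_admins()` is the audit a defender would run after upgrading: any account it still lists carries a fast-to-crack hash, and that exposure only closes once the owner logs in or the password is reset. A failed login must never trigger the rehash, since the plaintext offered was wrong.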
Stage 5 — Lateral Movement and Exfiltration
- Active Directory lateral movement using cracked hashes
- Exfiltration from network shares
- Persistent access maintained via stolen session cookies
- Tunneling via Chisel and Neo-reGeorg
The system is self-sustaining: credentials captured via FortigateSniffer feed back into the scanner to compromise additional devices automatically.
Scale and Impact
| Metric | Value |
|---|---|
| FortiGate devices targeted | 430,000–437,000 |
| Confirmed valid credentials | 86,644 |
| Unique domains affected | 22,405 |
| Credentials captured via sniffer | 110 million+ |
| Active credential-harvesting pipelines | 650+ |
| Countries affected | 194 |
| Campaign infrastructure servers | 260+ |
Top targeted sectors: Telecommunications (5,616 entries), Government (591 entries), Banking, Healthcare, Energy, and Critical Infrastructure.
Key incident: On June 15, 2026, the attackers successfully cracked Kerberos hashes and exfiltrated DFS backup data from a NATO-aligned defense contractor.
CVEs Referenced
FortiBleed has no root-cause CVE — it exploits credential reuse and brute force, not a software vulnerability. However, two FortiClient EMS vulnerabilities were found under active exploitation during the same period:
- CVE-2026-21643 — FortiClient EMS (details under active investigation)
- CVE-2026-35616 — Unauthenticated API authentication bypass in FortiClient EMS 7.4.5 and 7.4.6
Recommended Mitigations
- Rotate all FortiGate admin and SSL VPN credentials immediately — treat any exposed device as fully compromised
- Enable MFA on all remote and administrative access paths
- Remove FortiGate management interfaces from the public internet — restrict to dedicated management networks
- Audit logs for unauthorized logins, new account creation, configuration changes, or disabled logging
- Upgrade to FortiOS 7.2.11, 7.4.8, or 7.6.1 for PBKDF2 password hashing — after upgrading, each administrator must log in once to trigger hash migration
- If any indicators are found, engage IR immediately — passive monitoring is insufficient given the depth of access the toolchain provides
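As an added example that is not from SOCRadar's or Fortinet's tooling, the following script implements the log audit from the mitigation list above against the Stage 2 and Stage 3 behaviours: a burst of failed admin logins, or password spraying across wordlist-style usernames (admin, fgts*, fort*), from one source; a successful login from a source that was just brute-forcing; execution of `diagnose sniffer packet`; creation of a new administrator account; and a logging target being disabled. The sample lines are constructed and modelled on FortiOS's key=value syslog layout; the exact `logdesc` strings, the `cfgpath`/`cfgattr` encodings and the assumption that CLI commands are audited as `Command executed` are assumptions to check against the FortiOS version in use before the rules are deployed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on FortiOS key=value syslog output (assumed field names and
# logdesc/cfgpath/cfgattr values). 203.0.113.10 plays the attacker; 198.51.100.7 is a legitimate
# administrator workstation whose single typo and routine edit must not be flagged.
SAMPLE_LOG = """
date=2026-06-14 time=02:11:05 devname="fgt-edge-01" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.10)" method="ssh" srcip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-06-14 time=02:11:31 devname="fgt-edge-01" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="fgtsadmin" ui="ssh(203.0.113.10)" method="ssh" srcip=203.0.113.10 action="login" status="failed" reason="name_invalid"
date=2026-06-14 time=02:12:02 devname="fgt-edge-01" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="fortiadmin" ui="ssh(203.0.113.10)" method="ssh" srcip=203.0.113.10 action="login" status="failed" reason="name_invalid"
date=2026-06-14 time=02:12:40 devname="fgt-edge-01" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.10)" method="ssh" srcip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-06-14 time=02:13:11 devname="fgt-edge-01" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.10)" method="ssh" srcip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-06-14 time=02:13:40 devname="fgt-edge-01" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="admin" ui="ssh(203.0.113.10)" method="ssh" srcip=203.0.113.10 action="login" status="failed" reason="passwd_invalid"
date=2026-06-14 time=02:14:02 devname="fgt-edge-01" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.10)" method="ssh" srcip=203.0.113.10 action="login" status="success"
date=2026-06-14 time=02:16:30 devname="fgt-edge-01" type="event" subtype="system" level="notice" vd="root" logdesc="Command executed" user="admin" ui="ssh(203.0.113.10)" srcip=203.0.113.10 msg="diagnose sniffer packet any 'port 88 or port 1812' 6"
date=2026-06-14 time=02:18:05 devname="fgt-edge-01" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.10)" srcip=203.0.113.10 action="Add" cfgpath="system.admin" cfgobj="support_tmp" cfgattr="accprofile[super_admin]"
date=2026-06-14 time=02:19:12 devname="fgt-edge-01" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.10)" srcip=203.0.113.10 action="Edit" cfgpath="log.syslogd.setting" cfgobj="log.syslogd.setting" cfgattr="status[enable->disable]"
date=2026-06-14 time=09:15:00 devname="fgt-edge-01" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" user="alice" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-14 time=09:15:20 devname="fgt-edge-01" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="alice" ui="https(198.51.100.7)" method="https" srcip=198.51.100.7 action="login" status="success"
date=2026-06-14 time=09:20:44 devname="fgt-edge-01" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="alice" ui="https(198.51.100.7)" srcip=198.51.100.7 action="Edit" cfgpath="firewall.address" cfgobj="branch-lan" cfgattr="subnet[10.20.0.0 255.255.0.0]"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Username shapes the campaign's wordlists target, per the Stage 2 description.
WORDLIST_STYLE = re.compile(r"^(admin|fgts.*|fort.*)$", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Split one key=value line into a dict, dropping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def event_time(rec: dict) -> datetime:
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def detect(records, fail_threshold=5, spray_threshold=3, window=timedelta(minutes=10)) -> list:
    """Return findings for the FortiBleed-style indicators described in the article."""
    findings = []

    # Rule 1: per-source failed admin logins, either a burst within `window`
    # (sliding window over sorted timestamps) or spraying across distinct usernames.
    failed = defaultdict(list)
    for rec in records:
        if rec.get("logdesc") == "Admin login failed":
            failed[rec.get("srcip")].append(rec)
    flagged = set()
    for ip, recs in failed.items():
        times = sorted(event_time(r) for r in recs)
        users = {r.get("user", "") for r in recs}
        burst = any(times[i + fail_threshold - 1] - times[i] <= window
                    for i in range(len(times) - fail_threshold + 1))
        if burst or len(users) >= spray_threshold:
            flagged.add(ip)
            findings.append({"rule": "admin_brute_force", "srcip": ip, "attempts": len(recs),
                             "users": sorted(users),
                             "wordlist_style_users": sorted(u for u in users if WORDLIST_STYLE.match(u))})

    # Rules 2-5: post-access indicators, in log order.
    for rec in records:
        desc, ip = rec.get("logdesc"), rec.get("srcip")
        if desc == "Admin login successful" and ip in flagged:
            findings.append({"rule": "success_after_brute_force", "srcip": ip, "user": rec.get("user")})
        elif desc == "Command executed" and "diagnose sniffer packet" in rec.get("msg", ""):
            findings.append({"rule": "sniffer_command", "srcip": ip, "user": rec.get("user"), "cmd": rec["msg"]})
        elif desc == "Object attribute configured" and rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            findings.append({"rule": "new_admin_account", "srcip": ip, "account": rec.get("cfgobj")})
        elif desc == "Object attribute configured" and rec.get("cfgpath", "").startswith("log.") and "->disable" in rec.get("cfgattr", ""):
            findings.append({"rule": "logging_disabled", "srcip": ip, "setting": rec.get("cfgpath")})
    return findings


def triage(text: str = SAMPLE_LOG) -> list:
    return detect(parse_log(text))


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run against the constructed log, the script raises five findings, all tied to 203.0.113.10, and nothing for the legitimate workstation. Tune `fail_threshold` and `window` to your own baseline, and treat the `success_after_brute_force`, `sniffer_command` and `logging_disabled` rules as the high-severity ones: each means the device should be handled as compromised rather than merely probed.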
The FortiBleed dataset began circulating in criminal underground forums in mid-June 2026. CISA issued a hardening alert on June 18. Fortinet characterized the campaign on June 22 as credential reuse and brute force — not a product vulnerability.