Executive Summary
In June 2026, a Russian-speaking initial access broker initiated 'FortiBleed,' a large-scale credential-harvesting operation targeting over 430,000 FortiGate firewalls globally. The campaign involved deploying custom sniffers on compromised devices to capture cleartext and hashed credentials, which were then used to infiltrate Active Directory domains and other services.
This incident underscores the critical need for organizations to secure their network devices, as attackers increasingly exploit firewall vulnerabilities to gain unauthorized access. The widespread impact of FortiBleed highlights the importance of regular security assessments and prompt patch management.
Why This Matters Now
The FortiBleed campaign demonstrates a significant shift in cyberattack strategies, with threat actors leveraging firewall vulnerabilities to harvest credentials at scale. Organizations must prioritize securing their network infrastructure to prevent similar breaches.
Attack Path Analysis
The FortiBleed campaign began with attackers scanning the internet for exposed FortiGate firewalls and using brute-force techniques to gain access. Once inside, they deployed a custom sniffer tool to capture authentication credentials from network traffic. These credentials were then used to move laterally within networks, targeting Active Directory domains and other services. The attackers established command and control by maintaining persistent access through compromised credentials. They exfiltrated over 110 million credentials, including RADIUS, NTLM, and Kerberos hashes. The impact was widespread, affecting organizations across 194 countries and compromising sensitive data.
Kill Chain Progression
Initial Compromise
Description
Attackers performed widespread reconnaissance to identify exposed FortiGate firewalls and used brute-force attacks to gain administrative access.
Related CVEs
CVE-2025-59718
CVSS 9.8An authentication bypass vulnerability in Fortinet's FortiGate devices allows unauthenticated attackers to perform administrative operations via crafted SAML messages.
Affected Products:
Fortinet FortiGate – Affected versions prior to patch
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8A critical authentication bypass vulnerability in Fortinet's FortiGate devices enables unauthenticated attackers to gain administrative access through manipulated SAML messages.
Affected Products:
Fortinet FortiGate – Affected versions prior to patch
Exploit Status:
exploited in the wildCVE-2026-24858
CVSS 9.8A zero-day vulnerability in Fortinet's FortiGate devices allows attackers to log in using separate accounts, leading to unauthorized access.
Affected Products:
Fortinet FortiGate – Affected versions prior to patch
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Brute Force
Valid Accounts
Network Sniffing
Unsecured Credentials: Credentials in Files
Application Layer Protocol: Web Protocols
Remote Services: Remote Desktop Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Password Security
Control ID: 8.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Zero Trust Architecture
Control ID: Identity and Access Management
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
FortiBleed's credential harvesting of 430,000 FortiGate firewalls threatens financial institutions' critical infrastructure, requiring enhanced egress security and zero trust segmentation compliance.
Health Care / Life Sciences
Healthcare networks face severe HIPAA compliance violations from FortiBleed's brute-force attacks on firewall credentials, demanding immediate east-west traffic security implementations.
Government Administration
Government agencies critically exposed to FortiBleed's Russian-speaking IAB operations targeting firewall infrastructure, necessitating multicloud visibility and threat detection capabilities enhancement.
Information Technology/IT
IT sector infrastructure directly targeted by FortiBleed's systematic credential harvesting campaign, requiring comprehensive inline IPS and cloud native security fabric deployments.
Sources
- FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operationhttps://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.htmlVerified
- Fortinet patches FortiGate Firewall vulnerabilities that allowed hackers to steal enterprise credentialshttps://www.techradar.com/pro/security/fortinet-patches-fortigate-firewall-vulnerabilities-that-allowed-hackers-to-steal-enterprise-credentialsVerified
- Critical FortiGate SSO Vulnerability Actively Exploited in the Wildhttps://cyberpress.org/fortigate-sso-vulnerability/Verified
- FortiBleed Attackers Turn Firewalls Into Credential Stealershttps://www.darkreading.com/cyberattacks-data-breaches/fortibleed-attackers-firewalls-credentials-stealersVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to the FortiBleed incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit exposed firewalls may have been constrained, reducing the likelihood of unauthorized administrative access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to deploy tools for credential harvesting may have been limited, reducing the risk of privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network may have been constrained, reducing the risk of widespread internal access.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent control over systems may have been limited, reducing the risk of prolonged unauthorized access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate large volumes of sensitive data may have been constrained, reducing the risk of data loss.
The overall impact of the attack may have been reduced, limiting the scope of data compromise and subsequent risks to customer environments.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- User Authentication Services
- Remote Access VPN
Estimated downtime: 14 days
Estimated loss: $5,000,000
Compromised credentials of approximately 75,000 Fortinet firewall users, including major corporations.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Multi-Factor Authentication (MFA) for all administrative access to prevent unauthorized access.
- • Deploy Zero Trust Segmentation to limit lateral movement within the network.
- • Utilize Encrypted Traffic (HPE) to protect data in transit and prevent credential interception.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Regularly audit and update access controls and credentials to minimize the risk of credential-based attacks.
