Executive Summary
In June 2026, a large-scale credential theft campaign, dubbed "FortiBleed," targeted Fortinet devices, compromising approximately 75,000 firewalls and VPNs globally. Attackers employed password spraying techniques using curated lists from previous breaches to gain unauthorized access. Once inside, they extracted configuration files and credentials, enabling further exploitation and persistence within affected networks. Notably, major corporations such as Chevron, Samsung, and Toyota were impacted, with some organizations experiencing full network infiltration and data exfiltration.
This incident underscores the escalating threat of credential-based attacks and highlights the critical need for robust security measures. Organizations must prioritize implementing multi-factor authentication, regularly updating credentials, and monitoring for unauthorized access to mitigate such risks.
Why This Matters Now
The FortiBleed campaign exemplifies the increasing sophistication and scale of credential theft attacks, emphasizing the urgency for organizations to strengthen their security postures to prevent unauthorized access and potential data breaches.
Attack Path Analysis
Attackers initiated a large-scale password spraying campaign targeting Fortinet, Sophos, and MSSQL services exposed to the internet. Upon successful access, they extracted device configurations containing stored credentials. These credentials were then cracked offline and added to their password list for future attacks. The attackers established persistent, high-privilege access to compromised devices. They likely exfiltrated sensitive data from these devices. The campaign's impact included unauthorized access to critical systems and potential data breaches.
Kill Chain Progression
Initial Compromise
Description
Attackers conducted massive internet-wide scanning and password spraying against Fortinet, Sophos, and MSSQL services to gain initial access.
Related CVEs
CVE-2025-59718
CVSS 9.8An authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiOS – < 7.0.12, < 7.2.5
Fortinet FortiProxy – < 7.0.12, < 7.2.5
Fortinet FortiSwitchManager – < 7.2.2
Exploit Status:
exploited in the wildCVE-2025-59719
CVSS 9.8An authentication bypass vulnerability in FortiWeb allows unauthenticated remote attackers to gain administrative access via crafted SAML messages.
Affected Products:
Fortinet FortiWeb – < 7.0.7, < 7.2.2
Exploit Status:
exploited in the wildCVE-2026-24858
CVSS 9.8An authentication bypass vulnerability in Fortinet's cloud SSO allows unauthenticated remote attackers to gain administrative access.
Affected Products:
Fortinet FortiAnalyzer – Affected
Fortinet FortiManager – Affected
Fortinet FortiOS – Affected
Fortinet FortiProxy – Affected
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Password Spraying
Valid Accounts
Credentials in Files
OS Credential Dumping
Domain Accounts
Local Accounts
Cloud Accounts
Password Guessing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity and Access Management
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Large-scale credential attacks targeting internet-exposed services pose critical risks to financial infrastructure, requiring enhanced MFA and Zero Trust segmentation for regulatory compliance.
Health Care / Life Sciences
FortiBleed password spraying campaign threatens healthcare networks with patient data exposure, demanding immediate hardening of edge devices and HIPAA compliance controls.
Government Administration
Credential theft operations against government firewall infrastructure create national security risks, necessitating privileged access management and encrypted traffic protection capabilities.
Computer/Network Security
Security vendors face reputational damage from credential compromise campaigns, requiring robust egress filtering and anomaly detection to protect client trust and operations.
Sources
- Threat Brief: Mitigating Large-Scale Credential Attackshttps://unit42.paloaltonetworks.com/large-scale-credential-attacks/Verified
- FortiBleed 2026: 86,644 Fortinet Firewalls Compromised — Active Leakhttps://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/Verified
- Fortinet firewalls hit by huge password-stealing attack - around 75,000 users possibly affectedhttps://www.techradar.com/pro/security/fortinet-firewalls-hit-by-huge-password-stealing-attack-around-75-000-users-possibly-affectedVerified
- Passwords nicked for nearly 74,000 Fortinet deviceshttps://www.itpro.com/security/passwords-nicked-for-nearly-74-000-fortinet-devicesVerified
- Critical vulnerabilities in Fortinet CVE-2025-59718, CVE-2025-59719 exploited in the wildhttps://www.rapid7.com/blog/post/etr-critical-vulnerabilities-in-fortinet-cve-2025-59718-cve-2025-59719-exploited-in-the-wild/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit exposed services may be constrained by enforcing strict access controls and reducing the attack surface.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may be constrained by enforcing strict segmentation and limiting access to sensitive configurations.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally may be constrained by enforcing east-west traffic controls and limiting inter-workload communication.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may be constrained by enforcing strict access controls and monitoring outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data may be constrained by enforcing egress controls and monitoring outbound data transfers.
The overall impact of the attack may be constrained by limiting unauthorized access and reducing the blast radius through strict segmentation and access controls.
Impact at a Glance
Affected Business Functions
- Network Security Operations
- Remote Access Services
- Data Protection
Estimated downtime: 14 days
Estimated loss: $5,000,000
Compromised credentials of approximately 74,000 Fortinet devices, including usernames, emails, and plaintext passwords from major corporations.
Recommended Actions
Key Takeaways & Next Steps
- • Implement multi-factor authentication (MFA) for all remote services to prevent unauthorized access.
- • Adopt Zero Trust Network Access (ZTNA) policies to ensure management interfaces are not exposed directly to the public internet.
- • Regularly change default credentials and enforce complex password policies to mitigate password guessing attacks.
- • Disable unused accounts to reduce the attack surface.
- • Keep software and firmware up to date to protect against known vulnerabilities, including privilege escalation exploits.
