Executive Summary
In June 2026, the 'FortiBleed' campaign emerged as a significant cybersecurity threat, compromising over 86,000 Fortinet FortiGate firewalls across 194 countries. Attackers utilized a Golang-based tool, FortigateSniffer, to exploit default credentials and weak password practices, turning these devices into passive credential collectors across 24 authentication protocols. This led to the exposure of approximately 110 million credentials, affecting major corporations and government agencies worldwide.
The incident underscores the critical importance of robust password policies and the implementation of multi-factor authentication (MFA). Organizations are urged to review and enhance their security measures to prevent similar breaches, as reliance on default credentials and inadequate password management continues to be exploited by threat actors.
Why This Matters Now
The FortiBleed campaign highlights the ongoing risks associated with default credentials and weak password practices, emphasizing the urgent need for organizations to implement robust authentication measures and regular security audits to prevent such widespread breaches.
Attack Path Analysis
Attackers scanned the internet for exposed FortiGate firewalls, using credential-stuffing and brute-force attacks to gain access. They deployed a Golang-based sniffer tool to capture authentication traffic, extracting credentials across multiple protocols. Utilizing the stolen credentials, they moved laterally within networks, accessing sensitive systems. The attackers established command and control channels to maintain persistent access. They exfiltrated over 110 million credentials, including RADIUS, NTLM, and Kerberos data. The stolen credentials were used for further attacks, including ransomware and data extortion.
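As an added illustration (not code from the brief or its sources), the detection a defender would run against the initial-access step described above: a script that parses FortiGate-style admin login events and flags a burst of failed logins from one source, plus any successful login that follows such a burst. The sample lines are constructed and the key=value field names are an assumption for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the key=value style of FortiGate admin login event logs.
# Field names and values are illustrative assumptions, not captured data.
SAMPLE_LOGS = """\
date=2026-06-02 time=10:00:01 type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-02 time=10:00:02 type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-02 time=10:00:03 type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-02 time=10:00:04 type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-02 time=10:00:09 type="event" subtype="system" user="admin" srcip=203.0.113.7 action="login" status="success"
date=2026-06-02 time=10:05:00 type="event" subtype="system" user="netops" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2026-06-02 time=10:05:20 type="event" subtype="system" user="netops" srcip=198.51.100.9 action="login" status="success"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {k: (q or b) for k, q, b in KV_RE.findall(line)}

def detect_admin_login_abuse(log_text, window_s=60, threshold=4):
    """Flag a source once it reaches `threshold` failed logins within `window_s`
    seconds, and flag a successful login from a source still inside that burst
    (the signature of a brute-force or credential-stuffing attempt that worked)."""
    failures = defaultdict(deque)   # srcip -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if f.get("action") != "login":
            continue
        ts = datetime.fromisoformat(f["date"] + " " + f["time"])
        src = f["srcip"]
        q = failures[src]
        while q and ts - q[0] > timedelta(seconds=window_s):   # drop stale failures
            q.popleft()
        if f.get("status") == "failed":
            q.append(ts)
            if len(q) == threshold:
                alerts.append(("brute_force", src, f.get("user"), ts.isoformat()))
        elif f.get("status") == "success" and len(q) >= threshold:
            alerts.append(("success_after_burst", src, f.get("user"), ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect_admin_login_abuse(SAMPLE_LOGS):
        print(*alert)
```

The single failure followed by a success from 198.51.100.9 stays below the threshold and is not flagged, which keeps ordinary typos out of the alert stream.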
Kill Chain Progression
Initial Compromise
Description
Attackers scanned the internet for exposed FortiGate firewalls and used credential-stuffing and brute-force attacks to gain access.
MITRE ATT&CK® Techniques
Valid Accounts
Brute Force
Network Sniffing
Unsecured Credentials
Application Layer Protocol
Remote Services
OS Credential Dumping
Masquerading
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Security Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
Critical exposure: the FortiGate firewalls compromised in the credential harvesting campaign are themselves security infrastructure, so their compromise enables lateral movement and bypass of policy enforcement.
Information Technology/IT
Primary target sector for maximizing downstream access, via credential stuffing attacks on administrative interfaces, affecting 430,000 FortiGate deployments globally.
Defense/Space
High-value NATO-aligned defense contractors breached via firewall credential harvesting, exposing classified systems to unauthorized access and potential espionage activities.
Financial Services
Banking systems vulnerable through compromised VPN credentials and authentication protocols including RADIUS and NTLM, enabling unauthorized access to sensitive financial data.
Sources
- FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist: https://www.darkreading.com/cyberattacks-data-breaches/fortibleed-attackers-firewalls-credentials-stealers
- FortiBleed campaign exposes 75,000 Fortinet firewalls worldwide: https://www.networkworld.com/article/4186794/fortibleed-campaign-exposes-75000-fortinet-firewalls-worldwide-2.html
- FortiBleed: What the Fortinet Firewall Credential Campaign Means for SMBs in Canada and the US: https://cyberunit.com/insights/fortibleed-fortinet-firewall-vpn-credential-attack/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have significantly limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit exposed firewalls may have been constrained by enforcing strict access controls and continuous verification at every workload boundary.
Control: Zero Trust Segmentation
Mitigation: The deployment of unauthorized tools may have been restricted by enforcing identity-based policies that limit workload interactions.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been limited by enforcing east-west traffic controls that restrict unauthorized inter-workload communication.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been detected and disrupted by providing comprehensive visibility and control over multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive credentials could have been constrained by enforcing strict egress policies that monitor and control outbound data flows.
The scope of subsequent attacks using stolen credentials could have been reduced by limiting the initial data exfiltration and lateral movement within the network.
Impact at a Glance
Affected Business Functions
- Network Security Management
- Remote Access Services
- User Authentication Systems
Estimated downtime: 7 days
Estimated loss: $500,000
Compromised credentials for approximately 75,000 Fortinet firewall devices, including usernames, email addresses, and plaintext passwords.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic.
- Deploy Inline IPS (Suricata) to detect and prevent intrusion attempts.
- Utilize Threat Detection & Anomaly Response to identify and respond to suspicious activities.
- Ensure Encrypted Traffic (HPE) to protect data in transit from interception.