How did attackers gain access in the FortiBleed campaign?

Attackers initially gained administrative access through credential stuffing and brute-force attacks, then deployed a custom tool to intercept and extract authentication credentials from network traffic.

What measures can organizations take to protect against similar attacks?

Organizations should implement multi-factor authentication, regularly update credentials, monitor network traffic for unauthorized activities, and ensure firewalls are configured securely to prevent unauthorized access.

FortiBleed Campaign: A Wake-Up Call for Network Security

Discover how the FortiBleed campaign exploited FortiGate firewalls and learn essential strategies to safeguard your network against similar threats.

Published: June 23, 2026

Share this on:

Executive Summary

In June 2026, the FortiBleed campaign targeted over 430,000 Fortinet FortiGate firewalls globally, employing a custom Golang-based tool named 'FortigateSniffer' to intercept and extract authentication credentials from network traffic. Attackers initially gained administrative access through credential stuffing and brute-force attacks, subsequently deploying the sniffer to monitor 24 protocols, including RADIUS, NTLM, Kerberos, and LDAP, thereby harvesting sensitive authentication data.

This incident underscores the escalating sophistication of cyber threats, highlighting the critical need for organizations to implement robust security measures such as multi-factor authentication, regular credential updates, and vigilant monitoring of network traffic to detect unauthorized activities.

Why This Matters Now

The FortiBleed campaign exemplifies the increasing complexity of cyberattacks targeting critical infrastructure, emphasizing the urgency for organizations to enhance their security protocols and remain vigilant against evolving threats.

Attack Path Analysis

Attackers initiated the FortiBleed campaign by exploiting weak or reused credentials to gain unauthorized access to Fortinet FortiGate devices. Once inside, they escalated privileges to deploy a custom sniffer tool, FortigateSniffer, which captured authentication data from network traffic. This allowed them to move laterally within the network, accessing additional systems and services. They established command and control channels to exfiltrate the harvested credentials and other sensitive data. The exfiltrated data was then used to compromise further systems or sold on underground markets. The impact included unauthorized access to sensitive information, potential data breaches, and operational disruptions.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

High

Command & Control

High

Exfiltration

High

Impact

High

Initial Compromise

Description

Attackers exploited weak or reused credentials to gain unauthorized access to Fortinet FortiGate devices.

Confidence:

High

MITRE ATT&CK® Techniques

Initial Access

T1078

Valid Accounts

Credential Access

T1110

Brute Force

Credential Access

T1040

Network Sniffing

Credential Access

T1003

OS Credential Dumping

Credential Access

T1552

Unsecured Credentials

Credential Access

T1111

Two-Factor Authentication Interception

Lateral Movement

T1021

Remote Services

Command and Control

T1071

Application Layer Protocol

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Multi-Factor Authentication

Control ID: 8.2.4

The attack exploited weak authentication mechanisms, highlighting the need for robust multi-factor authentication to protect against unauthorized access.

NYDFS 23 NYCRR 500 – Multi-Factor Authentication

Control ID: 500.12

The incident underscores the importance of implementing multi-factor authentication to prevent unauthorized access to sensitive systems and data.

DORA – ICT Risk Management Framework

Control ID: Article 6

The breach reveals deficiencies in the organization's ICT risk management framework, necessitating enhanced measures to identify and mitigate cyber threats.

CISA ZTMM 2.0 – Implement Strong Authentication Mechanisms

Control ID: Identity and Access Management

The compromise of credentials indicates a need for stronger authentication mechanisms within the organization's identity and access management practices.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident highlights the necessity for comprehensive cybersecurity risk management measures to protect network and information systems from unauthorized access.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

FortiBleed credential harvesting targeting 430,000+ FortiGate devices threatens banking networks through VPN compromise, RADIUS authentication theft, and potential regulatory violations under multiple compliance frameworks.

Health Care / Life Sciences

Healthcare organizations face critical HIPAA compliance violations as FortiGate sniffers capture unencrypted authentication traffic, potentially exposing patient data through compromised VPN credentials and lateral movement.

Government Administration

Government agencies utilizing FortiGate firewalls face severe security breaches through credential stuffing attacks, with NIST compliance violations and potential national security implications from stolen authentication materials.

Information Technology/IT

IT service providers managing FortiGate infrastructure for clients face widespread credential compromise affecting multiple organizations, requiring immediate traffic inspection and zero trust segmentation implementation across all deployments.

Sources

FortiBleed campaign used custom FortiGate sniffer to steal credentialshttps://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/
Verified

FortiBleed: What the Fortinet Firewall Credential Campaign Means for SMBs in Canada and the UShttps://cyberunit.com/insights/fortibleed-fortinet-firewall-vpn-credential-attack/

Verified

CISA Urges Hardening Fortinet Devices After Reports of Credential Exposurehttps://www.defendedge.com/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposure/

Verified

Frequently Asked Questions

The FortiBleed campaign is a large-scale cyberattack identified in June 2026, targeting over 430,000 Fortinet FortiGate firewalls worldwide to harvest authentication credentials using a custom sniffer tool.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to the FortiBleed incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to access critical workloads would likely be limited, reducing the potential for unauthorized entry.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges would likely be constrained, limiting their capacity to deploy malicious tools.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement would likely be restricted, reducing their ability to access additional systems.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing the risk of data exfiltration.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's data exfiltration efforts would likely be limited, reducing the potential for data breaches.

Impact (Mitigations)

The overall impact of the attack would likely be reduced, limiting unauthorized access and operational disruptions.

Impact at a Glance

Affected Business Functions

Network Security Management
Remote Access Services
User Authentication Systems

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Administrator credentials for over 73,000 Fortinet FortiGate firewalls, including usernames, email addresses, and plaintext passwords.

Recommended Actions

• Implement strong, unique passwords and enforce multi-factor authentication (MFA) to prevent unauthorized access.
• Deploy inline intrusion prevention systems (IPS) to detect and block malicious activities in real-time.
• Utilize zero trust segmentation to limit lateral movement within the network.
• Establish comprehensive monitoring and anomaly detection to identify and respond to suspicious activities promptly.
• Regularly update and patch systems to mitigate vulnerabilities and reduce the attack surface.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

FortiBleed Campaign: A Wake-Up Call for Network Security

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Valid Accounts

Brute Force

Network Sniffing

OS Credential Dumping

Unsecured Credentials

Two-Factor Authentication Interception

Remote Services

Application Layer Protocol

Potential Compliance Exposure

PCI DSS 4.0 – Multi-Factor Authentication

NYDFS 23 NYCRR 500 – Multi-Factor Authentication

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Implement Strong Authentication Mechanisms

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Financial Services

Health Care / Life Sciences

Government Administration

Information Technology/IT

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads