Executive Summary
In June 2026, a significant cybersecurity incident known as 'FortiBleed' was uncovered, exposing nearly 74,000 Fortinet firewall and VPN credentials. Security researcher Volodymyr 'Bob' Diachenko discovered a server containing valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords for 73,932 firewall URLs worldwide. The exposed data also included organizational details such as industry, revenue, and employee count, suggesting the information was compiled to facilitate future attacks. Threat intelligence company Hudson Rock described this as one of the largest known collections of compromised Fortinet credentials, spanning 21,632 unique domains across 194 countries.
The 'FortiBleed' incident underscores the critical importance of securing network devices against credential-based attacks. Organizations are urged to implement robust password policies, enable multifactor authentication, and regularly monitor for unauthorized access to mitigate such threats.
Why This Matters Now
The 'FortiBleed' incident highlights the ongoing risk of credential-based attacks on critical infrastructure. With nearly 74,000 Fortinet devices compromised, organizations must urgently review and strengthen their security measures to prevent unauthorized access and potential data breaches.
Attack Path Analysis
Attackers exploited exposed Fortinet device credentials to gain initial access, escalated privileges by leveraging administrative accounts, moved laterally within networks to access sensitive systems, established command and control channels to maintain persistence, exfiltrated data through encrypted channels, and caused significant operational disruptions.
Kill Chain Progression
Initial Compromise
Description
Attackers used compromised credentials from the FortiBleed leak to access internet-facing Fortinet devices.
Related CVEs
CVE-2022-42475
CVSS 9.3A heap-based buffer overflow vulnerability in Fortinet's FortiOS SSL-VPN allows unauthenticated remote attackers to execute arbitrary code via crafted requests.
Affected Products:
Fortinet FortiOS – 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier
Fortinet FortiProxy – 7.2.0 through 7.2.1, 7.0.7 and earlier
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Brute Force
Credentials from Password Stores
Application Layer Protocol
Remote Services
Network Sniffing
Account Discovery
Indicator Removal on Host
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
CISA alert confirms credential harvesting attacks targeting government Fortinet devices, requiring immediate session termination and password resets across federal infrastructure.
Telecommunications
FortiBleed exposed VPN credentials for major telecom providers including AT&T and Comcast, enabling lateral movement through critical communication infrastructure networks.
Health Care / Life Sciences
Healthcare organizations face HIPAA compliance violations from compromised Fortinet firewalls allowing unauthorized access to protected health information and patient data.
Financial Services
Financial institutions affected by credential exposure face regulatory scrutiny and potential data exfiltration through compromised VPN gateways protecting sensitive financial data.
Sources
- CISA warns Fortinet users to secure devices after FortiBleed leakhttps://www.bleepingcomputer.com/news/security/cisa-warns-fortinet-users-to-secure-devices-after-fortibleed-leak/Verified
- Fortinet firewalls hit by huge password-stealing attack - around 75,000 users possibly affectedhttps://www.techradar.com/pro/security/fortinet-firewalls-hit-by-huge-password-stealing-attack-around-75-000-users-possibly-affectedVerified
- Malicious Actor Discloses FortiGate SSL-VPN Credentialshttps://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentialsVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial access may still occur, the attacker's ability to exploit this access would likely be constrained, reducing the potential for further malicious activity.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing the scope of their access within the network.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally would likely be constrained, reducing their reach to other systems and sensitive data.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, reducing their persistence within the network.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data would likely be constrained, reducing the risk of data loss.
The overall impact of the attack would likely be constrained, reducing operational disruptions and data breaches.
Impact at a Glance
Affected Business Functions
- Network Security Management
- Remote Access Services
- Data Protection
- Compliance Monitoring
Estimated downtime: N/A
Estimated loss: N/A
Compromised credentials for approximately 74,000 Fortinet devices, including usernames, email addresses, and plaintext passwords.
Recommended Actions
Key Takeaways & Next Steps
- • Implement phishing-resistant multifactor authentication (MFA) to prevent unauthorized access.
- • Regularly audit and restrict administrative privileges to minimize potential escalation paths.
- • Deploy network segmentation to limit lateral movement within the network.
- • Monitor and control outbound traffic to detect and prevent unauthorized data exfiltration.
- • Establish comprehensive logging and threat detection mechanisms to identify and respond to suspicious activities promptly.
