Executive Summary
In June 2026, a significant data breach known as 'FortiBleed' exposed VPN credentials for approximately 73,000 Fortinet devices worldwide. Security researcher Bob Diachenko discovered a server containing valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords. The leaked data encompassed entries from major organizations such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, Toyota, Sinopec, and State Grid. The breach was attributed to a Russian-speaking threat group that conducted extensive credential harvesting campaigns against FortiGate SSL VPN devices, leading to unauthorized access and potential lateral movement within affected networks.
This incident underscores the escalating threat posed by sophisticated cyber actors targeting critical infrastructure through credential harvesting and exploitation of VPN vulnerabilities. Organizations are urged to implement robust security measures, including regular credential rotation, enforcement of multi-factor authentication, and continuous monitoring for unauthorized access attempts, to mitigate the risk of similar breaches.
Why This Matters Now
The FortiBleed incident highlights the urgent need for organizations to secure their VPN infrastructures against increasingly sophisticated credential harvesting attacks, emphasizing the importance of proactive security measures and vigilance in protecting sensitive access credentials.
Attack Path Analysis
Attackers obtained Fortinet VPN credentials for 73,932 devices, enabling unauthorized access. They escalated privileges within compromised networks, moved laterally to internal systems, established command and control channels, exfiltrated sensitive data, and caused significant operational impact.
Kill Chain Progression
Initial Compromise
Description
Attackers obtained valid Fortinet VPN credentials for 73,932 devices, enabling unauthorized access to these networks.
Related CVEs
CVE-2022-42475
CVSS 9.3A heap-based buffer overflow vulnerability in Fortinet's FortiOS SSL-VPN allows unauthenticated remote attackers to execute arbitrary code.
Affected Products:
Fortinet FortiOS – 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier
Exploit Status:
exploited in the wildCVE-2018-13379
CVSS 9.8A path traversal vulnerability in Fortinet's FortiOS SSL-VPN web portal allows unauthenticated attackers to download system files, including passwords.
Affected Products:
Fortinet FortiOS – 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, 5.4.6 to 5.4.12
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Brute Force
Unsecured Credentials
Application Layer Protocol
Remote Services
OS Credential Dumping
Domain Accounts
Local Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Governance
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Critical infrastructure exposed through compromised Fortinet VPN credentials enabling unauthorized access to classified systems and sensitive government data across multiple agencies.
Financial Services
Banking and financial institutions face credential harvesting attacks on VPN infrastructure, risking customer data exposure and regulatory compliance violations under PCI standards.
Telecommunications
Network operators experiencing widespread VPN credential compromise affecting service delivery infrastructure and enabling potential lateral movement across telecommunications backbone systems.
Health Care / Life Sciences
Healthcare providers vulnerable to credential-based attacks on VPN systems protecting patient data, creating HIPAA compliance risks and potential medical record exposure.
Sources
- FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices.https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/Verified
- Malicious Actor Discloses FortiGate SSL-VPN Credentialshttps://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentialsVerified
- Suspected user credentials stolen from FortiNet devices leaked onlinehttps://www.cyber.gov.au/about-us/alerts/suspected-user-credentials-stolen-fortinet-devices-leaked-onlineVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit unauthorized access, constrain lateral movement, and reduce data exfiltration by enforcing strict segmentation and identity-based policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Unauthorized access may be limited by enforcing strict identity-based policies and workload segmentation.
Control: Zero Trust Segmentation
Mitigation: Privilege escalation attempts could be constrained by limiting access to sensitive resources based on strict identity verification.
Control: East-West Traffic Security
Mitigation: Lateral movement may be restricted by segmenting workloads and enforcing east-west traffic controls.
Control: Multicloud Visibility & Control
Mitigation: Command and control channels could be detected and disrupted through enhanced visibility and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts may be mitigated by enforcing strict egress policies and monitoring outbound traffic.
Operational impact may be reduced by limiting the blast radius of attacks through strict segmentation and access controls.
Impact at a Glance
Affected Business Functions
- Network Security Management
- Remote Access Services
- User Authentication Systems
Estimated downtime: N/A
Estimated loss: N/A
Usernames, email addresses, and plaintext passwords for approximately 73,932 Fortinet VPN devices.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict access and limit lateral movement within the network.
- • Enforce Multi-Factor Authentication (MFA) for VPN access to prevent unauthorized entry.
- • Deploy Inline Intrusion Prevention Systems (IPS) to detect and block malicious activities in real-time.
- • Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious behaviors promptly.
