FortiBleed : 75 000 compromised firewalls

  • Writer: Loïc Castel
  • Jun 18
  • 2 min read

Key takeaways

In mid-June 2026, researchers disclosed a database of valid admin and VPN credentials for roughly 75,000 Fortinet firewalls (FortiGate / SSL-VPN), spread across 194 countries. Despite its name, FortiBleed is not a new Heartbleed-style vulnerability: it's an industrial-scale credential theft and recycling campaign. The root cause isn't technical — it's a failure of password hygiene.


If you run FortiGate devices exposed to the internet, assume you are potentially affected.

What makes this notable is the presence of major names among the valid accounts: Spotify, Foxconn, Samsung, Lenovo, Accenture, and more.


How it works

The mechanism is a self-feeding loop:

  • Attackers scan the internet for exposed FortiGate devices.

  • They test already-stolen credentials (past Fortinet leaks + infostealer logs) against each device.

  • Every successful login is logged, and the device then serves as a listening post to harvest fresh credentials.

  • Those new credentials feed the scanner again.



The key point: password complexity made no difference. A 20-character password captured in cleartext by an infostealer on an employee's workstation is simply replayed as-is. On older FortiOS versions, the admin hashes (SHA-256) were also cracked offline on a GPU cluster.



Should I be worried?

Fortinet describes this as a re-sharing of data from past incidents plus brute-forcing, which would mean low risk for those following best practices. Several researchers (including Kevin Beaumont) argue the opposite — that the data is recent and largely new, with elements that could only come from exfiltrated configurations.


The exact extraction vector remains unknown to date.

Among the organizations appearing in the dataset, telecoms, the public sector, large industrial groups, and IT services rank at the top. Your organization's presence in the list means attackers have working credentials — not necessarily a confirmed intrusion.


What you should do

Right away (within 24 hours):

  • Check your exposure (free Hudson Rock and SOCRadar portals — Safercy also has a list).

  • Change all admin and VPN credentials.

  • Remove FortiGate admin interfaces from the internet.

  • Enable MFA everywhere — it's the only control that breaks the replay of stolen credentials.


Shortly after (post-remediation):

  • Update FortiOS (≥ 7.2.11 / 7.4.8 / 7.6.1) and force every admin to reconnect to re-hash passwords.

  • Rotate the service credentials present in configs (LDAP, RADIUS, pre-shared keys).

  • Hunt for persistence: unexpected admin accounts, overly permissive firewall rules, logins from unusual geographies.
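A minimal hunt over FortiGate event logs for the last bullet's indicators: newly added admin accounts, and successful admin logins from sources outside the networks your admins normally use (a prefix allowlist stands in here for a GeoIP "unusual geography" check). This is an added example, not code from the original post or from Safercy; the log lines are constructed, and the key=value field names (logdesc, srcip, action, cfgpath, cfgobj) are assumed to follow FortiOS event-log conventions.

```python
import ipaddress
import re

# Constructed sample FortiOS event-log lines (key=value format); not real data.
SAMPLE_LOGS = """\
date=2026-06-17 time=08:12:41 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" srcip=10.20.0.15 action="login" status="success" profile="super_admin"
date=2026-06-17 time=23:47:03 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" srcip=203.0.113.77 action="login" status="success" profile="super_admin"
date=2026-06-17 time=23:49:55 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2026-06-18 time=09:01:10 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" srcip=198.51.100.9 action="login" status="failed"
"""

# Assumption: the networks your admins normally connect from. Replace with yours;
# a GeoIP lookup could replace this prefix check to flag unusual countries instead.
KNOWN_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_line(line):
    """Turn one key=value log line into a dict; quoted values are unquoted."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}


def hunt_fortigate_events(log_text, known_nets=KNOWN_ADMIN_NETS):
    """Flag admin logins from outside known networks and newly added admin accounts."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_fortios_line(raw)
        if not ev:
            continue
        when = f'{ev.get("date")} {ev.get("time")}'
        # Successful admin login whose source is not in any known admin network.
        if ev.get("logdesc") == "Admin login successful" and ev.get("status") == "success":
            src = ipaddress.ip_address(ev["srcip"])
            if not any(src in net for net in known_nets):
                findings.append({"kind": "admin_login_unknown_source", "user": ev["user"],
                                 "srcip": ev["srcip"], "when": when})
        # Configuration change that adds an entry under system.admin (a new admin account).
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append({"kind": "admin_account_added", "user": ev["user"],
                             "account": ev.get("cfgobj"), "when": when})
    return findings


if __name__ == "__main__":
    for finding in hunt_fortigate_events(SAMPLE_LOGS):
        print(finding)
```

Feed it the exported event log (or a syslog extract) and review every finding against your change tickets; a login from an unknown source followed minutes later by a new admin account is the pattern worth escalating.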


How Safercy can help

Using Fortinet firewalls and want to know where you stand? Contact us for a quick review.

