The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to organizations to strengthen their Fortinet devices that are accessible via the internet. This follows a credential theft campaign, known as FortiBleed, which is estimated to have affected more than 86,000 firewalls and VPNs worldwide.
FortiBleed Campaign Unveiled
The FortiBleed campaign was identified earlier this week, initially flagged by SOCRadar. The security platform first estimated that over 30,000 Fortinet devices had been compromised, but that number has since increased to 86,000. The operation, uncovered in June 2026, has resulted in the assembly of a validated database containing over 86,644 working credentials from 194 countries, all extracted from Fortinet’s online infrastructure.
Attackers have amassed a collection of usernames and passwords, which have been tested using automated tools. Some of these credentials may have been exposed in earlier breaches but remained unchanged and therefore vulnerable.
Collaborative Verification Efforts
Security experts Kevin Beaumont and Hudson Rock have collaborated with some affected entities to validate the authenticity and currency of the compromised logins. Beaumont indicates that about half of all Fortinet firewalls accessible on the internet have been impacted, as per data from Shodan.
Bob Diachenko, another security researcher, attributes the orchestrated campaign to a Russian-speaking threat group. This operation has completely compromised at least four organizations by intercepting SSL VPN authentication, using a powerful 45-GPU cluster managed through Hashtopolis to crack password hashes, and infiltrating internal Active Directory systems.
Widespread Impact and Protective Measures
The scale of this attack is significant, with approximately 1.16 billion credential attempts directed at over 320,000 FortiGate targets and 2.1 billion brute-force attempts targeting more than 160,000 MSSQL servers. Hudson Rock reports that this campaign has impacted thousands of organizations, including vital government agencies and key infrastructure providers.
Cybersecurity firm Huntress also confirmed the widespread nature of the FortiBleed campaign, identifying 845 partner organizations specifically affected by the credential exposure. In response, CISA has advised Fortinet users to take several protective actions. These include ending active sessions, resetting credentials, employing the Password-Based Key Derivation Function 2 (PBKDF2) for storing admin passwords, scrutinizing logs for unusual activities, enabling phishing-resistant multi-factor authentication (MFA), and restricting management access to minimize the potential attack surface.
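One way to approach the log review in the list above, as an added example that is not code from CISA, Fortinet or the researchers cited: the Python below flags sources that fail logins against several distinct accounts, then lists accounts that logged in successfully from the same source afterwards, since those are the first candidates for a credential reset and session termination. The key=value log layout, field names and threshold are assumptions constructed for illustration; the parser has to be adapted to the device's actual log format.

```python
import re
from collections import defaultdict

# Constructed sample: generic key=value auth events, not a real device's log format.
SAMPLE_LOG = """\
time=09:00:01 action=login-fail user=alice srcip=203.0.113.7
time=09:00:02 action=login-fail user=bob srcip=203.0.113.7
time=09:00:03 action=login-fail user=carol srcip=203.0.113.7
time=09:00:04 action=login-ok user=dave srcip=203.0.113.7
time=09:05:10 action=login-fail user=erin srcip=198.51.100.20
time=09:05:30 action=login-ok user=erin srcip=198.51.100.20
time=09:07:00 action=login-ok user=frank srcip=192.0.2.15
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def review_auth_log(log_text, min_failed_accounts=3):
    """Flag sources that fail against many distinct accounts, and list any
    account that logged in successfully from such a source afterwards."""
    failed = defaultdict(set)      # srcip -> accounts with a failed login
    later_ok = defaultdict(list)   # srcip -> accounts that succeeded after the failures
    for line in log_text.splitlines():
        ev = dict(FIELD.findall(line))
        if not ev.keys() >= {"action", "user", "srcip"}:
            continue               # skip malformed or unrelated lines
        src, user = ev["srcip"], ev["user"]
        if ev["action"] == "login-fail":
            failed[src].add(user)
        elif ev["action"] == "login-ok" and len(failed[src]) >= min_failed_accounts:
            later_ok[src].append(user)
    return {
        src: {"failed_accounts": sorted(users),
              "reset_and_end_sessions": later_ok.get(src, [])}
        for src, users in failed.items()
        if len(users) >= min_failed_accounts
    }


if __name__ == "__main__":
    for src, info in review_auth_log(SAMPLE_LOG).items():
        print(src, info)
```

A single user mistyping a password once, like erin in the sample, stays below the default threshold; lowering `min_failed_accounts` widens the net at the cost of more noise.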
The cybersecurity landscape continues to be shaped by large-scale data breaches and credential thefts, highlighting the need for persistent vigilance and advanced security protocols to safeguard organizational assets.
