The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to users of Fortinet’s FortiGate devices, urging them to enhance their security measures against an active threat campaign. This advisory comes in response to the discovery of a large-scale cyberattack named FortiBleed, which has compromised 86,644 devices as of June 19, 2026.
The FortiBleed Campaign: An Overview
Attributed to a group of Russian-speaking hackers, FortiBleed has primarily targeted Fortinet systems through internet-exposed devices. Data from SOCRadar indicates that a significant portion of the compromised credentials belong to generic admin accounts (35%) and built-in Fortinet system accounts (28.3%), with organization-specific credentials accounting for the remaining 36.7%. The prevalence of generic and built-in accounts suggests a widespread failure to change default settings, which handed attackers easy targets.
These compromised credentials highlight the importance of changing default account names and regularly rotating passwords. A notable proportion of affected accounts were organization-specific, which implies that attackers have not only targeted default credentials but have also exploited accounts created by the institutions themselves, possibly from past breaches where credentials were not updated.
Targeted Industries and Attack Methodology
The most affected sectors include telecommunications, government, and education, with significant impacts observed in countries such as India, the United States, Mexico, Colombia, and Thailand. The attackers are known to have conducted mass scans for Fortinet remote login endpoints, using a custom-built tool to attempt entry with known password combinations.
This sophisticated attack is automated and follows a two-step method. Initially, attackers try a list of leaked Fortinet passwords on devices globally. If access is gained, they then quietly observe network traffic to gather more credentials, further extending their reach by compromising additional devices.
Preventive Measures and Recommendations
In light of this breach, the U.K. National Cyber Security Centre (NCSC) has classified FortiBleed as a worldwide campaign against Fortinet firewalls and VPN gateways, employing tactics such as brute-force and credential stuffing. It is suspected that the attackers exploited older credential hashing methods used in FortiGate configurations.
Fortinet has recently updated its systems to use PBKDF2-based password hashing, replacing the older SHA-256 mechanism. However, passwords set under the older scheme remain stored that way until they are reset, so many systems still hold outdated credential hashes and remain exposed. Fortinet advises organizations to adhere to best practices, including regular password rotation and enabling multi-factor authentication.
To counteract these threats, CISA has provided several recommendations: terminate active SSL VPN and administrative sessions, reset passwords on internet-facing systems, enforce robust password policies, and utilize the PBKDF2 algorithm for storing credentials. Monitoring logs for unauthorized activity and enabling phishing-resistant multi-factor authentication are also crucial steps.
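As an added illustration, not Fortinet's or CISA's code, the following Python contrasts a legacy unsalted SHA-256 credential record with a salted PBKDF2-HMAC-SHA256 record and shows how an operator can rehash a legacy credential on the user's next successful login; the iteration count, record layout and sample password are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Added example, not Fortinet code: a legacy unsalted SHA-256 record beside a
# salted PBKDF2-HMAC-SHA256 record, plus "rehash on successful login" migration.
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP-class work factor, not Fortinet's value

def legacy_hash(password):
    """Legacy style: one fast, unsalted SHA-256 over the password."""
    return hashlib.sha256(password.encode()).hexdigest()

def pbkdf2_record(password, salt=None):
    """Stronger record: random per-account salt and a deliberately slow derivation."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": dk.hex()}

def verify_pbkdf2(password, rec):
    """Recompute with the stored salt/iterations; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(rec["salt"]), rec["iter"])
    return hmac.compare_digest(dk.hex(), rec["hash"])

def login_and_migrate(password, rec):
    """Verify against either record type; a legacy success returns an upgraded record."""
    if rec.get("alg") == "pbkdf2-sha256":
        return verify_pbkdf2(password, rec), rec
    ok = hmac.compare_digest(legacy_hash(password), rec["hash"])
    return ok, (pbkdf2_record(password) if ok else rec)

def guesses_per_second(fn, n):
    """Rough offline guess rate someone holding the stored hashes could achieve."""
    start = time.perf_counter()
    for _ in range(n):
        fn("Welcome1!")  # constructed sample password
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    shared = "Welcome1!"  # constructed: two devices whose admins chose the same password
    print("legacy hashes match across devices:", legacy_hash(shared) == legacy_hash(shared))
    a, b = pbkdf2_record(shared), pbkdf2_record(shared)
    print("pbkdf2 hashes match across devices:", a["hash"] == b["hash"])  # per-account salt
    ok, upgraded = login_and_migrate(shared, {"alg": "sha256", "hash": legacy_hash(shared)})
    print("legacy login ok:", ok, "-> record now", upgraded["alg"])
    print(f"guesses/s legacy: {guesses_per_second(legacy_hash, 2000):,.0f}  "
          f"pbkdf2: {guesses_per_second(pbkdf2_record, 3):,.1f}")
```

The unsalted legacy hash is identical wherever the same password was chosen, so one leaked configuration confirms the password on every other device using it; the salted, slow PBKDF2 record removes that cross-device matching and cuts the offline guess rate by orders of magnitude.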
This incident was initially uncovered by security researcher Volodymyr Diachenko, who found a server containing thousands of login credentials for firewalls and VPNs across 194 countries. The server also hosted the attackers’ tools and scripts, illustrating the potential for credential reuse and poor password hygiene to be exploited by cybercriminals.
The FortiBleed attack underscores the critical need for rigorous cybersecurity measures and highlights the ongoing risk perimeter devices pose as entry points for attackers.
