Fortinet has issued a response regarding a large-scale credential-harvesting threat known as the FortiBleed campaign, which is currently impacting its firewalls and VPNs globally. The cybersecurity firm clarified that the campaign does not stem from any newly discovered vulnerabilities in its systems.
Understanding the FortiBleed Campaign
The FortiBleed operation has compiled an extensive database containing over 86,000 verified credentials from Fortinet devices in 194 nations. According to Fortinet, the attack involves reusing credentials from previous breaches and utilizing brute-force methods on systems with weak passwords and lacking multi-factor authentication (MFA).
These previous breaches exploited specific FortiCloud SSO login flaws, namely CVE-2026-24858, patched earlier this year, and CVE-2025-59718 and CVE-2025-59719, addressed last December. Fortinet had provided guidance on these issues and continues to urge customers to follow these remediation steps.
Impact and Guidance for Fortinet Users
In March, Fortinet had highlighted the use of AI by threat actors to automate the identification of targets and execute password spraying attacks against inadequately secured edge devices. The FortiBleed campaign employs similar tactics, yet it is not tied to any new vulnerabilities in Fortinet’s products.
Fortinet has taken action by identifying potentially compromised systems, notifying affected customers, and collaborating with law enforcement for an in-depth investigation. Customers with compromised FortiGate devices are advised to take specific security measures to safeguard their systems.
Recommended Security Measures
To protect against this threat, customers should end active admin and VPN sessions, refresh their credentials, enable MFA for all admin and VPN accounts, and upgrade to the latest software that supports PBKDF2 hashing for securing admin credentials. Additionally, reviewing firewall and VPN configurations for unauthorized changes is crucial.
Monitoring logs for unusual admin access and limiting external management to trusted hosts can further minimize the risk of attack. Implementing these strategies is essential for maintaining the security and integrity of network systems against ongoing threats.
Related topics include the implications of the CryptoBandits malware, which functions as a backdoor while exploiting Tor, and recent vulnerabilities patched in Fortinet and Ivanti products.
