SecureWorld News

Why the FortiBleed Campaign Is So Much Worse than a Standard Leak

Written by Cam Sivesind | Thu | Jun 25, 2026 | 12:14 PM Z

For months, the cybersecurity community has been tracking a sweeping, automated offensive targeting edge infrastructure. What began as an apparent wave of internet-wide scanning has solidified into one of the most significant security events of the year: FortiBleed.

A massive dataset containing verified administrative and SSL VPN credentials for more than 73,000 internet-facing Fortinet FortiGate firewalls across 194 countries has been leaked and circulated within criminal underground forums.

When news of the leak first broke, many chalked it up to a routine automated credential-stuffing pass. But as technical deep dives from Fortinet, SOCRadar, CloudSEK, Palo Alto Networks (Unit 42), and Prodaft have emerged, a chilling consensus has formed: as one industry analysis noted, "the incident is so much worse than a simple credentials leak."

Here is a breakdown of how the FortiBleed campaign was actually executed, what makes its underlying mechanics so dangerous, and how defense teams must respond.

The sheer scale of the FortiBleed dataset—affecting critical infrastructure, government agencies, and multinational corporations—stems from a highly sophisticated combination of massive brute-forcing and a deep understanding of a legacy quirk in how FortiOS edge devices store credentials.

According to threat intelligence findings, a Russian-speaking threat group systematically executed a multi-layered campaign.

  • Mass volume probing: The actors launched roughly 1.16 billion credential attempts targeting over 320,000 FortiGate systems, concurrently running over 2 billion attempts against Microsoft SQL Server (MSSQL) environments.

  • Exploiting legacy hashes: Rather than relying entirely on live, noisy brute-forcing that triggers modern endpoint protection, the attackers targeted a specific, backward-compatible behavior within FortiOS credential management. When older versions of FortiOS are upgraded to newer releases, administrative passwords often remain stored as weaker legacy SHA-256 hashes until an administrator manually logs back in to trigger a migration to robust PBKDF2 hashing.

  • High-power offline cracking: By exporting configuration files and intercepting SSL VPN authentication hashes, the actors shifted the heavy lifting entirely offline. Operating a massive 45-GPU cracking cluster managed through Hashtopolis, they systematically broke these weak legacy hashes at scale without generating a single alert on the live production networks.

Fortinet provided its own analysis of the situation, saying, "This is not a new Fortinet vulnerability, and this activity is not related to any recent incident or advisory. Upon identifying the incident, we immediately began an investigation, including collaborating with relevant government agencies."

The company added:

"Fortinet has identified the potentially compromised systems, and we are proactively contacting impacted customers. To defend against this malicious cyber activity, Fortinet recommends that customers with impacted FortiGate appliances immediately:

  1. Terminate all admin and VPN sessions and reset credentials. Terminate all active administrative sessions. Reset all Fortinet VPN and administrative passwords, especially on internet-facing systems, and enforce strong password policies.

  2. Implement MFA on all administrator and VPN user accounts.

  3. Upgrade to the latest versions of 7.4, 7.6, or 8.0. These versions support PBKDF2 hashing of administrator credentials. Follow the guidance to remove older legacy password settings via set login-lockout-upon-weaker-encryption.

  4. Validate configuration. Review firewall and VPN users and other configuration for unauthorized changes. Preferably compare to a known good configuration. Pay particular attention to the addition of unrecognized accounts, such as "forticloud, fortiuser, fortinet-support, fortinet-tech-support," etc.

  5. Check your logs. Look for unexpected administrator access from an unknown IP and domain controller logs for lateral movement, unusual access, suspicious accounts, or unauthorized configuration changes.

  6. Reduce your attack surface and lock down management access. Restrict external management of your devices via trusted hosts (good), a local-in policy (better), or remove internet administration altogether (best)."
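As an added illustration of steps 4, 5 and 6 above (and of the hardening playbook later in the article), here is a small Python audit written for this article, not Fortinet's own tooling: it diffs the admin accounts of a current FortiGate config export against a known-good backup, flags the account names the advisory calls out, checks which admins lack any trusthost restriction, and scans login events for successful admin logins from outside the trusted management ranges. The config excerpts and log lines are constructed; the key=value log layout and the `ui="https(<ip>)"` field are assumptions about the export format and should be checked against a real device's output.

```python
import ipaddress
import re
# Account names Fortinet's guidance (step 4) lists as unrecognized additions to watch for.
SUSPECT_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}

def parse_admins(config_text):
    """Map each admin name to its 'set ...' lines inside 'config system admin'."""
    admins, name, inside = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("edit "):
            name = line[5:].strip('"')
            admins[name] = set()
        elif inside and name and line.startswith("set "):
            admins[name].add(line)
    return admins

def audit_config(known_good, current):
    """Step 4: diff admin accounts against a known-good backup."""
    good, now = parse_admins(known_good), parse_admins(current)
    added = set(now) - set(good)
    return {
        "added": added,
        "suspicious": added & SUSPECT_NAMES,
        "changed": {n for n in now if n in good and now[n] != good[n]},
        # Step 6: an admin without any trusthost entry is reachable from any source address.
        "no_trusthost": {n for n, s in now.items() if not any(l.startswith("set trusthost") for l in s)},
    }

def audit_logins(log_lines, trusted_cidrs):
    """Step 5: successful admin logins whose source IP falls outside the trusted ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_lines:
        kv = dict(re.findall(r'(\w+)="?([^"\s]+)"?', line))
        m = re.search(r"\((\d+(?:\.\d+){3})\)", kv.get("ui", ""))  # source IP inside ui="https(...)"
        if kv.get("action") == "login" and kv.get("status") == "success" and m \
                and not any(ipaddress.ip_address(m.group(1)) in n for n in nets):
            hits.append((kv.get("user", "?"), m.group(1)))
    return hits

# Constructed samples (not real device output); the layout mimics FortiOS CLI and key=value logs.
GOOD = 'config system admin\n edit "admin"\n  set trusthost1 10.0.0.0 255.255.255.0\n next\nend'
NOW = GOOD.replace("\nend", '\n edit "fortinet-support"\n  set accprofile "super_admin"\n next\nend')
LOGS = ['user="admin" ui="https(10.0.0.7)" action="login" status="success"',
        'user="fortinet-support" ui="https(203.0.113.9)" action="login" status="success"']
```

Running `audit_config(GOOD, NOW)` flags the added `fortinet-support` account (which also has no trusthost), and `audit_logins(LOGS, ["10.0.0.0/24"])` surfaces its login from 203.0.113.9.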

Why FortiBleed is significantly more dangerous

What elevates FortiBleed from a localized headache to a systemic threat is the tactical utility of the stolen data and what the attackers did after gaining initial entry.

As detailed by Prodaft and exposed in open-directory infrastructure captured by CloudSEK, once the threat actors verified working credentials, they didn't immediately drop disruptive ransomware. Instead, they automated the process of turning the compromised firewalls into traffic collection sites. The compromised edge devices were silently used to sniff passing corporate traffic, harvest additional downstream credentials, and build highly detailed maps of internal Active Directory environments.

Firewalls and VPN gateways are the gatekeepers of corporate perimeters. When an attacker logs in with valid, high-level administrative credentials, standard internal behavioral alerts rarely trigger. The attackers essentially became the "insider," using legitimate network commands to exfiltrate documents—such as classified technical blueprints stolen from a targeted NATO defense contractor—while leaving no obvious footprint of an external exploit.

In their PSIRT review of the credential compromise dataset, Fortinet clarified that the campaign does not stem from a newly discovered zero-day software exploit. Instead, the incident represents a massive execution of credential abuse amplified by exposed management interfaces and stale legacy credential hashes left behind across firmware upgrades. Fortinet emphasizes that patching the OS code alone is insufficient if the underlying legacy administrative credentials are not forced to be re-hashed under the stronger scheme.

If your organization utilizes internet-facing Fortinet infrastructure, treating this incident as a simple "patch event" leaves you exposed. Security teams should execute the following hardening playbook immediately:

  • Execute a comprehensive password rotation: Force an immediate reset of all local administrator accounts, user profiles, and SSL VPN credentials across the entire fleet.

  • Purge legacy hashes: Upgrading to a fixed FortiOS version (such as 7.2.11, 7.4.8, or 7.6.1) must be paired with an active administrative login to migrate the credential base. Furthermore, explicitly enable the configuration setting login-lockout-upon-downgrade (or login-lockout-upon-weaker-encryption on 7.6.x) to block backward-compatible legacy hash exploitation.

  • Shield the management interface: Completely remove management interfaces from the public-facing internet. Limit administrative access strictly to dedicated out-of-band networks or restricted internal IP zones.

  • Enforce MFA everywhere: Mandate multi-factor authentication with number matching for all administrative and remote access pathways. MFA remains the single most effective control to neutralize stolen plaintext credentials.

  • Initiate downstream threat hunting: Because the offline cracking methodology means your local firewalls won't show historical brute-force logs, do not assume a clean log equals safety. Audit internal networks for unexpected lateral movement, unauthorized Active Directory modifications, or unusual outbound traffic originating directly from your edge devices.

SOCRadar said in a blog: "The FortiBleed operation is built around full automation. The operation runs in two self-reinforcing stages. Stage one is credential reuse: attackers assembled usernames and passwords from earlier Fortinet-related breach dumps and infostealer malware logs, then tested them automatically against internet-facing FortiGate devices around the clock. Stage two is passive harvesting: once inside a device, it is used as a listening post—SSL VPN traffic passing through is monitored and additional credentials are collected. Those credentials feed back into the scanner, compounding the breach. The system is entirely self-sustaining."

CloudSEK concluded in its executive summary: "The exposed directory leaves no doubt that FortiBleed is a real and capable operation. The toolchain works end to end: scanning located exposed FortiGate interfaces, hashes were cracked on a ~45-GPU Hashtopolis cluster, and validated credentials were used to pivot into networks and enumerate Active Directory, all feeding a revenue-sorted catalogue built to sell access. Any organization running an exposed FortiOS management interface should treat its perimeter credentials as compromised and act on the mitigations above."