FortiBleed Credential Attack Targets Fortinet Firewalls


A large scale credential harvesting campaign known as FortiBleed has exposed Fortinet firewall and SSL VPN credentials across thousands of organizations worldwide.

The campaign targets Fortinet FortiGate firewalls and VPN gateways, which are commonly used to protect enterprise networks, manage remote access, and control traffic between trusted and untrusted environments.

For defenders, this is a major perimeter security warning.

Firewalls and VPN gateways are not just network appliances. They are trust gateways into corporate infrastructure.

If attackers obtain valid credentials for these systems, they may not need to exploit a new vulnerability. They can attempt to log in through legitimate access paths, establish VPN sessions, modify firewall settings, create persistence, or move deeper into internal networks.

FortiBleed shows how exposed perimeter devices, credential theft, weak authentication, reused passwords, and delayed rotation can combine into a serious enterprise compromise path.

What Happened:

Security researchers reported a large credential harvesting campaign targeting internet accessible Fortinet devices.

The campaign has been referred to as FortiBleed.

CISA warned that malicious cyber actors have targeted Fortinet devices across government and private sector organizations using compromised credentials.

The exposed credential data is associated with approximately 74,000 Fortinet devices, including firewalls and SSL VPN gateways.

Earlier reporting described credential exposure affecting tens of thousands of Fortinet firewall URLs across many countries.

Newer SOCRadar research reported that the FortiBleed operation used custom sniffers on compromised FortiGate devices to harvest authentication secrets.

The campaign reportedly targeted hundreds of thousands of FortiGate firewalls and has been active since at least February 2026.

Fortinet stated that its analysis suggests the data is most likely a resharing of data from previous incidents combined with brute forcing of credentials, rather than evidence of a new Fortinet breach, and that no current product advisory is associated with it.

Even so, the operational risk remains urgent for any organization with exposed Fortinet credentials.

Why This Issue Is Critical:

This issue is critical because Fortinet firewalls and VPN gateways often sit at the edge of enterprise networks.

They protect remote access.

They enforce network policy.

They may connect branch offices, cloud environments, administrators, third parties, and employees.

If attackers obtain valid FortiGate administrative or SSL VPN credentials, they may gain a direct route into the organization.

This is especially dangerous because credential based access can look legitimate.

An attacker using valid credentials may not trigger the same alerts as a failed exploit attempt.

Once inside, attackers may perform reconnaissance, access internal systems, steal credentials, modify firewall configuration, create new accounts, disable controls, or prepare ransomware deployment.

Perimeter credential compromise should be treated as a potential network intrusion, not only a password issue.

How FortiBleed Credential Harvesting Works:

The FortiBleed campaign appears to involve several credential harvesting methods.

Researchers have described brute force activity against exposed Fortinet interfaces.

Other reporting described the use of stolen or previously exposed credentials.

SOCRadar also reported that attackers used custom FortiGate sniffers on compromised devices to harvest authentication secrets.

This means the campaign may involve both credential reuse and active collection from compromised infrastructure.

In practical terms, attackers are trying to collect working credentials for Fortinet VPN and firewall environments at scale.

Once working credentials are confirmed, they can be used directly, sold, traded, or included in enriched databases for future targeting.

That makes FortiBleed dangerous even for organizations that do not see immediate suspicious activity.

A credential stolen today can be used later if it is not rotated or revoked.

How the Attack Chain Could Work:

A realistic attack path may begin with attackers scanning the internet for Fortinet FortiGate firewalls and SSL VPN gateways.

The attackers attempt credential based access through brute forcing, password reuse, leaked credential testing, or previously stolen secrets.

If a device is compromised, custom sniffing tools may be deployed to capture authentication material.

Working credentials are stored in a database for later use.

The attacker authenticates to the firewall or SSL VPN gateway.

The attacker establishes remote access or reviews administrative settings.

Internal network reconnaissance begins.

The attacker may attempt to access Active Directory, internal applications, file shares, cloud connectors, or management systems.

Persistence may be created through new accounts, configuration changes, VPN access rules, or hidden administrative access.

The attacker may then stage data theft, lateral movement, ransomware, or long term espionage.

This attack chain shows why edge device credentials require immediate action when exposure is suspected.

Why This Incident Matters for Cybersecurity:

This incident reinforces a major cybersecurity reality.

Attackers do not always need a new zero day to compromise enterprise networks.

Valid credentials are often enough.

FortiBleed demonstrates how perimeter access can be weakened when internet facing devices rely on passwords that are reused, stale, exposed, weak, or harvested from prior incidents.

It also shows the danger of compromised edge infrastructure.

A firewall or VPN gateway can become a credential collection point if attackers gain enough control to monitor authentication flows.

Organizations often focus on patching edge devices, which remains essential.

However, patching alone does not remove the risk if valid credentials are already exposed.

Credential rotation, session termination, MFA enforcement, log review, and compromise hunting are all necessary.

Common Risks Highlighted:

This FortiBleed campaign highlights several common enterprise weaknesses.

Many organizations expose VPN and firewall interfaces directly to the internet.

Administrative interfaces may be reachable from too many locations.

SSL VPN access may rely heavily on passwords.

Multi factor authentication may not be enforced for all users.

Old accounts may remain active.

Service accounts may use long lived credentials.

Credential rotation may be infrequent.

Logs may not be reviewed for suspicious VPN activity.

Firewall configuration changes may not trigger alerts.

Organizations may not know whether their Fortinet credentials have appeared in leaked datasets.

These weaknesses can allow stolen credentials to become successful access.

Potential Impact:

The potential impact of FortiBleed can be severe.

Attackers may gain VPN access.

Firewall administrative accounts may be compromised.

Internal systems may become reachable.

Active Directory environments may be targeted.

Sensitive data may be accessed.

Firewall rules may be modified.

Backdoor accounts may be created.

Security controls may be weakened.

Credentials may be harvested from additional systems.

Lateral movement may follow.

Ransomware deployment may become easier.

The final impact depends on what the compromised Fortinet account can access, how the VPN is segmented, and whether attackers can move from the edge into internal systems.

What Organizations Should Do Now:

Organizations using Fortinet FortiGate firewalls or SSL VPN gateways should act immediately.

Terminate all active SSL VPN and administrative sessions.

Reset credentials for Fortinet VPN users and administrative accounts.

Rotate service account credentials associated with Fortinet devices.

Enforce multi factor authentication for SSL VPN and administrative access.

Disable unused accounts.

Review all local and directory based accounts with Fortinet access.

Restrict administrative interfaces to trusted management networks.

Review firewall and VPN logs for unusual access.

Check for successful logins from unfamiliar IP addresses.

Review configuration changes and new accounts.

Update FortiOS and related Fortinet software to supported versions.

Hunt for signs of compromise on exposed devices.

Because the campaign involves credential exposure, password changes alone may not be enough if attackers have already established persistence on the device or behind it.

Fortinet Hardening Actions to Prioritize:

Organizations should strengthen Fortinet edge security beyond immediate credential rotation.

Limit SSL VPN exposure where possible.

Use trusted host restrictions for administrators.

Disable unnecessary management services.

Require phishing resistant multi factor authentication for privileged access.

Review firewall policies for excessive internal access from VPN pools.

Segment VPN users by role and business need.

Monitor changes to administrators, policies, routes, and VPN settings.

Export and securely preserve device logs.

Review firmware versions and apply vendor guidance.

Audit third party and vendor VPN accounts.

Remove stale accounts immediately.

Fortinet devices should be treated as critical security infrastructure.

They must be patched, monitored, and governed like high value systems.
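Several of the hardening actions above (trusted host restrictions for administrators, MFA on privileged accounts, management services disabled on internet facing interfaces, and VPN pool policies that do not grant access to everything) can be checked mechanically against a configuration dump, which is also the segmentation review a perimeter assessment should perform. The following Python script is an added example, not Fortinet tooling and not code from this post. It parses the text that the FortiOS "show" command prints (the sample embedded in the block is constructed and is not from a real device) and reports each condition as a finding. The configuration keywords it looks at (trusthost1, two-factor, allowaccess, role, source-address, srcintf, dstaddr, service) are FortiOS attribute names; the severity labels and check identifiers are the example's own.

```python
"""Audit a FortiOS configuration dump for the weaknesses that turn a stolen or
brute-forced credential into access: administrators reachable from any source,
administrators without a second factor, management services on a WAN interface,
and SSL VPN policies that reach everything internally.
Added example. SAMPLE_CONFIG is constructed to resemble 'show' output on a
FortiGate; it is not a real device's configuration."""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
        set role wan
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set two-factor fortitoken
    next
    edit "svc-backup"
        set accprofile "super_admin"
    next
end
config vpn ssl settings
    set source-address "all"
end
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

MGMT_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}
PLAINTEXT_SERVICES = {"http", "telnet"}


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into
    {section_path: {object_name: {attribute: [values]}}}. Sections with no
    'edit' entries (e.g. 'vpn ssl settings') use object name ''; a 'config'
    block nested inside an 'edit' is keyed 'path/object/subsection'."""
    sections = {}
    stack = []  # one [section_path, current_object_name] per open block
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            parent = f"{stack[-1][0]}/{stack[-1][1]}/" if stack else ""
            path = parent + " ".join(args)
            sections.setdefault(path, {})
            stack.append([path, ""])
        elif kw == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif kw == "set":
            path, obj = stack[-1]
            sections[path].setdefault(obj, {})[args[0]] = args[1:]
        elif kw == "next":
            stack[-1][1] = ""
        elif kw == "end":
            stack.pop()
    return sections


def audit(sections):
    """Return (severity, check_id, object) tuples. 'show' prints only non-default
    values, so a missing trusthost or two-factor line means the default applies:
    login allowed from any source, no second factor."""
    findings = []
    for name, attrs in sections.get("system admin", {}).items():
        if not any("trusthost" in k for k in attrs):
            findings.append(("HIGH", "admin-no-trusthost", name))
        if attrs.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(("HIGH", "admin-no-mfa", name))
    for name, attrs in sections.get("system interface", {}).items():
        access = set(attrs.get("allowaccess", []))
        if access & PLAINTEXT_SERVICES:
            findings.append(("MEDIUM", "plaintext-mgmt-enabled", name))
        if attrs.get("role") == ["wan"] and access & MGMT_SERVICES:
            findings.append(("HIGH", "wan-mgmt-exposed", name))
    ssl = sections.get("vpn ssl settings", {}).get("", {})
    if ssl.get("source-address", ["all"]) == ["all"]:
        findings.append(("LOW", "sslvpn-any-source-address", "vpn ssl settings"))
    for pid, attrs in sections.get("firewall policy", {}).items():
        from_vpn = any(i.startswith("ssl.") for i in attrs.get("srcintf", []))
        if (from_vpn and attrs.get("action") == ["accept"]
                and attrs.get("dstaddr") == ["all"] and attrs.get("service") == ["ALL"]):
            findings.append(("HIGH", "vpn-policy-any-any", pid))
    return findings


def audit_config(text):
    return audit(parse_fortios(text))


if __name__ == "__main__":
    for severity, check, target in audit_config(SAMPLE_CONFIG):
        print(f"{severity:6} {check:26} {target}")
```

Run it against a full "show" export of a device (pipe the CLI output into a file and load it in place of SAMPLE_CONFIG). The "LOW" finding on source-address is a hardening opportunity rather than a misconfiguration: a remote access VPN that must accept users from anywhere cannot always restrict source addresses, but the finding makes the exposure explicit.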

Detection and Monitoring Strategies:

Security teams should increase monitoring around Fortinet access and configuration activity.

Monitor SSL VPN logins from unusual countries or networks.

Review failed and successful authentication spikes.

Alert on logins using generic admin accounts.

Monitor administrative access outside normal windows.

Detect new local users or privilege changes.

Review changes to firewall rules and VPN portals.

Monitor configuration exports.

Watch for suspicious processes or files on compromised devices where visibility allows.

Correlate Fortinet VPN logins with internal network activity.

Review Active Directory activity after suspicious VPN sessions.

Monitor lateral movement from VPN address pools.

Detection should focus on both edge access and post login behavior.

A session built on a stolen credential may look normal until the account starts reaching internal systems it has no business reaching.
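As an added example that is not part of the original post, the following Python script applies four of the detection strategies above to FortiGate event log lines in the key=value syslog format: a burst of SSL VPN login failures from one source address, a successful login from a source that had just been failing, a successful login from a network that is not on an allowlist, and a configuration change to an administrator account. The log lines are constructed for the example; the field names (remip, srcip, action, status, cfgpath, cfgobj) follow FortiGate's style, but exact names and values vary by firmware version and must be checked against the log reference for the device in use. The allowlisted networks are an assumption standing in for an organization's known egress ranges.

```python
"""Detection rules over FortiGate event logs for the FortiBleed pattern:
credential brute forcing, a success that follows a burst of failures, logins
from networks the organization does not use, and administrator account changes.
Added example. SAMPLE_LOG lines are constructed in FortiGate's key=value syslog
style; field names and values must be checked against the firmware's log
reference before using these rules in production."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed: networks from which legitimate VPN and admin logins are expected.
KNOWN_NETS = ["203.0.113.0/24", "192.0.2.0/24"]

# Constructed sample: five failures from one address, then a VPN success for a
# service account, then an admin login and a new admin object from the same
# address, then a normal login from a known network.
SAMPLE_LOG = [
    'date=2026-03-02 time=02:14:05 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.23 user="jdoe" reason="sslvpn_login_permission_denied"',
    'date=2026-03-02 time=02:14:12 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.23 user="mlee" reason="sslvpn_login_permission_denied"',
    'date=2026-03-02 time=02:14:19 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.23 user="rpatel" reason="sslvpn_login_unknown_user"',
    'date=2026-03-02 time=02:14:27 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.23 user="svc-backup" reason="sslvpn_login_permission_denied"',
    'date=2026-03-02 time=02:14:40 logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.23 user="svc-backup" reason="sslvpn_login_permission_denied"',
    'date=2026-03-02 time=02:15:10 logdesc="SSL VPN tunnel up" action="tunnel-up" remip=198.51.100.23 tunnelip=10.212.134.200 user="svc-backup" reason="login successfully"',
    'date=2026-03-02 time=02:20:41 logdesc="Admin login successful" action="login" status="success" user="admin" srcip=198.51.100.23 ui="https(198.51.100.23)"',
    'date=2026-03-02 time=02:22:03 logdesc="Object attribute configured" action="Add" user="admin" srcip=198.51.100.23 cfgpath="system.admin" cfgobj="support"',
    'date=2026-03-02 time=09:01:12 logdesc="SSL VPN tunnel up" action="tunnel-up" remip=203.0.113.77 tunnelip=10.212.134.12 user="asmith" reason="login successfully"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a FortiGate key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(ev):
    """Return ('fail' | 'success' | 'admin-cfg' | None, source_ip) for an event."""
    src = ev.get("remip") or ev.get("srcip")
    action = ev.get("action", "")
    if action == "ssl-login-fail" or (action == "login" and ev.get("status") == "failed"):
        return "fail", src
    if action == "tunnel-up" or (action == "login" and ev.get("status") == "success"):
        return "success", src
    if ev.get("cfgpath") == "system.admin":
        return "admin-cfg", src
    return None, src


def detect(lines, known_nets, fail_threshold=5, window_s=600, min_prior_fails=3):
    """Return (rule, source_ip, detail) findings over the lines in time order."""
    nets = [ipaddress.ip_network(n) for n in known_nets]
    fails = defaultdict(deque)  # source ip -> (timestamp, user) of failures in the window
    findings = []
    for ev in map(parse_kv, lines):
        kind, src = classify(ev)
        if kind is None or src is None:
            continue
        ts = datetime.fromisoformat(f"{ev['date']}T{ev['time']}")
        recent = fails[src]
        while recent and (ts - recent[0][0]).total_seconds() > window_s:
            recent.popleft()
        if kind == "fail":
            recent.append((ts, ev.get("user", "")))
            if len(recent) == fail_threshold:  # fire once as the burst crosses the threshold
                findings.append(("bruteforce", src, len({u for _, u in recent})))
        elif kind == "success":
            if len(recent) >= min_prior_fails:
                findings.append(("success-after-failures", src, ev.get("user", "")))
            if not any(ipaddress.ip_address(src) in n for n in nets):
                findings.append(("login-unknown-source", src, ev.get("user", "")))
        else:
            findings.append(("admin-account-change", src, ev.get("cfgobj", "")))
    return findings


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG, KNOWN_NETS):
        print(f"{rule:24} {src:16} {detail}")
```

The "bruteforce" detail is the number of distinct usernames tried from that address inside the window, which separates a password spray (many users, few attempts each) from a single-account attack. The success-after-failures rule is the one that matters most for this campaign: it fires on the login that actually worked, which is the session to terminate first.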

The Role of Incident Response Planning:

Incident response teams should treat suspected Fortinet credential exposure as a potential perimeter compromise.

If exposed credentials are discovered, responders should terminate active sessions, rotate credentials, revoke tokens where applicable, and review recent access logs.

They should identify which accounts were affected.

They should determine whether those accounts successfully authenticated.

They should review what internal systems were accessed after those logins.

They should check for new users, configuration changes, firewall policy changes, VPN rule changes, and suspicious administrative activity.

If attackers accessed internal systems, the investigation should expand into identity logs, endpoint telemetry, network traffic, and Active Directory activity.

Perimeter compromise often becomes identity compromise.

The response should not stop at the firewall.
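The triage questions above (which exposed accounts authenticated successfully, from where, what they changed, and whether the credential was rotated before or after its last use) can be answered from a SIEM export. The following Python example is added here and is not part of the original post. It assumes the SIEM exports FortiGate events as JSON lines with the field names shown (the embedded sample is constructed, not real data), takes the usernames found in the leaked dataset and the responder's own record of when each credential was rotated, and produces a verdict per account plus the tunnel and source addresses to search for in Active Directory, file server and internal firewall logs. The account names, timestamps and rotation times are all assumptions made for the example.

```python
"""Triage exposed Fortinet accounts against a SIEM export: did each account
authenticate, from where, with which tunnel address, what administrator changes
did it make, and was its credential rotated before or after its last use?
Added example. The JSON lines and the rotation record are constructed; the code
assumes the SIEM exports FortiGate events with the field names used here."""
import json
from datetime import datetime

# Constructed SIEM export (JSON lines), not real data.
SIEM_EXPORT = """\
{"ts": "2026-03-01T22:10:04Z", "logdesc": "SSL VPN tunnel up", "user": "jdoe", "remip": "203.0.113.15", "tunnelip": "10.212.134.11"}
{"ts": "2026-03-02T02:15:10Z", "logdesc": "SSL VPN tunnel up", "user": "svc-backup", "remip": "198.51.100.23", "tunnelip": "10.212.134.200"}
{"ts": "2026-03-02T02:20:41Z", "logdesc": "Admin login successful", "user": "admin", "srcip": "198.51.100.23"}
{"ts": "2026-03-02T02:22:03Z", "logdesc": "Object attribute configured", "user": "admin", "srcip": "198.51.100.23", "cfgpath": "system.admin", "cfgobj": "support"}
{"ts": "2026-03-02T10:00:00Z", "logdesc": "SSL VPN tunnel up", "user": "jdoe", "remip": "198.51.100.23", "tunnelip": "10.212.134.201"}
{"ts": "2026-03-02T14:03:22Z", "logdesc": "SSL VPN tunnel up", "user": "rpatel", "remip": "192.0.2.9", "tunnelip": "10.212.134.12"}
"""

# Assumed: usernames present in the leaked dataset, and the responder's record
# of when each credential was rotated (None = not rotated yet).
EXPOSED = {"svc-backup", "jdoe", "admin", "tmiller"}
ROTATED_AT = {"svc-backup": "2026-03-02T08:30:00Z", "jdoe": "2026-03-02T08:35:00Z",
              "admin": None, "tmiller": "2026-03-02T08:40:00Z"}

SUCCESS_EVENTS = {"SSL VPN tunnel up", "Admin login successful"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(json_lines, exposed, rotated_at):
    """Return {account: {verdict, logins, sources, tunnel_ips, admin_changes}}."""
    report = {a: {"logins": [], "sources": set(), "tunnel_ips": set(), "admin_changes": []}
              for a in exposed}
    for line in json_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        entry = report.get(ev.get("user"))
        if entry is None:          # not one of the exposed accounts
            continue
        if ev.get("logdesc") in SUCCESS_EVENTS:
            entry["logins"].append(ev["ts"])
            entry["sources"].add(ev.get("remip") or ev.get("srcip"))
            if "tunnelip" in ev:
                entry["tunnel_ips"].add(ev["tunnelip"])
        elif ev.get("cfgpath") == "system.admin":
            entry["admin_changes"].append(ev.get("cfgobj", "?"))
    for acct, entry in report.items():
        rot = rotated_at.get(acct)
        logins = [_ts(t) for t in entry["logins"]]
        if rot is None:
            entry["verdict"] = "not-rotated"            # still usable by the attacker
        elif any(t >= _ts(rot) for t in logins):
            entry["verdict"] = "used-after-rotation"    # new secret compromised or rotation ineffective
        elif logins:
            entry["verdict"] = "used-before-rotation"   # investigate what those sessions reached
        else:
            entry["verdict"] = "no-auth-seen"
        entry["sources"] = sorted(entry["sources"])
        entry["tunnel_ips"] = sorted(entry["tunnel_ips"])
    return report


def pivot_indicators(report):
    """Tunnel and source addresses to search for in internal logs, taken from
    every exposed account that did authenticate."""
    ips = set()
    for entry in report.values():
        if entry["logins"]:
            ips.update(entry["sources"])
            ips.update(entry["tunnel_ips"])
    return sorted(ips)


if __name__ == "__main__":
    result = triage(SIEM_EXPORT.splitlines(), EXPOSED, ROTATED_AT)
    for acct in sorted(result):
        e = result[acct]
        print(f"{acct:12} {e['verdict']:22} logins={len(e['logins'])} "
              f"sources={e['sources']} tunnel={e['tunnel_ips']} admin_changes={e['admin_changes']}")
    print("pivot on:", pivot_indicators(result))
```

The "used-after-rotation" verdict is the one that should change the response: a successful login after the password was changed means either the new secret was captured as well (consistent with a sniffer on a compromised device), the rotation did not reach every place the credential is stored, or the attacker holds a second access path. The tunnel addresses are what the VPN pool assigned to those sessions, so they are the values to search for in internal firewall, file server and Active Directory logon logs.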

Penetration Testing Insight:

From a penetration testing perspective, FortiBleed shows why external perimeter assessments must include credential exposure and VPN abuse scenarios.

A strong assessment should evaluate whether Fortinet VPN access is protected by MFA, whether passwords are reused, whether administrative interfaces are exposed, and whether VPN users can reach sensitive internal systems.

Testing should review segmentation from VPN address pools.

It should assess whether suspicious VPN activity is detected quickly.

It should determine whether compromised VPN access can lead to Active Directory exposure, internal application access, or privileged escalation.

Modern penetration testing should answer a practical question.

If an attacker logs in with valid Fortinet credentials, what can they reach, and how quickly would the organization know?

Expert Insight:

James Knight, Senior Principal at Digital Warfare, said:

“FortiBleed is a reminder that edge devices are not only patching priorities. They are credential risk points. If attackers obtain valid VPN or firewall credentials, they can move through legitimate access paths, which means organizations need MFA, session control, segmentation, and strong monitoring around every perimeter login.”

What Security Leaders Should Prioritize:

Security leaders should treat FortiBleed as a perimeter credential emergency.

The immediate priority is credential rotation, session termination, and MFA enforcement.

The broader priority is validating whether stolen credentials were used before remediation.

Leaders should ask clear questions.

Which Fortinet devices are internet accessible?

Which accounts can access SSL VPN or administration?

Are all active sessions terminated?

Have all relevant credentials been rotated?

Is MFA enforced for every Fortinet access path?

Can we detect suspicious VPN logins?

Can VPN users reach sensitive internal systems?

Were any configuration changes made unexpectedly?

If teams cannot answer these questions quickly, the organization has a perimeter credential visibility gap.

Call to Action:

Organizations using Fortinet firewalls and SSL VPN gateways should not treat FortiBleed as a routine password reset issue.

Terminate sessions, rotate credentials, enforce MFA, restrict management access, review logs, hunt for compromise, and confirm that stolen Fortinet credentials cannot become a route into internal systems.
