247techify blog.
FortiBleed: 86,000 Fortinet Firewalls Had Admin Passwords Cracked and CISA Is Sounding the Alarm

Attackers have verified working credentials for over 86,000 Fortinet FortiGate firewalls across 194 countries. CISA, the UK NCSC, and Fortinet have all issued emergency guidance. Here is what to do right now.

If your business runs a Fortinet FortiGate firewall or SSL VPN, rotate your credentials before you do anything else. Then come back and read this.

A large-scale, industrialized credential-theft campaign called FortiBleed has rocked the network security world. Attackers, believed to be Russian-speaking, have assembled a verified database of working administrator and VPN logins for tens of thousands of Fortinet devices worldwide. By June 19, 2026, the confirmed tally stood at more than 86,000 compromised devices across 194 countries. CISA, the UK National Cyber Security Centre, and Fortinet's own security team all issued emergency guidance within days of each other. This is not theoretical exposure. The passwords work. The devices are online. The attackers have the keys.

What Happened

FortiBleed surfaced publicly on June 13, 2026, when security researcher Volodymyr "Bob" Diachenko discovered an exposed threat actor server hosting a growing database of validated credentials alongside automated attack tooling.

Threat actors had been systematically extracting configuration files from internet-facing FortiGate devices and cracking the stored credential hashes, producing verified working administrator credentials for between 30,000 and 75,000 devices. The numbers kept climbing as more firms validated the data. By June 19, the confirmed figure reached 86,644 systems, making FortiBleed one of the most significant credential-based attacks targeting network security appliances in recent years.

Hudson Rock and independent researcher Kevin Beaumont estimate the number of distinct affected devices at approximately 75,000, roughly 50% of all internet-facing Fortinet firewalls indexed by Shodan at the time of disclosure.

The dataset is not a loose list of guessed passwords. SOCRadar's research identified operational infrastructure belonging to the threat group, including databases of validated credentials organized by country, sector, and organization revenue. Attackers have already sorted the target list and are ready to sell or act on it.

How the Attackers Did It

According to independent analyses by SOCRadar, Hudson Rock, and security researcher Kevin Beaumont, the threat actors collected configuration files from internet-facing FortiGate firewalls and used them to recover working administrator credentials through offline cracking. That last detail is critical: your firewall did not alert. Your SIEM did not fire. The attack happened quietly, against data already extracted from the device.

Fortinet introduced stronger password protection through the Password-Based Key Derivation Function 2 (PBKDF2) algorithm in FortiOS versions 7.2.11, 7.4.8, and 7.6.1. However, organizations that upgraded from older versions may still have administrator passwords stored using the legacy SHA-256 hashing method. A single SHA-256 is cheap to compute, so such hashes are fast to crack with modern GPU clusters. PBKDF2 is deliberately slow and far more resistant. A device can only re-hash a password when it is presented at login, so if you upgraded FortiOS but did not have every administrator log back in afterward, the weaker hash may still be sitting in storage.
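
The re-login requirement is easy to misread as bureaucracy, so here is a small model of it. This is an added example, not Fortinet's code and not FortiOS's on-disk credential format: it keeps a credential store with a fast salted SHA-256 "legacy" scheme and a PBKDF2-HMAC-SHA256 scheme (the 600,000 iteration count is illustrative, not a FortiOS setting), shows that a store cannot be migrated without the plaintext, and measures how much more one PBKDF2 verification costs than one SHA-256, which is the whole reason offline cracking of the legacy hash is practical.

```python
"""Why a FortiOS upgrade alone does not replace a legacy password hash.

Added example: models a credential store with two hashing schemes. The entry
for a user can only move from "legacy" to "pbkdf2" at the moment that user
presents the plaintext, i.e. at the next successful login.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # illustrative work factor, not FortiOS's value


def legacy_hash(password: str, salt: bytes) -> bytes:
    # One SHA-256 over salt+password: a single cheap operation per guess.
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    # PBKDF2 repeats HMAC-SHA256 `iterations` times, so every guess pays that cost.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_entry(password: str, scheme: str = "pbkdf2") -> dict:
    """Create a stored credential under the given scheme with a fresh salt."""
    salt = os.urandom(16)
    fn = legacy_hash if scheme == "legacy" else pbkdf2_hash
    return {"scheme": scheme, "salt": salt, "hash": fn(password, salt)}


def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Verify a login; on success, rewrite a legacy entry under PBKDF2."""
    entry = store.get(user)
    if entry is None:
        return False
    fn = legacy_hash if entry["scheme"] == "legacy" else pbkdf2_hash
    if not hmac.compare_digest(fn(password, entry["salt"]), entry["hash"]):
        return False
    if entry["scheme"] == "legacy":
        # Only possible now: the plaintext is in hand for this one request.
        store[user] = make_entry(password, "pbkdf2")
    return True


def legacy_accounts(store: dict) -> list:
    """Accounts an upgrade left behind: still legacy until each one logs in."""
    return sorted(u for u, e in store.items() if e["scheme"] == "legacy")


def cost_ratio(password: str = "correct horse", salt: bytes = b"\x00" * 16, trials: int = 20) -> float:
    """Wall-clock cost of one PBKDF2 verification relative to one SHA-256."""
    t0 = time.perf_counter()
    for _ in range(trials):
        legacy_hash(password, salt)
    fast = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    pbkdf2_hash(password, salt)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    # Constructed store: two accounts hashed before the upgrade, one after.
    store = {
        "admin": make_entry("OldAdminPass!", "legacy"),
        "backup_svc": make_entry("svc-2019", "legacy"),
        "netops": make_entry("N3w-Pass-After-Upgrade", "pbkdf2"),
    }
    print("legacy entries right after upgrade:", legacy_accounts(store))
    verify_and_upgrade(store, "admin", "OldAdminPass!")
    print("legacy entries after admin logs in:", legacy_accounts(store))
    print(f"one PBKDF2 verification costs ~{cost_ratio():.0f}x one SHA-256")
```

The `backup_svc` entry never changes, which is the point of the guidance's note about service accounts that cannot log in interactively: something has to set a new password for them explicitly, since no interactive login will ever carry the plaintext through the upgrade path.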

Once attackers gained access to FortiGate devices, they used packet sniffing to intercept network traffic, harvesting NTLM and Kerberos hashes for users across the entire environment. That is the real blast radius: a cracked firewall password becomes a gateway to your entire Active Directory.

Who Is Behind It

Security researchers attribute the operation to Russian-speaking threat actors exploiting weak passwords, reused credentials, and outdated security practices. The attackers executed roughly 1.16 billion credential attempts targeting more than 320,000 FortiGate devices, as well as 2.1 billion brute-force attempts against over 160,000 MSSQL servers.

Attribution to a Russian-speaking threat group, combined with confirmed targeting of a NATO defense contractor, raises the likelihood of espionage objectives alongside opportunistic access. This is not purely a financially motivated criminal crew. Nation-state overlap makes the downstream consequences harder to predict and more dangerous.

The Default Credentials Problem

The breakdown of compromised account types tells its own story. According to SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials, with organization-specific accounts accounting for the remaining 36.7%.

More than six out of ten compromised accounts were either a default or a built-in system account. This is not a sophisticated zero-day problem. It is a basic hygiene failure at enormous scale.

What CISA, UK NCSC, and Fortinet Are Telling You to Do

CISA issued an emergency advisory on June 18, 2026. The UK NCSC published a global warning. Fortinet's Product Security Incident Response Team issued a formal blog post. All three landed within a six-day window.

The collective guidance covers the following actions:

  • Terminate all active SSL VPN and administrative sessions on every FortiGate appliance immediately.
  • Reset every FortiGate admin and VPN user password using long, unique credentials. No exceptions for service accounts or legacy setups.
  • Force all administrators to log in fresh after a FortiOS upgrade so PBKDF2 hashing replaces any stored SHA-256 hashes. Use the super_admin account to manually update any accounts that cannot log in interactively.
  • Upgrade to a current FortiOS branch (7.2.11, 7.4.8, 7.6.1, or 8.0+) to ensure PBKDF2 is the active hashing method.
  • Enable phishing-resistant MFA on all administrative and VPN access.
  • Block public internet access to management interfaces. Your firewall admin panel should never be reachable from the open internet.
  • Rename or disable all default and built-in accounts. The data shows attackers targeted these first.
  • Check the Hudson Rock and SOCRadar FortiBleed lookup tools to see if your devices appear in the compromised dataset.
  • Review FortiGate logs for unusual logins, new admin account creation, configuration exports, and lateral movement.
  • Rotate all Active Directory credentials if any user traffic passed through a potentially compromised FortiGate device.
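
The log-review item above is the one most teams will need to script. The following is an added example, not code from the article, CISA, or Fortinet. FortiGate event logs are written as key=value syslog lines; the parser below handles that syntax in general, while the specific field values it keys on (`logdesc`, `action`, `status`, `cfgpath`, `cfgobj`, and the `ui="https(<ip>)"` form of the source address) are assumptions that should be checked against the log reference for your FortiOS build. The sample lines and addresses are constructed for the demonstration.

```python
"""Triage FortiGate-style event logs for the indicators the guidance lists:
admin logins from outside the management allowlist, new administrator
accounts, and configuration exports. Added example; field values assumed.
"""
import ipaddress
import re

# key=value pairs, with double-quoted values that may contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# assumed form of the admin source field, e.g. ui="https(203.0.113.7)"
UI_SRC_RE = re.compile(r"\(([0-9a-fA-F.:]+)\)")

# Constructed sample lines (not real device output).
SAMPLE_LOGS = [
    'date=2026-06-16 time=02:13:44 devname="fw-edge-1" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2026-06-16 time=02:14:10 devname="fw-edge-1" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" '
    'action="Add" cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    'date=2026-06-16 time=02:15:02 devname="fw-edge-1" type="event" subtype="system" '
    'logdesc="Configuration backup" user="admin" ui="https(198.51.100.23)" '
    'action="backup" status="success" msg="Configuration backed up"',
    'date=2026-06-16 time=09:00:31 devname="fw-edge-1" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(10.10.5.4)" '
    'action="login" status="success" msg="Administrator netops logged in successfully"',
]


def parse_fortigate_line(line: str) -> dict:
    """Parse one key=value line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def source_ip(fields: dict):
    """Pull the admin's source address out of the ui field, if present."""
    m = UI_SRC_RE.search(fields.get("ui", ""))
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def triage(lines, allowed_mgmt_nets) -> list:
    """Return (indicator, user, detail) tuples for lines worth a human look."""
    nets = [ipaddress.ip_network(n) for n in allowed_mgmt_nets]
    findings = []
    for line in lines:
        f = parse_fortigate_line(line)
        if not f:
            continue
        desc = f.get("logdesc", "").lower()
        user = f.get("user", "?")
        # 1) successful admin login from outside the management allowlist
        if f.get("action") == "login" and f.get("status") == "success":
            ip = source_ip(f)
            if ip is not None and not any(ip in n for n in nets):
                findings.append(("admin_login_outside_allowlist", user, str(ip)))
        # 2) a new administrator object being added
        if f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
            findings.append(("admin_account_created", user, f.get("cfgobj", "?")))
        # 3) configuration backup or download, i.e. the config file leaving the box
        if "backup" in desc or ("config" in desc and "download" in desc):
            findings.append(("config_export", user, f.get("ui", "?")))
    return findings


if __name__ == "__main__":
    # 10.10.0.0/16 stands in for the management network; constructed value.
    for indicator, user, detail in triage(SAMPLE_LOGS, ["10.10.0.0/16"]):
        print(f"{indicator:32} user={user:10} {detail}")
```

Run against real exports, the three indicators line up with the campaign's sequence as the article describes it: a login from an address that should never reach the management plane, an extra admin created for persistence, and a configuration export that hands the attacker the hashes for the next round. Treat any admin login from outside your allowlist as a finding on its own, even when nothing else follows it in the logs.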

Do not wait for confirmation of a novel zero-day before acting. The known attack surface is already sufficient to justify immediate response.

How 247techify Can Help

At 247techify, we work directly with businesses to audit firewall configurations, enforce credential hygiene, and implement MFA across network perimeter devices, including Fortinet environments. If you are unsure whether your FortiGate estate is exposed, or you need help working through the CISA remediation checklist, our team is ready to help you move fast and get it right. Reach out to us at https://www.247techify.com/.

