The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to Fortinet customers following the discovery of a large-scale cyber campaign known as FortiBleed, which has affected tens of thousands of internet-accessible FortiGate devices worldwide. Security researchers put the number of compromised devices at 86,644 as of June 19, 2026, making it one of the most significant credential-based attacks on network security infrastructure in recent years. The campaign is believed to be linked to Russian-speaking threat actors who systematically targeted Fortinet remote access systems using a combination of credential stuffing, password spraying, and automated attack tooling. The incident has drawn attention from cybersecurity agencies and threat intelligence firms because of its scale and the strategic importance of the affected systems, many of which serve as entry points to enterprise networks.
Research conducted by SOCRadar indicates that the compromised credentials were largely tied to generic administrator accounts and built-in Fortinet system accounts, which together accounted for more than sixty percent of identified exposures. Organization-specific accounts made up the remainder, showing that the attackers were not relying only on factory-default accounts but were also getting into accounts that organizations had created themselves. According to the researchers, the findings point to widespread problems with password hygiene, credential reuse, and the failure to rotate or replace default credentials. The campaign reportedly involved mass scanning of internet-facing Fortinet login portals, after which the attackers used a purpose-built automated tool to test known username and password combinations against the identified targets. Once access was obtained, the attackers monitored network traffic passing through the compromised devices and harvested additional credentials that could be used to extend their access to other systems. Security experts noted that each credential was verified against the target device before being added to a database of confirmed working logins, creating a growing repository of valid credentials that could be used in further attacks.
The impact of the campaign spans multiple sectors and geographic regions. Telecommunications, government organizations, and educational institutions have emerged as the most affected sectors, while India, the United States, Mexico, Colombia, and Thailand recorded some of the highest numbers of exposed systems. Hudson Rock researchers stated that the attackers appear to have assembled a verified database of legitimate credentials associated with major enterprises around the world. The United Kingdom's National Cyber Security Centre has also described FortiBleed as a global campaign targeting internet-facing Fortinet firewalls and VPN gateways through brute-force attacks, dictionary attacks, and credential stuffing. Researchers suspect the operation may have taken advantage of older credential storage methods used within FortiGate systems. Arctic Wolf noted that Fortinet introduced stronger Password-Based Key Derivation Function 2 (PBKDF2) hashing for administrator credentials in newer versions of FortiOS. However, organizations that upgraded from older versions may still have administrator credentials stored using the legacy SHA-256-based hashing until those credentials are updated following a successful login; the upgrade alone does not rehash them. Two caveats apply: a slow, salted hash only raises the cost of cracking credentials that have already leaked (for example in an exposed configuration backup), and it does nothing to stop online guessing of a weak or reused password against the login portal itself.
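To make the storage-format point concrete, the following is an added example and not Fortinet's code or a description of the FortiOS on-disk format. It models the legacy scheme as a single unsalted SHA-256 digest (an assumption; the page only says "SHA-256 based"), compares it with salted PBKDF2-HMAC-SHA256 under an offline dictionary attack, and shows a second consequence of unsalted hashes that the paragraph does not spell out: identical passwords across devices are visible in a pile of leaked configs without cracking a single one. The wordlist, password and device names are constructed.

```python
"""Added example: legacy unsalted SHA-256 vs salted PBKDF2 for stored admin
credentials. The legacy model (sha256(password), no salt, one round) is an
assumption made for illustration, not FortiOS's actual construction."""
import hashlib
import hmac
import os
import time
from collections import defaultdict


def legacy_hash(password: str) -> bytes:
    """Assumed legacy scheme: fast, unsalted, identical for identical passwords."""
    return hashlib.sha256(password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: per-account salt plus a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(target: bytes, wordlist, hash_fn):
    """Offline dictionary attack. Returns (password, candidates tried) on a
    hit, or (None, len(wordlist)) if the list is exhausted."""
    for tried, candidate in enumerate(wordlist, 1):
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate, tried
    return None, len(wordlist)


def shared_passwords(stored: dict) -> dict:
    """Group account/device names whose stored hashes are byte-identical.
    With an unsalted scheme this exposes password reuse across devices at
    zero cracking cost; with PBKDF2 and random salts the groups are empty."""
    groups = defaultdict(list)
    for name, digest in stored.items():
        groups[digest].append(name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


def compare_cost(password: str, wordlist, iterations: int = 100_000) -> dict:
    """Run the same dictionary attack against both schemes and time it.
    The candidate count is identical; only the per-guess cost changes."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    legacy_result = crack(legacy_hash(password), wordlist, legacy_hash)
    t1 = time.perf_counter()
    target = pbkdf2_hash(password, salt, iterations)
    pbkdf2_result = crack(target, wordlist,
                          lambda c: pbkdf2_hash(c, salt, iterations))
    t2 = time.perf_counter()
    return {"legacy": legacy_result, "legacy_seconds": t1 - t0,
            "pbkdf2": pbkdf2_result, "pbkdf2_seconds": t2 - t1}


# Constructed wordlist; the "real" password sits at position 6.
WORDLIST = ["password", "fortinet", "Fortinet123", "admin",
            "Welcome1", "Summer2026!", "changeme", "P@ssw0rd"]

if __name__ == "__main__":
    result = compare_cost("Summer2026!", WORDLIST)
    print(f"legacy : {result['legacy']} in {result['legacy_seconds']:.6f}s")
    print(f"pbkdf2 : {result['pbkdf2']} in {result['pbkdf2_seconds']:.3f}s")
    # Constructed "leaked config" sample: two firewalls share an admin password.
    leaked = {"fw-hq": legacy_hash("Summer2026!"),
              "fw-branch-1": legacy_hash("Summer2026!"),
              "fw-lab": legacy_hash("hunter2")}
    for digest, names in shared_passwords(leaked).items():
        print(f"reused password across {names} (hash {digest.hex()[:12]}...)")
```

Running the script shows the legacy attack completing in microseconds and the PBKDF2 attack taking seconds for the same eight guesses; scale the wordlist to the millions of credentials described above and the difference is what makes a leaked config survivable or not. The `shared_passwords` check is the defender's version of what an attacker with many leaked configs would do first.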
Fortinet has stated that the exposed data most likely represents a combination of previously leaked information and successful credential brute-forcing rather than a newly identified product vulnerability. The company emphasized the importance of security best practices, including regular credential rotation and the use of multi-factor authentication. CISA has advised organizations to terminate active VPN and administrative sessions (a password reset on its own leaves an attacker's existing session alive), reset passwords associated with internet-facing systems, ensure administrator credentials are protected using PBKDF2 hashing (which on an upgraded device means resetting or re-authenticating each administrator account, not just upgrading), review authentication and firewall logs for suspicious activity, and deploy phishing-resistant multi-factor authentication on all administrative interfaces. The campaign first came to public attention after security researcher Volodymyr Diachenko discovered a server holding a database of working login credentials for thousands of firewalls and VPN gateways spanning 194 countries. Researchers also found infrastructure hosting the attackers' automation tools and scripts. The incident is another example of how weak credential management and password reuse create significant risk for organizations, particularly when perimeter security devices are the target and serve as a gateway into the broader enterprise environment.
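The log review CISA recommends is where the spraying and credential-verification behaviour described earlier actually shows up. The following is an added example, not CISA's or Fortinet's tooling, that parses FortiGate-style `key="value"` admin login event lines and flags three patterns: one source failing against many distinct accounts (spraying), one source hammering a single account (brute force or stuffing), and a success from a source that was failing moments earlier (the attacker "verifying" a credential). The log lines are constructed, and the field names (`logdesc`, `user`, `srcip`, `status`, `reason`) follow FortiOS's event log style as an assumption; check them against the log reference for your FortiOS version before pointing this at real data.

```python
"""Added example: spot password spraying, brute force and failed-then-success
patterns in FortiGate-style admin login logs. Field names are an assumption
about FortiOS's key="value" event format; the sample lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts and then logs in as
# "admin"; 203.0.113.9 hammers "admin" alone; 198.51.100.20 is a normal login.
SAMPLE_LOGS = """\
date=2026-06-18 time=03:14:07 logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 status="failed" reason="passwd_invalid"
date=2026-06-18 time=03:14:09 logdesc="Admin login failed" user="fortinet" ui="https(203.0.113.7)" srcip=203.0.113.7 status="failed" reason="name_invalid"
date=2026-06-18 time=03:14:12 logdesc="Admin login failed" user="maintainer" ui="https(203.0.113.7)" srcip=203.0.113.7 status="failed" reason="passwd_invalid"
date=2026-06-18 time=03:14:15 logdesc="Admin login failed" user="backup" ui="https(203.0.113.7)" srcip=203.0.113.7 status="failed" reason="name_invalid"
date=2026-06-18 time=03:14:20 logdesc="Admin login failed" user="ops-admin" ui="https(203.0.113.7)" srcip=203.0.113.7 status="failed" reason="passwd_invalid"
date=2026-06-18 time=03:14:25 logdesc="Admin login failed" user="svc-vpn" ui="https(203.0.113.7)" srcip=203.0.113.7 status="failed" reason="passwd_invalid"
date=2026-06-18 time=03:15:02 logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 status="success" reason="none"
date=2026-06-18 time=03:20:00 logdesc="Admin login successful" user="jdoe" ui="https(198.51.100.20)" srcip=198.51.100.20 status="success" reason="none"
date=2026-06-18 time=04:01:10 logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 status="failed" reason="passwd_invalid"
date=2026-06-18 time=04:01:11 logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 status="failed" reason="passwd_invalid"
date=2026-06-18 time=04:01:12 logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 status="failed" reason="passwd_invalid"
date=2026-06-18 time=04:01:13 logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 status="failed" reason="passwd_invalid"
date=2026-06-18 time=04:01:14 logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 status="failed" reason="passwd_invalid"
date=2026-06-18 time=04:01:15 logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 status="failed" reason="passwd_invalid"
"""

# key=value pairs; values may be quoted ("Admin login failed") or bare (srcip=...).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one FortiGate-style log line into a dict with a parsed timestamp."""
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}',
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def detect(log_text: str, spray_min_users: int = 5, brute_min_fails: int = 5,
           window: timedelta = timedelta(minutes=5)) -> list:
    """Return a list of findings, one dict per (source, pattern)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["srcip"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["status"] == "failed"]
        spray = brute = None
        # Sliding window over this source's failures, anchored at each failure.
        for i, first in enumerate(fails):
            span = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_user = Counter(e["user"] for e in span)
            if spray is None and len(per_user) >= spray_min_users:
                spray = {"type": "password_spray", "srcip": src,
                         "users": sorted(per_user), "start": first["ts"].isoformat()}
            user, n = per_user.most_common(1)[0]
            if brute is None and n >= brute_min_fails:
                brute = {"type": "brute_force", "srcip": src, "user": user,
                         "failures": n, "start": first["ts"].isoformat()}
        findings.extend(f for f in (spray, brute) if f)
        # A success shortly after failures from the same source is the
        # "verified credential" moment described in the reporting above.
        for e in evs:
            if e["status"] == "success" and any(
                    f["ts"] < e["ts"] <= f["ts"] + window for f in fails):
                findings.append({"type": "likely_compromise", "srcip": src,
                                 "user": e["user"], "at": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

On the sample this reports a spray across six accounts and a likely compromise of `admin` from 203.0.113.7, and a brute-force run against `admin` from 203.0.113.9; the legitimate `jdoe` login produces nothing. Tune `spray_min_users` and `brute_min_fails` to your environment, and treat any `likely_compromise` finding as a reason to kill that admin's sessions and rotate the credential rather than just alert.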
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.