top of page

FortiBleed: Global Credential Breach Affects 73,932 Fortinet Firewalls Across 194 Countries

  • Jun 18
  • 4 min read

Key Findings


  • FortiBleed campaign exposed valid login credentials for 73,932 Fortinet firewall URLs across 194 countries, affecting 21,632 unique domains

  • Attackers conducted approximately 1.16 billion credential attempts against over 320,000 FortiGate targets using a self-feeding system

  • Compromised organizations include Samsung, Oracle, Foxconn, Comcast, Siemens, Lenovo, Spotify, Sony, and numerous government and critical infrastructure entities

  • The operation leverages previously stolen credentials from past breaches and infostealer logs rather than relying on brute force alone

  • Campaign appears orchestrated by Russian-speaking threat actors with possible geopolitical targeting, particularly toward NATO member states and defense contractors


Background


Researchers first identified the FortiBleed campaign after discovering an exposed attacker server containing verified working credentials, automation tools, and a comprehensive victim database. Unlike typical credential dumps, this operation represents an organized, ongoing effort by a multi-operator group systematizing access to internet-facing Fortinet devices. The campaign was identified by researcher Volodymyr Diachenko and further investigated by threat intelligence firms Hudson Rock and SOCRadar, both confirming the scale and sophistication of the operation.


Scale and Scope of Compromise


The attack footprint spans 194 countries with representation across virtually every industry vertical. India and the United States account for nearly a third of discovered entries. The dataset includes 21,108 unique IP addresses and 8,316 unique domains. Telecom infrastructure alone represents 5,616 entries, while government agencies account for 591 entries across 111 domains. Enterprises with over one billion dollars in revenue make up more than 20 percent of all recorded compromises. Port 443, the default for Fortinet SSL VPN services, received the highest volume of connection attempts, though attackers also targeted non-standard ports including 4443, 8443, and 10443.


How the Self-Feeding Attack Works


The FortiBleed operation employs a cyclical attack methodology designed to generate fresh credentials continuously. Attackers scan the internet for exposed Fortinet devices and test a curated password list against each target. When logins succeed, they become cataloged entries in a verified database. The compromised firewall then serves as a silent listening post, passively harvesting credentials from network traffic passing through it. These newly obtained passwords feed back into the automated scanner, creating a self-perpetuating machine that requires minimal ongoing intervention. This automation allowed attackers to conduct 2.1 billion brute-force attempts against over 160,000 MSSQL servers in parallel operations.


Credentials Come From Past Breaches, Not Simple Guessing


Many successful login attempts used complex passwords that were not cracked through brute force but rather sourced from previous breaches, infostealer malware infections, and recovered firewall data. This distinction is critical because password complexity provides no protection when attackers already possess the correct credentials. Generic admin accounts and factory default usernames dominated the verified login list, indicating widespread organizational failures to rename built-in system accounts upon deployment. The credentials originated from earlier Fortinet incidents that organizations apparently never rotated, leaving them vulnerable to reuse in new attacks.


Suspected Attribution and Motive


Evidence points toward Russian-speaking threat actors with access to sophisticated scanning and credential-testing infrastructure. Targeting patterns show heavy concentration on NATO member states and defense-related organizations. Recovered files from the attacker infrastructure included credentials for what appears to be a defense industry VPN endpoint. Researchers reported particularly deep compromises in Japan, Taiwan, Vietnam, Iraq, and Turkey, with unconfirmed allegations that classified defense documents were stolen from a Turkish NATO defense contractor. This combination of geopolitical targeting and financial motivation suggests both espionage and profit-driven objectives.


Why This Is Not Technically a Vulnerability


Fortinet confirmed that FortiBleed does not exploit a zero-day vulnerability or unpatched flaw in FortiOS. Instead, the campaign represents credential reuse and weak access control practices. The attacker dataset largely consists of credentials from previous incidents reshared and retested against new targets. This classification does not diminish the threat level but rather highlights that the danger stems from operational security failures and poor credential hygiene rather than software flaws requiring patches.


Immediate Actions Organizations Should Take


Affected or potentially affected organizations should treat the situation with urgency. Priority actions include immediately rotating all FortiGate administrator and VPN credentials, enforcing multi-factor authentication on all external access points, restricting management interfaces to trusted IP ranges only, conducting thorough reviews of gateway logs for suspicious login activity, removing unused accounts, and verifying that all FortiOS devices are fully patched with the latest firmware. Hudson Rock and SOCRadar have published free lookup portals allowing organizations to search whether their domains appear in the leaked dataset. Organizations discovering matches should assume their credentials are already in criminal hands and begin containment protocols immediately.


Broader Security Implications


The FortiBleed campaign demonstrates how compromised firewall access creates cascading security failures. Initial access to a perimeter device allows attackers to monitor VPN and gateway traffic, harvest additional credentials from that vantage point, and repurpose those credentials in subsequent attacks against other targets. Initial access brokers may now resell these verified login credentials to ransomware crews and other threat actors, potentially leading to secondary compromises. The operation underscores that organizations must treat network perimeters as potentially already compromised and implement defense-in-depth strategies that do not rely solely on firewall integrity.


Sources


  • https://hackread.com/fortibleed-attack-fortinet-firewalls-credentials/

  • https://securityonline.info/fortibleed-fortinet-breach/

  • https://www.facebook.com/HackRead/posts/-fortibleed-attack-exposes-fortinet-firewall-credentials-in-194-countries-with-r/1581734640618774

  • https://x.com/HackRead/status/2067285558137704669

  • https://www.linkedin.com/posts/thehackernews_update-fortibleed-looks-bigger-than-first-activity-7473059768438370304-cuXz

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page