Major Security Event: Fortinet VPN Credentials and Configuration Data Exposed for 73,000 Devices
A large-scale credential compromise campaign known as FortiBleed has exposed verified administrator credentials for more than 73,000 internet-facing Fortinet FortiGate firewalls. As of mid-June 2026, the dataset is reportedly circulating within criminal underground communities. Researchers estimate that approximately 50% of all internet-reachable FortiGate devices may be affected across 194 countries, making this one of the most significant Fortinet security incidents to date.
According to public reporting, the leaked data includes VPN credentials and firewall configuration information from Fortinet and FortiGate deployments worldwide. The exposed information could enable threat actors to gain unauthorized access to affected environments, abuse legitimate credentials, and gather intelligence on internal network architectures to support follow-on attacks.
At this time, the incident does not appear to be associated with a newly disclosed vulnerability. Instead, researchers believe the dataset originated from historical compromises of Fortinet devices, likely via previously exploited vulnerabilities, with the working credentials then recovered by cracking the password hashes contained in the exposed configuration data offline (as described below). Regardless of the original source, organizations should treat any potentially exposed credentials as compromised and take immediate steps to assess risk and remediate affected accounts.
According to Bitsight Threat Intelligence
Bitsight researchers have confirmed active exploitation tied to the FortiBleed campaign, including at least one threat actor on a Russian cybercrime forum selling data from the leak. Bitsight Threat Intelligence (CTI) has also identified post-exploitation tooling associated with exploitation of related FortiOS CVEs, including the tunneling tools Chisel and Neo-reGeorg. Both tools have previously been observed in state-sponsored campaigns targeting Fortinet perimeter devices, including the Volt Typhoon campaign. Their continued appearance in toolkits tied to this exploitation suggests the compromised credential pool is being used for both opportunistic access and targeted intrusion operations.
The campaign exploits a fundamental flaw in FortiOS credential storage: when a device is upgraded from an older release, administrator passwords remain stored as legacy SHA-256 hashes until each administrator logs in again after the upgrade. SHA-256 is a fast general-purpose hash, not a deliberately slow password-hashing function such as PBKDF2, so a single GPU can test billions of candidate passwords per second against it. Attackers used a 45-GPU offline cracking infrastructure to break these hashes systematically at scale, yielding validated working credentials for tens of thousands of devices.
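To make the cost gap concrete, the following is an added example, not Fortinet's or Bitsight's code, and not a reproduction of the on-device FortiOS hash format (which this page does not document). It models the legacy scheme as a single unsalted SHA-256, the hardened scheme as salted PBKDF2-HMAC-SHA256 with an illustrative 600,000-iteration work factor, the offline dictionary attack against a dump of hashes, and the post-upgrade login that migrates an account from the weak format to the strong one. The account names, passwords and wordlist are constructed.

```python
"""Legacy SHA-256 password hash versus PBKDF2: why offline cracking works.

Added example, not Fortinet or Bitsight code. It does NOT reproduce the
on-device FortiOS hash format (not documented on this page); it uses a single
unsalted SHA-256 for the legacy scheme and salted PBKDF2-HMAC-SHA256 for the
hardened one, and models the post-upgrade login that migrates an account.
Account names, passwords and the wordlist are constructed.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumption: illustrative work factor, not Fortinet's


def legacy_hash(password: str) -> str:
    """Legacy scheme: one unsalted SHA-256 over the password. Fast, so an
    attacker can test billions of guesses per second per GPU."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: salted PBKDF2-HMAC-SHA256, stored as scheme$iter$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format with a constant-time compare."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_hash(password), stored)


def crack_legacy(store: dict, wordlist: list) -> dict:
    """Offline dictionary attack on unsalted hashes: each guess is hashed once
    and compared against every account at the same time, which is what makes
    a GPU rig so effective against a dump of thousands of configurations."""
    by_hash = {}
    for user, stored in store.items():
        by_hash.setdefault(stored, []).append(user)
    cracked = {}
    for guess in wordlist:
        for user in by_hash.get(legacy_hash(guess), []):
            cracked[user] = guess
    return cracked


def migrate_on_login(store: dict, user: str, password: str) -> bool:
    """Model of the post-upgrade login: the plaintext exists only while the
    user authenticates, so that is the only moment the legacy hash can be
    replaced. Accounts that never log in keep the weak hash."""
    stored = store[user]
    if not verify(stored, password):
        return False
    if not stored.startswith("pbkdf2_sha256$"):
        store[user] = pbkdf2_hash(password)
    return True


def guesses_per_second(hash_fn, n: int) -> float:
    """Rough single-core throughput of a scheme over n distinct guesses."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn(f"guess{i}")
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed store: three local admin accounts still on the legacy hash.
    store = {
        "admin": legacy_hash("Fortinet123!"),
        "netops": legacy_hash("Summer2025"),
        "audit": legacy_hash("x7#Qp!v9Lm2$rT"),
    }
    wordlist = ["password", "Summer2025", "Fortinet123!", "admin"]  # constructed
    print("cracked before any re-login:", crack_legacy(store, wordlist))
    migrate_on_login(store, "admin", "Fortinet123!")  # admin logs in after upgrade
    print("cracked after admin re-login:", crack_legacy(store, wordlist))
    print(f"SHA-256: ~{guesses_per_second(legacy_hash, 200_000):,.0f} guesses/s per core")
    print(f"PBKDF2 x{PBKDF2_ITERATIONS}: ~{guesses_per_second(pbkdf2_hash, 3):,.2f} guesses/s per core")
```

Run directly, the script first cracks both weak passwords from the dump, then shows that after the admin re-login only the account that never logged in is still recoverable from the stored hashes, and finally prints the per-core throughput gap between the two schemes that a GPU rig multiplies by several orders of magnitude. The `store` dictionary stands in for the password hashes that a leaked configuration file would carry.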
Technical overview
| Attribute | Details |
|---|---|
| Incident Type | Credential Exposure / Data Leak |
| Affected Component | Fortinet FortiGate Firewalls (FortiOS) and VPN Infrastructure; FortiOS prior to 7.2.11, 7.4.8, and 7.6.1 |
| Exposed Information | VPN Credentials and Configuration Data |
| Post-Exploitation Tools Observed | Chisel, Neo-reGeorg, EternalBlue |
| Potential Impact | Unauthorized Access, Credential Abuse, Network Compromise |
| Underground Activity | Active credential trading across Telegram, paste sites, and criminal forums |
Why this matters
FortiGate firewalls sit at the perimeter of enterprise networks. Compromising administrator credentials gives attackers control over an organization's entire network boundary: the ability to modify firewall rules, intercept VPN traffic, create backdoor accounts, disable logging, and stage ransomware deployment or data exfiltration.
The scale of FortiBleed, affecting roughly half of all internet-facing FortiGate devices, means organizations across every sector and geography face exposure right now, regardless of whether they were directly targeted. Because the legacy hashes persist until an administrator logs in after an upgrade, devices that appear fully patched and operational can still hold crackable credentials, and the resulting account compromise produces no alert that defenders would see without active threat hunting.
The presence of state-associated tunneling tools (Chisel, Neo-reGeorg) in related exploitation activity signals that the credential pool is not being used exclusively by low-level criminals. Sophisticated, well-resourced threat actors are also drawing from the same dataset to pursue targeted intrusions.
Impact to organizations
Organizations running affected FortiGate devices face serious downstream risks, including:
- Unauthorized network access via compromised administrator or SSL VPN credentials
- Firewall rule manipulation enabling persistent attacker access and traffic interception
- Lateral movement into internal systems following initial perimeter compromise, facilitated by tunneling tools like Chisel and Neo-reGeorg
- Ransomware deployment, as FortiGate credential theft has been a documented precursor in prior campaigns
- Data exfiltration through attacker-controlled VPN tunnels or forwarding rules
- Regulatory and compliance exposure stemming from unauthorized access to sensitive systems
- Third-party and supply chain risk, as compromised perimeter devices can expose downstream vendors and partners
Recommendations
1. Rotate All Credentials
Reset administrator accounts, local user accounts, and SSL VPN credentials across FortiGate devices, regardless of whether compromise has been confirmed. Organizations should assume that exposed credentials may be accessible to threat actors and treat potentially affected accounts as compromised.
2. Patch to a Fixed FortiOS Version
Upgrade affected devices to FortiOS 7.2.11, 7.4.8, 7.6.1, or later. Patching alone does not replace legacy SHA-256 password hashes, because the migration to PBKDF2-based hashing happens only when an account authenticates and the plaintext password is available. Every local administrator account should therefore log in after the upgrade, or have its password reset as part of step 1; an account that never logs in keeps its legacy hash.
3. Force Hash Re-Authentication
After upgrading, enable the password-policy setting that removes SHA-256 backward compatibility and enforces the stronger password hashing for administrator accounts. The setting name depends on the release:
For FortiOS 7.6.x, use: login-lockout-upon-weaker-encryption
For FortiOS 7.2.x and 7.4.x, Fortinet documentation refers to the equivalent setting as: login-lockout-upon-downgrade
4. Restrict Management Interface Access
Block external access to FortiGate management interfaces immediately. Limit access to trusted internal IP addresses, VPN-only administration paths, or an out-of-band management network. SSL VPN portals should only remain publicly accessible when there is a clear business requirement.
5. Enforce Multi-Factor Authentication
Enable MFA for all administrative and remote access accounts. MFA is one of the most effective controls against credential-based attacks, particularly when passwords may have been exposed.
6. Hunt for Indicators of Compromise
Review logs for signs of unauthorized access or post-compromise activity, including:
- Unexpected administrator logins
- Newly created accounts
- Altered firewall rules
- Disabled logging
- SSL VPN sessions outside normal business hours
- Access from unusual geographies or unfamiliar IP addresses
- Activity associated with Chisel or Neo-reGeorg tunneling
Use Bitsight Vulnerability Detection to identify exposure to CVE-2022-40684, CVE-2023-27997, and CVE-2024-55591.
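The hunting checklist above, implemented as an added example rule set (not Bitsight or Fortinet code) over constructed FortiGate-style event log records. The records follow the FortiOS key=value log layout, but their field values, the administrator allow-list and the business-hours window are illustrative assumptions; Chisel and Neo-reGeorg activity needs traffic or flow analysis and is not covered by these single-record rules.

```python
"""Hunt FortiGate event logs for the post-compromise signals in the checklist.

Added example, not Bitsight or Fortinet code. SAMPLE_LOGS are CONSTRUCTED
records in the FortiOS key=value log layout; the field values, the
administrator allow-list and the business-hours window are illustrative
assumptions. Chisel/Neo-reGeorg tunneling needs traffic or flow analysis
and is not covered by these single-record rules.
"""
import re
from datetime import datetime

ADMIN_ALLOWLIST = {"10.10.0.5", "10.10.0.6"}  # assumption: jump hosts admins use
BUSINESS_HOURS = (7, 19)  # assumption: 07:00-18:59 device-local time, Monday to Friday

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOGS = [  # constructed; 2026-06-15 is a Monday
    'date=2026-06-15 time=02:13:45 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success"',
    'date=2026-06-15 time=09:02:10 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="ssh(10.10.0.5)" srcip=10.10.0.5 action="login" status="success"',
    'date=2026-06-15 time=02:15:02 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(198.51.100.23)" action="Add" cfgpath="system.admin" cfgobj="svc_backup"',
    'date=2026-06-15 time=02:16:40 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="action[deny->accept]"',
    'date=2026-06-15 time=02:17:05 devname="FGT-EDGE-01" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" action="Edit" cfgpath="log.syslogd.setting" cfgattr="status[enable->disable]"',
    'date=2026-06-15 time=03:41:19 devname="FGT-EDGE-01" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="jdoe" remip=203.0.113.77',
    'date=2026-06-15 time=10:05:00 devname="FGT-EDGE-01" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="asmith" remip=203.0.113.90',
]


def parse_kv(line: str) -> dict:
    """Parse key=value and key="quoted value" pairs into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def is_off_hours(date_s: str, time_s: str) -> bool:
    """True on weekends or outside BUSINESS_HOURS (device-local time)."""
    ts = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S")
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def evaluate(rec: dict, allowlist=ADMIN_ALLOWLIST):
    """Apply the hunting rules to one parsed record; return an alert dict or None."""
    user = rec.get("user", "?")
    src = rec.get("srcip") or rec.get("remip", "?")
    off_hours = is_off_hours(rec["date"], rec["time"])
    subtype, action = rec.get("subtype"), rec.get("action")
    cfgpath, cfgattr = rec.get("cfgpath", ""), rec.get("cfgattr", "")

    def alert(rule: str, detail: str) -> dict:
        return {"rule": rule, "user": user, "src": src, "detail": detail}

    # Unexpected administrator logins: wrong source and/or wrong time.
    if subtype == "system" and action == "login" and rec.get("status") == "success":
        reasons = []
        if src not in allowlist:
            reasons.append("source not in allow-list")
        if off_hours:
            reasons.append("off-hours")
        return alert("suspicious-admin-login", "; ".join(reasons)) if reasons else None
    # Newly created administrator accounts.
    if cfgpath.startswith("system.admin") and action == "Add":
        return alert("new-admin-account", f"created {rec.get('cfgobj', '?')}")
    # Any change to firewall policy objects.
    if cfgpath.startswith("firewall.policy"):
        return alert("firewall-rule-change", f"{action} policy {rec.get('cfgobj', '?')}: {cfgattr}")
    # Logging turned off under any log.* configuration path.
    if cfgpath.startswith("log.") and "->disable" in cfgattr:
        return alert("logging-disabled", f"{cfgpath} {cfgattr}")
    # SSL VPN sessions outside business hours.
    if subtype == "vpn" and action == "tunnel-up" and off_hours:
        return alert("vpn-off-hours", f"{rec.get('tunneltype', 'vpn')} tunnel at {rec['time']}")
    return None


def hunt(lines, allowlist=ADMIN_ALLOWLIST) -> list:
    """Run every rule over every record and return the alerts in log order."""
    alerts = []
    for line in lines:
        rec = parse_kv(line)
        if "date" not in rec or "time" not in rec:
            continue  # not an event record we can time-check
        hit = evaluate(rec, allowlist)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOGS):
        print(f"[{a['rule']}] user={a['user']} src={a['src']} {a['detail']}")
```

On the constructed records the script raises five alerts: the 02:13 administrator login from an address outside the allow-list, the new `svc_backup` administrator, the policy flipped from deny to accept, the syslog destination disabled, and the 03:41 SSL VPN tunnel; the two daytime events from expected sources stay quiet. To run it against real data, feed `hunt()` the exported event log lines and replace the allow-list and hours with your own. Unusual-geography checks need a GeoIP lookup on `srcip`/`remip`, which is deliberately left out so the example runs offline.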
Threat landscape & context
FortiBleed follows a well-established pattern of threat actors systematically targeting network perimeter devices. The same pattern appeared with CVE-2023-27997 (XORtigate), the Volt Typhoon campaign, and the 2020 mass exploitation of CVE-2018-13379, which leaked VPN credentials for approximately 50,000 Fortinet devices. Each of those incidents demonstrated that FortiGate appliances are high-value targets precisely because they sit at the boundary between the internet and internal networks.
The operational sophistication behind FortiBleed, including dedicated GPU cracking infrastructure, credential datasets organized by sector and revenue, broad geographic coverage, and the observed use of state-associated post-exploitation tooling, points to a multi-tier threat landscape. Low-level criminal actors are monetizing access opportunistically, while more sophisticated actors appear to be leveraging the same credential pool for targeted espionage and intrusion campaigns.
Bitsight CTI is actively monitoring underground chatter across Telegram, criminal forums, and paste sites. The volume and velocity of FortiBleed-related activity indicate that this campaign is ongoing and that the credential dataset will continue to be weaponized in follow-on attacks.
How Bitsight CTI and TPRM support you
- Threat Monitoring: Track active exploitation tied to FortiBleed, related Fortinet CVEs, and threat actor tooling as activity emerges across underground sources.
- Campaign Correlation: Connect this incident to broader Fortinet exploitation trends and related intrusion campaigns to better understand attacker behavior and likely next steps.
- External Exposure Detection: Identify internet-facing assets running affected FortiOS versions and detect exposed systems that may be vulnerable to credential abuse or follow-on attacks.
- Third-Party Risk Management: Evaluate vendor and supply chain exposure to affected Fortinet technologies, prioritize third-party risk based on threat and business context, and accelerate remediation efforts.
Conclusion
FortiBleed shows how quickly exposed perimeter infrastructure can become a broader business and supply chain risk. With validated Fortinet credentials circulating in underground communities and evidence of ongoing exploitation activity, organizations should treat this incident as an urgent priority.
Immediate action should focus on credential rotation, patching, access restrictions, MFA enforcement, and threat hunting, alongside an assessment of third-party exposure across the vendor ecosystem. Continued monitoring is essential as threat actors continue to operationalize this dataset.
To learn more about this incident or speak with a Bitsight CTI expert, contact us today.