A massive, automated credential theft and network infiltration campaign dubbed “FortiBleed” has silently compromised verified login details for approximately 75,000 Fortinet FortiGate firewalls globally.
The unprecedented operation, uncovered after security researcher Volodymyr “Bob” Diachenko discovered an exposed threat actor command-and-control server, affects an estimated 50 percent of all internet-facing Fortinet devices tracked worldwide.
Independent analysis by threat intelligence firm Hudson Rock and cybersecurity expert Kevin Beaumont has confirmed the authenticity of the active dataset. The breach exposes thousands of major enterprises, critical infrastructure providers, and government networks to immediate perimeter exploitation and deeper lateral movement.
An Industrial-Scale Credential Machine
The investigation into the threat actor’s infrastructure revealed a highly systematic, multi-layered approach to compromising edge security devices. Rather than exploiting a singular zero-day software vulnerability, the Russian-speaking cybercriminal group deployed an industrial-scale operation combining automated internet scanning with high-velocity credential stuffing and offline hash cracking.
The operators targeted 73,932 unique firewall URLs and 21,632 corporate domains, launching an astounding 1.16 billion credential validation attempts against over 320,000 FortiGate targets. In parallel, the syndicate conducted a broad 2.1 billion brute-force blitz against more than 163,000 Microsoft SQL Server instances, indicating a larger strategy to secure initial network access nodes.
The regional impact data tracks metrics across 194 nations globally, showing the highest exposure volumes concentrated heavily in India with 9,629 compromised perimeters, followed by the United States with 6,352, and Taiwan with 3,637 targeted configurations. The operational focus remained locked on Port 443, which serves as the default entry pathway for both SSL VPN setups and administrative web portals worldwide.
For devices where simple password reuse failed, the threat actors systematically intercepted SSL VPN authentication handshakes and configuration files, pulling them back to a dedicated, high-performance 45-GPU cracking cluster managed via the open-source Hashtopolis framework.
Once administrative or VPN passwords were recovered in plaintext, they were recorded in an organized internal log cataloged by company name, geographic location, and corporate revenue—a hallmark formatting structure utilized by Initial Access Brokers (IABs) packaging network footholds for dark web marketplaces.
The Illusion of Password Complexity
A particularly alarming finding from the forensic review is that long, complex passwords exceeding 25 characters offered zero protection. Because the threat actors focused on extracting stored credential material directly from configuration exports and pre-existing information-stealer logs, password complexity requirements were bypassed entirely: the secret was recovered from stored data rather than guessed online.
The campaign heavily capitalized on a specific technical legacy window in FortiGate’s firmware ecosystem. Although Fortinet introduced hardened PBKDF2-based password storage algorithms in early 2025 to replace vulnerable legacy hashing methods, the cryptographic upgrade only converts stored credentials if an administrator actively logs back into the device after applying the patch.
Consequently, tens of thousands of firewalls that were fully updated on paper continued storing their administrative credentials in the weaker salted SHA-256 format, leaving them highly vulnerable to rapid offline brute-forcing once configuration files were exfiltrated.
Confirmed AD Pivoting and Defense Compromise
The FortiBleed campaign extended far beyond simple boundary scanning. The threat actors actively weaponized the verified credentials to log directly into exposed web management interfaces, establish permanent backdoor accounts, and alter corporate firewall security configurations. From these boundary positions, the group moved laterally into victims’ internal environments, targeting Active Directory (AD) infrastructure to claim total Windows domain control.
The investigation confirmed deep network compromises across multiple countries, including Japan, Taiwan, Vietnam, Iraq, and Turkey. In the most severe case validated by investigators, the group successfully breached a Turkish defense contractor affiliated with NATO, exfiltrating highly classified defense infrastructure documents. The broader victim pool spans every sector of the global economy, with verified credentials belonging to industrial giants such as Foxconn, Samsung, Comcast, Siemens, Lenovo, Accenture, and Oracle.
Fortinet has issued statements clarifying that the exposed dataset appears to be a consolidation of historical leaks, credential harvesting loops, and brute-force cycles rather than an active exploit of a new software flaw. Cybersecurity units strongly urge all organizations running Fortinet perimeters to assume compromise if their management interfaces are publicly exposed, advising immediate password rotations for all VPN and administrative profiles, enforcement of mandatory multi-factor authentication (MFA), and deep log audits for hidden backdoor accounts.
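The audit for hidden administrative accounts recommended above can be started from a configuration export. The following is an added example, not code from the article or from Fortinet: it parses the `config system admin` block of a FortiGate CLI export and flags accounts that are absent from the organisation's own inventory, that have no two-factor setting, or that are not restricted by a `trusthost` entry. The sample configuration and the `APPROVED_ADMINS` inventory are constructed for illustration; setting names follow the FortiGate CLI as documented by Fortinet.

```python
import re

# Constructed sample of a FortiGate "config system admin" block (not from a real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
        set password ENC REDACTED_PLACEHOLDER_1
    next
    edit "backup_ops"
        set accprofile "super_admin"
        set password ENC REDACTED_PLACEHOLDER_2
    next
    edit "svc_monitor"
        set accprofile "prof_admin"
        set trusthost1 192.168.5.10 255.255.255.255
        set password ENC REDACTED_PLACEHOLDER_3
    next
end
"""

# Accounts the organisation knowingly created (assumption: kept in an asset inventory).
APPROVED_ADMINS = {"admin", "svc_monitor"}


def parse_admins(config_text):
    """Return {account_name: {setting: value}} for each entry in 'config system admin'."""
    block = re.search(r"config system admin\n(.*?)\nend", config_text, re.S)
    admins = {}
    if not block:
        return admins
    for entry in re.finditer(r'edit "([^"]+)"\n(.*?)\n\s*next', block.group(1), re.S):
        settings = {}
        for line in entry.group(2).splitlines():
            parts = line.strip().split(" ", 2)  # "set <key> <value...>"
            if len(parts) == 3 and parts[0] == "set":
                settings[parts[1]] = parts[2]
        admins[entry.group(1)] = settings
    return admins


def audit_admins(config_text, approved=APPROVED_ADMINS):
    """Flag unknown accounts and accounts lacking MFA or a trusted-host restriction."""
    findings = {}
    for name, s in parse_admins(config_text).items():
        issues = []
        if name not in approved:
            issues.append("not in approved inventory (possible backdoor account)")
        if "two-factor" not in s:
            issues.append("no two-factor configured")
        if not any(k.startswith("trusthost") for k in s):
            issues.append("no trusthost restriction (reachable from any source IP)")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit_admins` over a real export taken after rotating passwords; any account it reports as outside the inventory should be treated as a potential backdoor and investigated against the device's admin login logs.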