Bottom Line: Attackers exfiltrate FortiGate device configurations, crack SHA-256-hashed admin passwords offline, and gain administrative access without exploiting a new vulnerability.
Attackers leverage compromised credentials from previous security incidents and weak password hygiene to gain administrative access to FortiGate devices. Fortinet published an official statement on the “FortiBleed” attack wave on May 19, 2026.
The “FortiBleed” attack wave does not involve exploitation of a new security vulnerability. Rather, attackers use credentials obtained in previous incidents related to CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, as well as brute-force attacks against devices with weak password hygiene and lacking multi-factor authentication (MFA). Security researchers report a large number of affected devices worldwide.
The high success rate results from a hash function weakness: administrator passwords on FortiGate devices up to FortiOS 7.2.11, 7.4.8, and 7.6.1 are hashed using the weaker SHA-256 method. Critically, these weak hashes persist even after an update to a newer version for as long as the administrator does not log in again. When attackers obtain configuration exports, they can crack the password hashes contained in them offline by brute force.
With valid, compromised credentials, attackers gain administrative access to affected devices. They then create additional administrator accounts for persistence, export the device configuration, eavesdrop on VPN and authentication traffic, and prepare lateral movement into internal networks, such as connected Active Directory environments. At telecommunications providers and managed service providers, attackers can also penetrate customer networks through compromised devices.
Affected systems are FortiGate devices with administrator accounts whose passwords have not been converted to PBKDF2 through re-authentication since an update to FortiOS 7.2.11, 7.4.8, 7.6.1, or newer; devices with publicly reachable management interfaces or SSL VPN access without MFA; and devices potentially already compromised in the previous incidents mentioned above.
Fortinet recommends the following immediate actions: terminate all active administrative and VPN sessions and reset all passwords; enable MFA for all administrator and VPN user accounts; update to FortiOS 7.4, 7.6, or 8.0 and, after the update, ensure that every administrator logs in at least once (so that passwords are re-hashed with PBKDF2). On FortiOS 7.2.x and 7.4.x, the login-lockout-upon-weaker-encryption option can additionally be enabled in password policies. Finally, the configuration should be reviewed for unauthorized changes, ideally by comparison with a known unmodified reference configuration.
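The last recommendation, comparing the current configuration against a known-good reference, can be partly automated. The following script is an added example, not code from Fortinet or CERT.at. It parses the config/edit/set/next/end block syntax of a FortiOS configuration export, extracts the `config system admin` table, and reports admin accounts that were added or removed, settings that changed, and accounts that lack MFA or trusted-host restrictions (the persistence pattern described above). The setting names `accprofile`, `trusthost1`, `two-factor`, `vdom` and `password ENC` are FortiOS CLI keys as the author of this example knows them; both configuration exports and the `<placeholder-hash-N>` values are constructed. The script does not inspect the hash encoding itself, since the advisory does not describe it.

```python
"""Review a FortiGate configuration export for unauthorized admin changes.

Added example (not Fortinet's or CERT.at's code). Parses the FortiOS
config/edit/set/next/end syntax and diffs `config system admin` against a
known-good reference export. All configuration text below is constructed.
"""
from typing import Dict, List

# Constructed reference export: the known unmodified baseline.
REFERENCE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set trusthost1 10.0.10.0 255.255.255.0
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set password ENC <placeholder-hash-1>
    next
    edit "noc-ro"
        set trusthost1 10.0.20.5 255.255.255.255
        set accprofile "prof_admin"
        set vdom "root"
        set two-factor fortitoken
        set password ENC <placeholder-hash-2>
    next
end
"""

# Constructed current export: a new super_admin account has appeared and the
# built-in "admin" account has lost its MFA and trusted-host restriction.
CURRENT_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <placeholder-hash-1>
    next
    edit "noc-ro"
        set trusthost1 10.0.20.5 255.255.255.255
        set accprofile "prof_admin"
        set vdom "root"
        set two-factor fortitoken
        set password ENC <placeholder-hash-2>
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <placeholder-hash-3>
    next
end
"""


def parse_admins(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {account_name: {setting: value}} for the `config system admin` table."""
    admins: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []          # nested config section names
    current: Dict[str, str] = None  # settings of the admin entry being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "system admin":
            if line.startswith("edit "):
                name = line[len("edit "):].strip().strip('"')
                current = {}
                admins[name] = current
            elif line == "next":
                current = None
            elif line.startswith("set ") and current is not None:
                key, _, value = line[len("set "):].partition(" ")
                current[key] = value.strip().strip('"')
    return admins


def review_admins(reference: str, current: str) -> List[str]:
    """Diff admin accounts against the reference and flag weak account settings."""
    ref, cur = parse_admins(reference), parse_admins(current)
    findings: List[str] = []
    for name in sorted(set(cur) - set(ref)):
        findings.append(f"NEW admin account '{name}' (accprofile {cur[name].get('accprofile', '?')})")
    for name in sorted(set(ref) - set(cur)):
        findings.append(f"REMOVED admin account '{name}'")
    for name in sorted(set(ref) & set(cur)):
        for key in sorted(set(ref[name]) | set(cur[name])):
            before, after = ref[name].get(key), cur[name].get(key)
            if before != after:
                findings.append(f"CHANGED '{name}': {key}: {before!r} -> {after!r}")
    for name, settings in sorted(cur.items()):
        # Absent two-factor or an explicit "disable" both mean no MFA on the account.
        if settings.get("two-factor", "disable") == "disable":
            findings.append(f"NO MFA on admin account '{name}'")
        if not any(k.startswith("trusthost") for k in settings):
            findings.append(f"NO trusted hosts on admin account '{name}'")
    return findings


if __name__ == "__main__":
    for finding in review_admins(REFERENCE_CONFIG, CURRENT_CONFIG):
        print(finding)
```

A changed `password` line for an existing account is reported as well; after the recommended password reset that is expected, but when it shows up before the reset was performed it warrants the same scrutiny as a new account.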
Source: www.cert.at · Published June 22, 2026
Lumi AI News — AI-assisted curation according to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.