The Bottom Line: Attackers in the FortiBleed campaign deployed custom sniffers on FortiGate firewalls to extract login credentials from network traffic.
The FortiBleed campaign used purpose-built sniffers on compromised Fortinet FortiGate devices to capture authentication data directly from network traffic. Security firm SOCRadar has documented the methods behind this large-scale offensive.
The FortiBleed campaign targeted a broad base of Fortinet FortiGate firewalls. According to security firm SOCRadar, the attackers installed specially developed sniffer tools on the compromised devices; these tools were capable of capturing authentication information directly from the network traffic passing through the devices.
The custom sniffers operated on the FortiGate systems themselves and could thus access all data the device processed. This enabled attackers to harvest credentials from users communicating through the firewall without requiring additional network monitoring infrastructure.
For CISOs, this attack vector represents a critical risk: a compromised FortiGate device becomes a data collection point for all authentication signals passing through it. The compromise therefore affects not only the firewall itself but potentially all systems and users connected behind it.
Source: www.bleepingcomputer.com · Published June 22, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.