
FortiBleed: Attackers Weaponize Firewalls as Credential Harvesters

Key Point: Attackers deploy a Golang-based sniffer on 430,000 compromised FortiGate firewalls to harvest 110 million credentials, transforming critical security devices into reconnaissance instruments.

Attackers use a Golang-based sniffer to access 430,000 FortiGate firewalls and exfiltrate login credentials. In the ongoing global campaign, 110 million credentials have already been identified.

In the FortiBleed campaign, attackers have deployed custom software written in Go (Golang) to intercept access credentials directly on firewall devices. The sniffer component was calibrated to infiltrate 430,000 FortiGate appliances and analyze network traffic flowing through these systems.

The harvested credentials comprise 110 million entries — evidence of the breadth and depth of the penetration. This undermines the classical security model: the firewall, intended as a trusted barrier, is repurposed as a data source for attackers, allowing them to surveil all connections passing through it.

For CISOs, this means firewalls can no longer be regarded as secure control points as long as they remain unpatched. The mass compromise also points to advanced reverse engineering and specialized malware, a sign of organized, persistent threat actors. This development underscores the need for continuous patch management and network segmentation.


Source: www.darkreading.com · Published June 23, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.7.1.
