
FortiBleed: Large-Scale Credential-Harvesting Campaign Against FortiGate Firewalls

At a glance: Russian-speaking initial-access brokers have attacked at least 430,000 FortiGate firewalls with FortiBleed and harvested login credentials to gain access to corporate networks.

A credential-harvesting campaign called FortiBleed, operated by Russian-speaking actors, has targeted over 430,000 FortiGate firewalls worldwide since February 2026. The attackers use brute-force attacks and access-broker infrastructure to establish initial access.

Security researchers attribute FortiBleed to a financially motivated group of Russian-speaking initial-access brokers. The campaign has been running since February 2026 and combines multiple attack vectors: the actors first collect credential lists, identify exposed services, and conduct brute-force attacks against accessible systems. Specialized tools are then deployed to establish access.

The scope of targets is substantial: over 430,000 FortiGate firewall instances have been attacked, distributed across numerous countries and industries. FortiGate systems often serve as critical network perimeter protection, so losing control of one directly affects network segmentation.

For CISOs, FortiBleed represents an immediate risk to the network perimeter: initial-access brokers use stolen or guessed credentials strategically to create footholds that are subsequently sold to other threat actors or used directly for data exfiltration. The absence of multi-factor authentication on administrative interfaces significantly increases the success rate of such attacks.

Priority measures should include reviewing FortiGate administrative interfaces for unauthorized access, enforcing strong passwords, and enabling multi-factor authentication. NetFlow and log analysis can also reveal signs of lateral movement following successful compromise of the perimeter system.
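
One way to carry out the log review recommended above, as an added example (not from the original article or from Fortinet): the script flags source addresses with repeated failed administrator logins and any successful login that follows such a burst. The log lines are constructed, and the field names (`srcip`, `action`, `status`) and the threshold of three failures are assumptions to adapt to the device's actual log schema.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real device), modelled on a
# key=value event-log layout; the field names are assumptions.
SAMPLE_LOG = '''\
date=2026-06-01 time=02:14:01 type="event" user="admin" srcip=203.0.113.7 action="login" status="failed"
date=2026-06-01 time=02:14:03 type="event" user="root" srcip=203.0.113.7 action="login" status="failed"
date=2026-06-01 time=02:14:05 type="event" user="admin" srcip=203.0.113.7 action="login" status="failed"
date=2026-06-01 time=02:14:09 type="event" user="admin" srcip=203.0.113.7 action="login" status="success"
date=2026-06-01 time=08:30:11 type="event" user="jdoe" srcip=198.51.100.20 action="login" status="failed"
date=2026-06-01 time=08:30:25 type="event" user="jdoe" srcip=198.51.100.20 action="login" status="success"
date=2026-06-01 time=09:00:01 type="event" user="admin" srcip=192.0.2.55 action="login" status="failed"
date=2026-06-01 time=09:00:02 type="event" user="admin" srcip=192.0.2.55 action="login" status="failed"
date=2026-06-01 time=09:00:03 type="event" user="admin" srcip=192.0.2.55 action="login" status="failed"
'''

# Matches key=value pairs where the value is either quoted or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def review(log_text, threshold=3):
    """Return (noisy_sources, suspicious_logins).

    noisy_sources: sources with at least `threshold` failed admin logins.
    suspicious_logins: successful logins from a source that had already
    reached the threshold, i.e. a guess that may have worked.
    """
    failures = defaultdict(int)
    noisy, suspicious = set(), []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("action") != "login":
            continue  # ignore events that are not login attempts
        src = ev.get("srcip", "unknown")
        if ev.get("status") == "failed":
            failures[src] += 1
            if failures[src] >= threshold:
                noisy.add(src)
        elif ev.get("status") == "success" and failures[src] >= threshold:
            suspicious.append((src, ev.get("user"), f'{ev.get("date")} {ev.get("time")}'))
    return sorted(noisy), suspicious

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

A single mistyped password followed by a success (the `198.51.100.20` lines) stays below the threshold and is not flagged.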


Source: thehackernews.com · Published June 23, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
