Attackers have harvested credentials from more than 30,000 Fortinet devices in a campaign now being tracked under the name FortiBleed. The operation used brute-force and credential-stuffing techniques against FortiGate firewalls and Fortinet VPN endpoints, exposing 73,932 unique FortiGate firewall URLs and affecting 21,632 corporate domains, according to Recorded Future’s analysis published in June 2026.
Reuters confirmed on 17 June 2026 that Fortinet has acknowledged the campaign, stating it is targeting its firewalls and VPN products. The goal is not to destroy systems but to gain authenticated access to internal networks, which makes the threat harder to detect and considerably more persistent than a ransomware deployment.
How the Campaign Works
There are no disclosed CVEs attached to FortiBleed. The attackers are not exploiting a software vulnerability. They are trying combinations of known credentials, default passwords and previously leaked username-password pairs against internet-facing Fortinet devices until something works. That is credential stuffing in its most industrialized form.
Kudelski Security’s research notes that the campaign overlaps with active exploitation of existing Fortinet vulnerabilities, suggesting at least some attackers have combined credential access with flaws that Fortinet has already fixed but that remain unpatched on targeted devices to deepen their foothold. Bitsight’s analysis identified the exposed firewall URLs by scanning for publicly reachable management interfaces, which gives a reasonable picture of the attack surface even if the exact compromise count remains an estimate from the firms that discovered it.
Once inside, attackers have authenticated VPN access. That means they can move laterally across the target network behind legitimate credentials, bypassing most perimeter defences entirely.
On Attribution: Be Careful
The briefing material supplied to this article claims the scale and sophistication indicate involvement from both criminal and state-sponsored actors. That is not attribution. It is a guess dressed as analysis and it comes from sources with commercial incentives to characterize threats as maximally severe. No government agency, including CISA, NCSC or ENISA, has published attribution for FortiBleed at the time of writing. Treat the nation-state framing as unconfirmed until a Tier 1 source says otherwise.
What the numbers do confirm, without any attribution required, is that this is a high-volume, professionally organized operation. Credential-stuffing at the scale of 73,932 exposed firewall URLs does not happen without tooling, infrastructure and time.
The Quote Fortinet Should Not Have Issued
Fortinet’s statement that the campaign “touches nearly every sector of the global economy, sparing no industry” is the kind of language that belongs in a marketing deck, not a security advisory. It tells administrators nothing actionable and inflates the perception of severity beyond what the confirmed facts support. The confirmed facts are already serious enough. 30,000 compromised devices and 21,632 affected corporate domains is a significant incident by any measure. It does not need amplification.
Patch Status and Immediate Steps
Because FortiBleed relies on credential access rather than an unpatched vulnerability, patching alone will not close the exposure. The immediate priority is credential hygiene, not a software update.
Rotate all administrative credentials on FortiGate firewalls and Fortinet VPN endpoints now. Prioritise any account that has been in use for more than six months, any shared account and any account whose password matches credentials used on other systems. Assume that any internet-facing FortiGate management interface without MFA enabled has been targeted.
Enable multi-factor authentication on all Fortinet management and VPN access if it is not already in place. Check whether your management interface is reachable from the public internet. If it is, restrict access to known IP ranges via firewall rules or move management entirely off the internet-facing interface.
Review VPN authentication logs for the past 60 days. Look for successful logins from unfamiliar geographies, logins outside normal working hours or account activity that preceded a known-bad IP appearing in threat intelligence feeds. A successful credential-stuffing login will look identical to a legitimate one in the logs. The anomalies are in timing, geography and subsequent lateral movement, not in the authentication event itself.
CybelAngel and Recorded Future have both published indicators of compromise and exposed-URL lists tied to FortiBleed. If your organization has a threat intelligence subscription with either firm, pull those feeds and cross-reference against your own asset inventory before the end of the working day.
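A triage script of the kind the log review and feed cross-check above call for, written for this article as an added example (not Fortinet’s tooling or any vendor’s feed parser): it walks constructed FortiGate-style SSL-VPN events and flags successful logins that followed a burst of failures from the same source, fall outside working hours, come from an unexpected country, or come from an address on a threat-intel list. The log field names, the GeoIP map and the indicator list are assumptions standing in for real data.

```python
# Added example, not from the article: triage constructed FortiGate-style
# SSL-VPN login events for the anomalies a stuffing campaign leaves behind.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events; the field names mirror FortiOS VPN logs but are assumed.
SAMPLE_LOG = """\
date=2026-06-10 time=03:12:01 user="jsmith" remip="203.0.113.7" action="ssl-login-fail"
date=2026-06-10 time=03:12:03 user="jsmith" remip="203.0.113.7" action="ssl-login-fail"
date=2026-06-10 time=03:12:05 user="jsmith" remip="203.0.113.7" action="tunnel-up"
date=2026-06-10 time=09:40:22 user="mlee" remip="198.51.100.4" action="tunnel-up"
date=2026-06-10 time=22:05:10 user="rkhan" remip="192.0.2.9" action="tunnel-up"
"""
# Constructed stand-ins for a GeoIP lookup and a subscribed threat-intel feed.
GEO = {"203.0.113.7": "XX", "198.51.100.4": "GB", "192.0.2.9": "GB"}
EXPECTED_COUNTRIES = {"GB"}
KNOWN_BAD_IPS = {"192.0.2.9"}
WORK_HOURS = range(8, 19)  # 08:00 to 18:59 local time
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, quoted or bare

def parse(line):
    d = {k: v.strip('"') for k, v in KV.findall(line)}
    d["ts"] = datetime.strptime(d["date"] + " " + d["time"], "%Y-%m-%d %H:%M:%S")
    return d

def triage(log_text, fail_threshold=2):
    """Return {user: [reasons]} for successful logins worth a second look."""
    fails = defaultdict(int)  # (user, remip) -> failures since last success
    findings = defaultdict(list)
    for e in (parse(l) for l in log_text.splitlines() if l.strip()):
        key, ip = (e["user"], e["remip"]), e["remip"]
        if e["action"] == "ssl-login-fail":
            fails[key] += 1
        elif e["action"] == "tunnel-up":
            reasons = []
            if fails[key] >= fail_threshold:  # stuffing signature: failures, then success
                reasons.append(f"success after {fails[key]} failures from {ip}")
            if e["ts"].hour not in WORK_HOURS:
                reasons.append(f"login at {e['ts']:%H:%M}, outside working hours")
            country = GEO.get(ip, "unknown")
            if country not in EXPECTED_COUNTRIES:
                reasons.append(f"unexpected geography {country}")
            if ip in KNOWN_BAD_IPS:
                reasons.append(f"source {ip} listed in threat-intel feed")
            if reasons:
                findings[e["user"]].extend(reasons)
            fails[key] = 0  # a success resets the per-source failure counter
    return dict(findings)
```

Run against real FortiOS exports, the `remip`/`user`/`action` keys, the working-hours window and the expected-country set all need to be checked against your own environment.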
References
- Fortinet says credential-harvesting campaign is targeting its firewalls and VPN
- FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Firewalls
- FortiBleed Fortinet VPN Credentials and Firewall Exposed
- 6 Things to Know About the FortiBleed Credential Campaign
- Fortinet FortiBleed Global Compromise and Active Exploitation of Fortinet Vulnerabilities
- FortiBleed Exposes Global Credential-Spraying Operation