FortiBleed – Fortinet Warns of Active Credential Harvesting Campaign Targeting FortiGate Devices

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Fortinet has issued an urgent security advisory warning customers of an ongoing credential-harvesting campaign targeting FortiGate appliances, dubbed “FortiBleed” by threat researchers.

According to the company’s analysis shared by Carl Windsor, the activity does not stem from a new vulnerability but rather exploits previously disclosed security gaps combined with poor password hygiene and absent multi-factor authentication (MFA).

“FortiBleed” impacts up to 86,000 internet-facing FortiGate firewalls and VPN appliances across 194 countries, making it one of the most significant Fortinet security incidents to date.

FortiBleed is not a zero-day. Fortinet’s investigation indicates threat actors are recycling credentials from two previously documented incidents (tracked as FG-IR-26-060 and FG-IR-25-647) and pairing them with AI-accelerated brute-force techniques against internet-exposed FortiGate devices that lack strong credential controls.

Fortinet noted that this campaign is unrelated to any recent vulnerability disclosure, stressing that customers who completed remediation steps from the earlier advisories should not be affected.

The company confirmed it has proactively identified potentially compromised systems and is contacting impacted customers directly, while also coordinating with relevant government agencies.

The primary attack vector involves weak or reused administrative and VPN credentials on internet-facing FortiGate appliances, amplified by the absence of MFA.

Once threat actors gain access, observed post-exploitation behavior includes unauthorized configuration changes, creation of rogue accounts (flagged examples include usernames such as “forticloud,” “fortiuser,” “fortinet-support,” and “fortinet-tech-support”), and potential lateral movement into internal networks, particularly through Active Directory or LDAP-integrated environments.

CISA has issued an urgent advisory warning organizations to secure their Fortinet devices following reports of a large-scale credential exposure campaign.

Fortinet is urging all FortiGate customers to take the following actions without delay:

  • Terminate all admin and VPN sessions and immediately reset all Fortinet VPN and administrative credentials, particularly on internet-facing systems
  • Enforce MFA across all administrator and VPN user accounts
  • Upgrade FortiOS to versions 7.4, 7.6, or 8.0, which support PBKDF2 hashing for administrator credentials; remove legacy password settings using set login-lockout-upon-weaker-encryption
  • Audit configurations against a known-good baseline, paying close attention to unauthorized account additions or policy changes
  • Review logs for unexpected administrative access from unknown IPs and monitor domain controller logs for signs of lateral movement or suspicious account activity
  • Restrict management access by limiting it to trusted hosts, applying local-in policies, or removing internet-facing administration entirely
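As an added illustration of the audit steps above (example code, not Fortinet's or the article's), this Python script parses a FortiOS-style configuration export, compares the entries under `config system admin` against a known-good baseline, and flags the rogue usernames named in the analysis, administrator accounts without two-factor authentication, and accounts with no trusted-host restriction. The sample configuration is constructed; the CLI keys follow the standard FortiOS export format as an assumption.

```python
# Constructed sample of a FortiOS config export (not from the article); trimmed to the keys the audit reads.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "forticloud"
    next
    edit "fortinet-tech-support"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

BASELINE_ADMINS = {"admin"}  # known-good baseline: admin accounts the organisation created on purpose
FLAGGED_NAMES = {"forticloud", "fortiuser", "fortinet-support", "fortinet-tech-support"}  # names from the advisory


def parse_admins(config_text):
    """Return {username: {setting: value}} for every entry in the 'config system admin' block."""
    admins = {}
    in_block, current = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = {}
        elif in_block and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
    return admins


def audit_admins(config_text, baseline=BASELINE_ADMINS):
    """Return (username, finding) pairs for a defender to review; an empty list means nothing stood out."""
    findings = []
    for name, settings in parse_admins(config_text).items():
        if name not in baseline:
            tag = "flagged rogue name" if name in FLAGGED_NAMES else "not in baseline"
            findings.append((name, tag))
        if settings.get("two-factor", "disable") == "disable":  # absent key or explicit 'disable' both mean no MFA
            findings.append((name, "no MFA"))
        hosts = [v for k, v in settings.items() if k.startswith("trusthost")]
        if not hosts or any(h.startswith("0.0.0.0 ") for h in hosts):  # no trusthost, or a wildcard one
            findings.append((name, "no trusted-host restriction"))
    return findings
```

Run it against a real export and a baseline captured before the campaign; any finding on an internet-facing device is a reason to follow the reset and recovery steps listed above.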

Organizations that discover unauthorized configuration changes, unrecognized VPN users, or unexpected password resets should treat their devices as fully compromised.

Fortinet recommends following its published incident recovery guidance and, if AD/LDAP integration is in place, treating those accounts as compromised and monitoring the directory for anomalous authentication or new account creation.

For organizations suspecting internal network compromise, Fortinet’s FortiGuard Incident Response team is available for scoping engagements.

The campaign’s reliance on previously exposed credentials rather than novel exploits highlights the critical importance of completing vendor-issued remediation steps promptly and enforcing consistent MFA and strong password policies across all administrative interfaces.
