

Fortinet FortiGate firewalls and VPN appliances with management interfaces exposed to the internet, particularly those using default, reused, or previously leaked credentials. Affected sectors include government, telecommunications, healthcare, and critical infrastructure globally.
A large-scale threat campaign dubbed FortiBleed is targeting Fortinet FortiGate firewalls and VPN appliances. Unlike traditional vulnerability exploitation, this campaign is characterized by automated, large-scale credential abuse. Threat actors use previously leaked, reused, or default credentials to systematically scan for internet-exposed Fortinet management interfaces and attempt authentication at scale. Upon successful login, attackers gain legitimate administrative access and can operate undetected within trusted network boundaries.
Campaign reported 18 June 2026. Operation already confirmed to have impacted tens of thousands of devices across hundreds of countries. Victim organizations include major global enterprises. Hudson Rock launched a free lookup portal for organizations to check whether their domains appear in the compromised dataset.
Any internet-exposed Fortinet management interface using credentials that appear in leaked credential databases, are set to defaults, or have been reused across services. The campaign uses automated scanning infrastructure supported by centralized databases of tens of thousands of verified working credentials.
This is not a software vulnerability exploitation campaign. The root cause is credential hygiene failure: use of default credentials, credential reuse across services, and the presence of Fortinet management interfaces exposed directly to the public internet. Once attackers authenticate with valid credentials, they operate with full administrative legitimacy, making detection through traditional signature-based controls difficult.
Post-authentication capabilities observed include monitoring and intercepting network traffic through the firewall, capturing additional credentials including VPN and user authentication data, extracting sensitive configuration data such as firewall rules, network topology, and VPN settings, and establishing persistent access for long-term operations.
Automated tooling scans for internet-exposed Fortinet management interfaces, then attempts authentication using credential databases sourced from prior breaches and leaked data. On successful login, attackers conduct reconnaissance and credential harvesting silently. Deeper compromises observed in Japan, Taiwan, Vietnam, Iraq, and Turkey, including a NATO defense contractor where classified documents were allegedly stolen. Reported victim organizations include Samsung, Oracle, Foxconn, Comcast, Siemens, Lenovo, Spotify, and Sony.
Attackers with administrative access to FortiGate devices can monitor all network traffic passing through the firewall, harvest VPN and user authentication credentials, extract full network topology and firewall rule sets, and pivot into internal environments. Persistent access can be maintained through backdoor account creation and security control tampering. In the most severe confirmed cases, classified documents were exfiltrated.
Risk is rated Critical across all organisation sizes in both government and commercial sectors. The scale of the campaign, tens of thousands of confirmed compromises across hundreds of countries, and the presence of Fortune 500 victims demonstrates the breadth of exposure. The campaign requires no software vulnerability, only weak credential hygiene, making it accessible to a wide range of threat actors.
Immediately ensure the FortiOS Management Interface is not exposed to the public internet unless absolutely necessary. Upgrade to the latest FortiOS release and force all administrators to log back in to trigger password re-hashing to the more secure PBKDF2 standard. Enable Multi-Factor Authentication universally on all external gateways and admin interfaces to neutralize stolen plaintext credentials. Proactively monitor employee and third-party vendor credentials against threat intelligence databases to identify compromised passwords before they are used against your perimeter.
If any suspicious successful logins to admin accounts are observed, treat the device as compromised. Attackers may have altered security controls or created backdoor accounts. In severe cases, replacing the device entirely may be required.
Check your organisation's domains against the Hudson Rock FortiBleed lookup portal at hudsonrock.com/fortinet. Review all administrative accounts for unauthorized additions or modifications. Audit firewall rules and VPN configurations for unexpected changes. Isolate affected devices if compromise is suspected and conduct a full forensic review before returning them to service. Reset all credentials associated with the affected device and connected systems.
HackRead - FortiBleed Attack Targets Fortinet Firewalls Using Credentials. Hudson Rock Blog - FortiBleed: 75,000 Fortinet Firewalls Compromised. Hudson Rock Fortinet Lookup Portal: hudsonrock.com/fortinet.
Trusted by clients worldwide






Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.




