
CISA Warns of Widespread FortiBleed Attacks on 86,644 Devices


86,644 FortiGate devices have been identified as compromised as of June 19, 2026.

CISA’s public warning and immediate steps

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take defensive steps after a sweeping campaign, codenamed FortiBleed, targeted thousands of internet‑accessible devices. CISA’s guidance calls for decisive, operational changes: terminate active SSL VPN and administrative sessions; reset Fortinet VPN and administrative passwords (especially on internet‑facing systems) and enforce strong password policies; ensure administrator credentials are stored using PBKDF2 rather than legacy hashes; review firewall, VPN, authentication, and domain controller logs for suspicious activity; enable phishing‑resistant multi‑factor authentication (MFA) on external gateways and administrative interfaces; and reduce the attack surface by locking down management interfaces.

How FortiBleed operates: a self‑sustaining, two‑step automated campaign

Researchers describe FortiBleed as a fully automated, two‑step mass campaign. First, the actor mass‑scans the internet for Fortinet remote login endpoints and attempts a curated list of leaked Fortinet passwords against those devices. Second, when access is obtained, the actor passively monitors network traffic through compromised appliances to harvest additional credentials and then uses those to expand the pool of compromised devices. The attackers verify each credential before adding it to a database of working logins, turning initial hits into a continuously growing, validated resource for further compromise.
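The first step of the campaign described above, mass password attempts against SSL VPN login endpoints, leaves a recognizable trail: one source failing against many distinct usernames in a short window, sometimes followed by a success. The following is an added defender-side example, not code from the article or from Fortinet, that runs that check over constructed FortiGate-style key=value log lines; the field names (`date`, `time`, `action`, `user`, `remip`) and action values are assumptions modelled on FortiOS event logs, and all values are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in FortiGate-style key=value syslog form.
# Field names and action values are assumptions; IPs are documentation ranges.
SAMPLE_LOGS = """\
date=2026-06-18 time=02:14:05 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.7
date=2026-06-18 time=02:14:06 type="event" subtype="vpn" action="ssl-login-fail" user="fortinet" remip=203.0.113.7
date=2026-06-18 time=02:14:07 type="event" subtype="vpn" action="ssl-login-fail" user="vpnuser" remip=203.0.113.7
date=2026-06-18 time=02:14:08 type="event" subtype="vpn" action="ssl-login-fail" user="guest" remip=203.0.113.7
date=2026-06-18 time=02:14:09 type="event" subtype="vpn" action="ssl-login-fail" user="backup" remip=203.0.113.7
date=2026-06-18 time=02:14:11 type="event" subtype="vpn" action="ssl-login" user="admin" remip=203.0.113.7
date=2026-06-18 time=09:30:00 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=198.51.100.20
date=2026-06-18 time=09:30:40 type="event" subtype="vpn" action="ssl-login" user="jdoe" remip=198.51.100.20
"""

# key=value pairs, where the value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value syslog line into a dict and add a datetime under 'ts'."""
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields

def events(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {remip: sorted usernames} for sources whose failed logins hit at
    least `min_users` distinct accounts inside any span of length `window`."""
    fails = defaultdict(list)
    for ev in events(log_text):
        if ev.get("action") == "ssl-login-fail":
            fails[ev["remip"]].append((ev["ts"], ev["user"]))
    hits = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def successes_after_spray(log_text, sprayers):
    """(remip, user) pairs that logged in successfully from a spraying source:
    these are the sessions to terminate and the credentials to reset first."""
    return sorted({(ev["remip"], ev["user"]) for ev in events(log_text)
                   if ev.get("action") == "ssl-login" and ev["remip"] in sprayers})
```

On the constructed sample, `203.0.113.7` is flagged for trying five accounts in four seconds and then succeeding as `admin`, while the single failed-then-successful login from `198.51.100.20` is left alone.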

Credential sources, hashing weaknesses, and the role of reuse

Data from SOCRadar shows a stark credential picture: generic admin accounts account for 35% of compromised credentials, built‑in Fortinet system accounts for 28.3%, and organization‑specific accounts for the remaining 36.7%. SOCRadar said, "This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed." The firm added that the presence of organization‑specific accounts "means the attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed."

Arctic Wolf highlighted a product‑level factor that likely amplified the campaign: Fortinet introduced PBKDF2‑based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing a legacy SHA‑256‑based storage mechanism. But when organizations upgrade from earlier versions, existing administrator passwords remain stored as SHA‑256 hashes until the corresponding administrator successfully logs in after the upgrade, so many upgraded organizations may still hold administrator credentials protected only by the older salted SHA‑256 scheme.

Sectors, geography, and the exposed infrastructure

SOCRadar and other researchers report that telecom, government, and education are the three most impacted sectors. The most exposures were located in India, the U.S., Mexico, Colombia, and Thailand. The incident’s reach is international: security researcher Volodymyr "Bob" Diachenko discovered a server staging the attacker’s tools and hosting a database of working login credentials for thousands of firewalls and VPN gateways across 194 countries.

What this means for technologists, procurement leaders, and the public

  • Technologists and security teams: Expect to prioritize immediate password rotation, session termination, log review, and enforcement of PBKDF2 storage and phishing‑resistant MFA on exposed administrative interfaces, following CISA’s explicit checklist.
  • Procurement and IT leaders: The campaign underscores the operational risk of default or factory credentials and the need to verify configuration hygiene during upgrades—Fortinet’s own upgrade behavior leaves legacy hashes in place until an admin logs in, per Arctic Wolf’s account.
  • The public and nontechnical stakeholders: The incident illustrates how credential reuse and poor password hygiene can be weaponized; perimeter appliances remain a lucrative avenue for initial enterprise access, and organizations should take the CISA mitigations seriously to limit spillover risk.

Fortinet characterized the exposed data differently in a statement shared with The Hacker News, saying "the data involved is likely a resharing of data from previous incidents, as well as brute‑forcing of credentials, and not related to any current incident or advisory," and urged organizations to rotate credentials regularly and enable MFA. Other observers stressed the scale: "The scale of this breach touches nearly every sector of the global economy, sparing no industry," Hudson Rock said, warning that the attackers "have built a verified database of working credentials for some of the largest enterprises on the planet."

The immediate facts are stark: a validated database of credentials, automated credential spraying and harvesting, legacy hashing remaining in many upgraded systems, and tens of thousands of exposed FortiGate devices spanning the globe. CISA’s checklist gives organizations a concrete playbook to contain active sessions, reset credentials, harden storage and access, and hunt for signs of further intrusion. The unanswered operational task is whether organizations that upgraded FortiOS without forcing credential rehashing have acted quickly enough to prevent their SHA‑256‑hashed admin accounts from becoming entry points in the next wave of compromise.
