The FortiBleed attack is the biggest Fortinet security breach on record. A Russian speaking threat group stole working admin and VPN passwords from 86,644 FortiGate firewalls across 194 countries. CISA confirmed active attacks on June 18, 2026. The UK NCSC issued a global warning the same day. So, if your team runs a Fortinet FortiGate firewall or SSL VPN gateway, treat your network as already breached until you rotate every password and verify your device is clean.
This FortiBleed attack is not a zero day. Notably, it does not use a new software flaw. Instead, threat actors reused passwords from two prior Fortinet incidents. They cracked weak legacy password hashes offline using a 45 GPU cluster. They also brute forced devices that lacked strong passwords and MFA. The result is a live database of working passwords being traded and used for access right now.
Named victims include Samsung, Siemens, Oracle, DHL, Accenture, Infosys, and Foxconn. Also confirmed is the theft of classified defence documents from a Turkish NATO contractor. This FortiBleed attack therefore hits every sector, every country, and every size of business with an internet facing Fortinet device.
Why the FortiBleed Attack Demands Immediate Action
This level of urgency mirrors what we covered in our Splunk Enterprise vulnerability breakdown, where CISA also mandated emergency password resets under a three day deadline.

What Is the FortiBleed Attack
The FortiBleed attack is a large scale automated campaign. Threat actors scanned the internet for FortiGate firewalls. They pulled config files from those devices. They then cracked the password hashes stored inside those files offline. Finally, they tested each cracked password against the live device to confirm it still worked.
The name FortiBleed reflects the bleeding of working admin and VPN passwords from devices that businesses believed were secure. Researcher Volodymyr Diachenko exposed the FortiBleed attack on June 13, 2026. He found the threat actor's server sitting open on the public internet.
Why the FortiBleed Attack Worked at Such Scale
The FortiBleed attack worked because of one key weak point. FortiOS stores admin passwords as SHA-256 hashes in config files. Plain SHA-256 is a fast general-purpose hash, not a slow password hash, so it is a weak choice for password storage by modern standards. A 45 GPU cracking cluster can crack SHA-256 hashes at huge speed offline, and because that work happens on the attacker's own hardware, no alerts fire on the victim's network during this stage.
Fortinet moved to stronger PBKDF2 password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1. However, when admins upgrade from older firmware, existing passwords stay as SHA-256 hashes. A password only migrates to PBKDF2 the next time that admin logs in after the upgrade. As a result, many devices were upgraded but never triggered the hash migration, and their passwords stayed crackable for months after the firmware update.
FortiBleed Attack Scale by the Numbers
- 86,644 FortiGate devices confirmed hacked
- 194 countries affected across every major region
- More than 21,600 unique domains in the dataset
- About 50 percent of all internet facing Fortinet devices hit
- 45 GPU cracking cluster used for offline SHA-256 cracking
- Top countries hit: India, the United States, and Mexico
- Samsung, Siemens, Oracle, DHL, Accenture among named victims
- Turkish NATO contractor lost classified defence files
- Campaign started as early as May 19, 2026 per SpyCloud research
- Dataset sorted by country, sector, and company revenue
When and How the FortiBleed Attack Was Found
The FortiBleed attack was found fast. Multiple research firms confirmed it within days. Here is the full timeline.
FortiBleed Attack Full Timeline
- May 19 2026: Campaign starts per SpyCloud research
- June 13: Researcher Diachenko finds the open attack server and attributes the operation to a Russian speaking group
- Same day: Kevin Beaumont confirms cracked passwords are real via controlled tests with affected firms
- June 16: SOCRadar and Hudson Rock publish their full analysis
- June 17: BleepingComputer reports 73,932 passwords exposed
- June 18: CISA issues emergency advisory on active attacks
- June 18: UK NCSC issues a global warning about FortiBleed
- June 19: Fortinet PSIRT confirms the FortiBleed attack uses recycled passwords from FG-IR-26-060 and FG-IR-25-647
- By June 22 2026: Confirmed device count reaches 86,644 firewalls
Also notable, multiple firms confirmed the data independently. Recorded Future, Arctic Wolf, Hudson Rock, Bitsight, and Field Effect all checked the passwords and found them to be real. This makes FortiBleed one of the most widely corroborated credential theft events on record.
How the FortiBleed Attack Works Step by Step
Defenders need to know each step of this attack. So, let me walk through the full chain from scan to breach.
Step 1: The FortiBleed Attack Starts With Mass Scanning
First, attackers scan the internet for FortiGate firewalls. They look for any device with a public facing admin portal or SSL VPN login page. Shodan makes this fast and cheap. Every device that responds goes on their target list.
Step 2: Config File Extraction Gives the FortiBleed Attack Its Data
Next, attackers pull config backup files from exposed devices. These files hold hashed admin and VPN passwords. Attackers use known leaked Fortinet passwords and brute force to get their first login. Also, once they access a device, they set up packet sniffing. This captures NTLM and Kerberos hashes from SSL VPN traffic passing through. So every Active Directory account on the internal network is then at risk, not just the firewall admin accounts.
Step 3: Offline GPU Cracking Makes the FortiBleed Attack Silent
After pulling the files, attackers crack the SHA-256 hashes offline using a 45 GPU Hashtopolis managed cracking cluster. This happens on their own machines. Your network sees zero failed login attempts. No alerts fire. The cracking is silent and leaves no trace on your systems. Furthermore, the cluster runs on Telegram bot automation. This means the campaign scales easily and processes millions of hashes with very little manual work.
Step 4: The FortiBleed Attack Verifies Every Password
Once cracked, each password is tested against the live device. Only confirmed working passwords go into the final dataset. The dataset is then sorted by country, sector, and company revenue. It is sold on dark web markets and used directly by the threat group for access.
Step 5: How the FortiBleed Attack Moves Inside Your Network
After gaining access, attackers use the hacked device as a monitoring post. They read all SSL VPN traffic passing through it. They also use AD and LDAP scanning scripts to map the internal network. Finally, password spraying tools target Windows accounts from inside the network. So, the FortiBleed attack turns your firewall into a door into your entire organisation.
Why the FortiBleed Attack Has No Single CVE Number
FortiBleed is a campaign, not one flaw. It combines recycled passwords from FG-IR-26-060 and FG-IR-25-647, weak SHA-256 hashing, no MFA, and poor password habits. Because no new software flaw drives the attack, there is no single patch that closes it. Defenders cannot simply apply one update and move on. Therefore, a full response requires credential resets, MFA setup, firmware upgrades, and config reviews all together.

Why the FortiBleed Attack Puts Every Business at Risk
This breach does not just hit large enterprises. It reaches every business with an internet facing Fortinet device.
How the FortiBleed Attack Hits Large Enterprises
- Named victims include Samsung, Siemens, Oracle, DHL, and Accenture
- A Turkish NATO contractor lost classified defence files
- Government networks in 194 countries appear in the dataset
- Enterprises using FortiGate for edge security now face the risk that their firewall admin accounts are in attacker hands
- Active Directory networks linked to FortiGate SSL VPN face the widest lateral movement risk
How the FortiBleed Attack Hits Small and Mid-Size Businesses
- Smaller businesses often run FortiGate as their only edge device
- They have no layered security to spot lateral movement after a breach
- Limited IT staff means password resets may take days to complete
- Many SMBs lack SIEM coverage to find the silent packet sniffing used after attackers gain firewall access
Cloud and Hybrid Network Risk From the FortiBleed Attack
- VPN passwords in the dataset can open cloud workloads protected by the hacked Fortinet gateway
- Cloud services accessible through FortiGate SSL VPN are exposed even if those services were not directly targeted
- Hybrid networks where FortiGate links on-site and cloud systems face the widest blast zone of any environment type
Financial and Legal Exposure
- Any confirmed password theft triggers breach alert duties under GDPR, HIPAA, and state data protection laws
- Reviewing a hacked edge firewall is very costly because every internal system it touched must be checked
- Lost classified files in a contractor setting carry direct legal and national security consequences
For more context on how threat actors use stolen passwords to move through networks, see our GammaWorm malware detection guide.
Five Real-World FortiBleed Attack Scenarios
Scenario 1: Admin Password Sold on Dark Web Leads to Ransomware
A threat actor finds an admin password from a large company's FortiGate in the FortiBleed dataset. They sell that access on a dark web forum. A ransomware group buys it for a few thousand dollars. They use it to reach internal systems and deploy ransomware. The entire attack starts from one cracked SHA-256 hash. The victim has no idea their firewall password was in the FortiBleed attack dataset.
Scenario 2: State Actor Uses FortiBleed to Enter a Government Network
A state linked group uses FortiBleed attack data to log in to a government agency's SSL VPN. They gain access to the internal network. Over weeks, they scan Active Directory, move to file servers, and steal sensitive files. The initial login leaves no trace because it uses a real, working password. Standard perimeter tools see only a normal VPN session.
Scenario 3: MSP Breach Spreads to Every Client
A managed service provider runs FortiGate for dozens of client networks. Their admin passwords appear in the FortiBleed dataset. An attacker logs in, reaches the MSP management network, and pivots to every client network managed through that device. One cracked hash becomes dozens of client breaches at once.
Scenario 4: Patch Applied But Passwords Not Reset After Upgrade
A business upgrades to FortiOS 7.4.8 after hearing about FortiBleed. However, they do not reset admin passwords after the upgrade. Existing passwords remain as SHA-256 hashes until each admin logs in after the update. Their old hashes are already in the attacker dataset. The upgrade closes future risk but does not remove the already cracked passwords from the dataset or from circulation.
Scenario 5: VPN Password Opens Cloud Systems
An attacker finds VPN user passwords in the FortiBleed attack dataset for a cloud connected business. Those passwords give SSL VPN access to the corporate network. From there, the attacker reaches cloud management tools, steals API keys and cloud tokens, and moves through cloud systems. The firewall was meant to protect the cloud. Instead, the FortiBleed attack turned it into the entry point.
How to Find Signs of a FortiBleed Attack on Your Network
Detection is harder than normal because the initial password theft leaves no logs on your systems. However, defenders can still hunt for signs of a breach.
Check If Your Devices Are in the FortiBleed Attack Dataset
First, go to SOCRadar's free FortiBleed checker. Also, Recorded Future is alerting affected customers directly. Check both sources today. If your domain appears, treat every FortiGate admin and VPN account as fully hacked right now.
Log Review for Signs of a FortiBleed Attack
- Review all admin session logs for logins from unknown IP addresses or odd locations since May 19, 2026
- Hunt for new admin accounts with names like forticloud, fortiuser, fortinet support, or fortinet tech support
- Flag unexpected changes to firewall rules or VPN settings
- Audit any new SSL VPN user accounts not added by your team
- Check logs for admin sessions at hours your team does not work
SIEM and EDR Rules to Build for FortiBleed Attack Detection
Build these rules in your SIEM right now:
- Alert on any FortiGate admin login from an IP not on your approved admin list
- Correlate FortiGate logins with AD scanning activity inside the network shortly after
- Flag password spraying from internal hosts not normally used for login requests
- Alert on new local admin accounts on any FortiGate device
- Detect Telegram bot traffic from any internal host
Threat Hunting Steps for the FortiBleed Attack
Run these hunts across your environment immediately:
- Search for spray_results.txt or ad_enum.py on any internal system that should not have them
- Review SSL VPN session logs for data spikes since May 19, 2026
- Check FortiGate config backups for SHA-256 hashes in the old password setting
- Hunt for LDAP or AD scanning tools on hosts your team did not add
- Inspect /root/.ssh/authorized_keys on any FortiGate for unknown entries
For a deeper look at how to build a threat hunting practice around these types of attacks, see our RoguePlanet exploit breakdown.
How to Respond to a FortiBleed Attack on Your Network
Act today. Every hour of delay extends your risk. Follow these five steps in order.
Step 1: End All Sessions and Reset Every Password Now
Do this before anything else in response to a FortiBleed attack:
- End all active admin sessions on every FortiGate device right now
- Close all active SSL VPN sessions immediately
- Reset every admin password on every FortiGate device today
- Change every SSL VPN user password today
- Set strong unique passwords of at least 16 characters
- Prioritise internet facing and externally managed devices first
Step 2: Turn On MFA for Every Account
- Enable MFA for every FortiGate admin account without exception
- Set up MFA for every SSL VPN user account
- Use FIDO2 or hardware tokens where possible
- Block any legacy login methods that let users skip MFA
- Confirm MFA works on every account before moving to the next step
Step 3: Upgrade FortiOS and Run the PBKDF2 Migration
- Upgrade to FortiOS 7.2.11, 7.4.8, 7.6.1, or 8.0 or later
- After upgrading, ask every admin to log in once. This starts the move from SHA-256 to PBKDF2 password hashing automatically
- If that is not practical, reset remaining admin passwords manually using a super admin account
- Run the set login lockout upon weaker encryption command to remove legacy SHA-256 hashes from the old password setting
- Confirm no SHA-256 hashes remain in any config backup file
Step 4: Remove Internet Exposure From Management Interfaces
- Take FortiGate management portals off the public internet right now
- Limit admin access to a dedicated management VLAN or jump host
- Apply a strict approved IP list to admin access
- Block public access to SSL VPN login pages where your business allows it
- Confirm your attack surface is smaller before treating the device as clean
Step 5: Review and Clean Your FortiGate Config
- Check every firewall user for accounts your team did not create
- Audit every VPN user account and remove unknown entries
- Review all firewall rules and routing for changes outside your change records
- Confirm no rogue admin accounts exist on any device
- Take a clean config backup only after completing all steps above
For Fortinet's official response to the FortiBleed attack, review the Fortinet PSIRT advisory.

What the FortiBleed Attack Tells Us About the Threat Landscape
FortiBleed is not just a Fortinet problem. It points to wider trends every security leader must act on right now.
Legacy Password Hashing Is a Hidden Risk Across the Industry
Plain SHA-256 is too fast a hash to be safe for storing admin passwords in 2026. FortiBleed shows what happens when legacy hashing survives after a vendor moves to stronger methods. So, your team should audit how every edge device you manage stores its passwords, not just FortiGate. Weak hashing on any perimeter device creates the same risk.
The FortiBleed Attack Shows Initial Access Brokers Are Growing
The FortiBleed attack dataset is being sold on dark web markets right now. Brokers sell working FortiGate admin access to ransomware groups, state actors, and criminals. Specifically, this means the risk does not end when you reset your passwords. If your old passwords were already sold, a buyer may use them before you finish your reset.
Silent Credential Theft Defeats Perimeter Only Security
The offline SHA-256 cracking in the FortiBleed attack produces no logs on your network. There are no failed logins to alert on. There is no odd traffic to flag. In fact, defenders using only perimeter tools have no way to catch this step. Behavioural detection inside your network is therefore the only way to find the FortiBleed attack in action.
MFA Stops the FortiBleed Attack Dead
Every Fortinet advisory, CISA warning, and researcher recommendation for the FortiBleed attack leads with the same step: enable MFA now. However, most of the 86,644 hacked devices lacked MFA on admin and VPN accounts. That means a control that takes minutes to enable would have blocked this entire campaign for most victims. MFA is not optional on internet facing network devices in 2026.
Key Takeaway on the FortiBleed Attack
The FortiBleed attack is the largest password exposure event in Fortinet's history. A Russian speaking threat group built a fully automated pipeline to scan, extract, crack, and verify FortiGate admin passwords at global scale. The result is a live database of 86,644 working passwords being used and sold right now.
This is not a theory. CISA, NCSC, Fortinet, SOCRadar, Recorded Future, Arctic Wolf, and Hudson Rock have all confirmed the passwords are real and the FortiBleed attack is ongoing.
What to Do Right Now for the FortiBleed Attack
- End all active FortiGate admin and SSL VPN sessions right now
- Reset every admin and VPN password on every FortiGate today
- Enable MFA on every admin and VPN account without exception
- Upgrade to FortiOS 7.4.8, 7.6.1, or 8.0 and run the PBKDF2 migration after upgrading
- Run the set login lockout upon weaker encryption command to remove all legacy SHA-256 hashes
- Remove internet exposure from all FortiGate management interfaces
- Check if your domain is in the SOCRadar FortiBleed checker tool
- Review all user accounts on every device for rogue additions
- Check all config changes since May 19, 2026 for unknown edits
- Contact Fortinet FortiGuard Incident Response if you suspect your internal network has been breached
The FortiBleed attack is a clear reminder. Your firewall is not just a tool. It is a target. Treat it like your most sensitive server. Harden it, monitor it, and reset its passwords on a regular schedule. The attacker who owns your firewall owns everything behind it.
Frequently Asked Questions About the FortiBleed Attack
Basic Questions About the FortiBleed Attack
What is the FortiBleed attack?
The FortiBleed attack is a large scale automated campaign that exposed working admin and VPN passwords for 86,644 Fortinet FortiGate firewalls across 194 countries. A Russian speaking threat group pulled config files from internet facing FortiGate devices, cracked the legacy SHA-256 password hashes offline using a 45 GPU cluster, and verified each cracked password against the live device. The result is a live database of working firewall admin passwords being sold and used for network access right now.
Is the FortiBleed attack still active?
Yes. The FortiBleed attack was confirmed active as of June 22, 2026. CISA added it to its active advisory catalog on June 18, 2026. The UK NCSC issued a global warning the same day. SOCRadar and Fortinet both confirmed the campaign is ongoing. Any internet facing FortiGate device with passwords not yet reset after the FortiBleed attack went public is still at risk.
Does the FortiBleed attack use a new vulnerability?
No. The FortiBleed attack does not use a new zero day flaw. It combines recycled passwords from two prior Fortinet incidents tracked as FG-IR-26-060 and FG-IR-25-647, legacy SHA-256 password hashing, absent MFA, and weak password habits. Because no new CVE drives the attack, patching alone does not close the exposure. A full response requires password resets, MFA setup, firmware upgrades, and a config review all done together.
Technical Questions About the FortiBleed Attack
How does the FortiBleed attack crack passwords?
The FortiBleed attack cracks passwords using offline GPU based hash cracking. Attackers pull FortiGate config files that hold admin passwords stored as SHA-256 hashes. SHA-256 is a fast, weak hash method. A 45 GPU Hashtopolis managed cluster can crack thousands of SHA-256 hashes per second. This happens on the attacker's own machines. No alerts fire on your network. No logs are created on your systems.
Why are so many devices at risk from the FortiBleed attack?
So many devices are at risk because of a specific firmware upgrade gap. Fortinet moved to stronger PBKDF2 hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1. However, existing passwords stay as SHA-256 hashes after an upgrade until the admin logs in again. Many businesses upgraded their firmware but never triggered the hash migration step. Their old SHA-256 hashes stayed in the config files and became easy targets for the FortiBleed attack.
Response Questions About the FortiBleed Attack
How should businesses respond to the FortiBleed attack?
Businesses must act in five steps. First, end all active admin and SSL VPN sessions on every FortiGate device. Second, reset every admin and VPN password using strong unique credentials of at least 16 characters. Third, enable MFA on every admin and VPN account without exception. Fourth, upgrade FortiOS and complete the PBKDF2 hash migration. Fifth, remove internet exposure from FortiGate management interfaces and check all accounts and configs for signs of breach since May 19, 2026.

