The FortiBleed campaign, identified in June 2026, targeted internet-facing Fortinet firewalls and VPNs, compromising over 86,000 devices worldwide. The attackers amassed a large database of valid credentials by intercepting SSL VPN authentications and cracking hashes with a 45-GPU cluster managed via Hashtopolis. This allowed them to conduct extensive brute-force attempts against FortiGate devices and MSSQL servers, impacting thousands of organizations including government and critical infrastructure sectors. The campaign is attributed to a Russian-speaking threat actor. CISA has issued mitigation guidance including terminating active sessions, resetting credentials, enforcing PBKDF2 for admin login storage, enabling phishing-resistant MFA, and restricting management access.

The campaign resulted in the compromise of approximately 50% of all internet-facing Fortinet firewall devices, with over 86,000 confirmed valid credentials exposed. This exposure enables attackers to gain unauthorized access to affected devices and potentially pivot into internal networks, including Active Directory environments. At least four organizations have been fully compromised. The broad impact includes major government entities and critical infrastructure providers, increasing the risk of significant operational disruption and data breaches.

CISA recommends Fortinet customers take immediate hardening actions: terminate all active sessions on affected devices, reset all credentials, ensure admin login credentials are stored using the PBKDF2 algorithm, review logs for suspicious activity, enable phishing-resistant multi-factor authentication (MFA), and restrict management access to reduce the attack surface. These steps are critical to mitigate the risk posed by the FortiBleed credential theft campaign. Patch status is not confirmed; check Fortinet advisories for updates.