FortiBleed campaign used custom FortiGate sniffer to steal credentials
The FortiBleed campaign is a large-scale operation targeting Fortinet FortiGate firewalls using a custom sniffer tool to harvest authentication credentials. The attackers gain administrative access through credential stuffing and brute-force attacks, then deploy a Golang-based sniffer leveraging FortiOS's built-in diagnose sniffer packet command to capture authentication traffic. This tool monitors multiple protocols to extract credentials, password hashes, and authentication secrets, which are then cracked using GPU-accelerated tools. The campaign has been active since at least February 2026 and has targeted over 430,000 FortiGate devices worldwide. Fortinet states this is not a new vulnerability but a collection of previously compromised credentials. Organizations using FortiGate devices should investigate potential compromises and review targeted IP addresses.
AI Analysis
Technical Summary
The FortiBleed campaign involves threat actors deploying a custom tool named "FortigateSniffer" on compromised FortiGate firewalls after gaining administrative access via credential stuffing and brute-force attacks. This tool abuses the legitimate FortiOS diagnose sniffer packet command to capture network traffic containing authentication data across 24 protocols, including RADIUS, NTLM, Kerberos, LDAP, SMTP, and database protocols. Captured data is processed and parsed to extract cleartext credentials and password hashes, which are then cracked using GPU-accelerated Hashcat clusters rented from a third party. The campaign has been active since at least February 2026, targeting over 430,000 devices globally. Fortinet has clarified that this campaign exploits compromised credentials rather than a new vulnerability in FortiGate devices.
Potential Impact
The campaign results in the theft of authentication credentials, including cleartext passwords, password hashes, Kerberos tickets, and other authentication artifacts from FortiGate firewalls. This enables attackers to gain unauthorized access to corporate networks and potentially escalate privileges. The widespread targeting of over 430,000 devices increases the risk of large-scale credential compromise and subsequent network intrusions. The use of GPU-accelerated cracking significantly reduces the time needed to recover plaintext passwords from hashes, increasing the threat's effectiveness.
Mitigation Recommendations
Fortinet has indicated this is not a new vulnerability but a campaign exploiting previously compromised credentials. Organizations should review the list of IP addresses targeted by the campaign and investigate whether their FortiGate devices have been compromised. Immediate actions include changing all credentials associated with FortiGate devices, enforcing strong password policies, and implementing multi-factor authentication where possible. Monitoring for unauthorized administrative access attempts and disabling or restricting the use of the diagnose sniffer packet command to trusted administrators can reduce risk. Patch status is not applicable as this is not a newly discovered vulnerability; however, organizations should follow Fortinet advisories for any updates.
FortiBleed campaign used custom FortiGate sniffer to steal credentials
Description
The FortiBleed campaign is a large-scale operation targeting Fortinet FortiGate firewalls using a custom sniffer tool to harvest authentication credentials. The attackers gain administrative access through credential stuffing and brute-force attacks, then deploy a Golang-based sniffer leveraging FortiOS's built-in diagnose sniffer packet command to capture authentication traffic. This tool monitors multiple protocols to extract credentials, password hashes, and authentication secrets, which are then cracked using GPU-accelerated tools. The campaign has been active since at least February 2026 and has targeted over 430,000 FortiGate devices worldwide. Fortinet states this is not a new vulnerability but a collection of previously compromised credentials. Organizations using FortiGate devices should investigate potential compromises and review targeted IP addresses.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The FortiBleed campaign involves threat actors deploying a custom tool named "FortigateSniffer" on compromised FortiGate firewalls after gaining administrative access via credential stuffing and brute-force attacks. This tool abuses the legitimate FortiOS diagnose sniffer packet command to capture network traffic containing authentication data across 24 protocols, including RADIUS, NTLM, Kerberos, LDAP, SMTP, and database protocols. Captured data is processed and parsed to extract cleartext credentials and password hashes, which are then cracked using GPU-accelerated Hashcat clusters rented from a third party. The campaign has been active since at least February 2026, targeting over 430,000 devices globally. Fortinet has clarified that this campaign exploits compromised credentials rather than a new vulnerability in FortiGate devices.
Potential Impact
The campaign results in the theft of authentication credentials, including cleartext passwords, password hashes, Kerberos tickets, and other authentication artifacts from FortiGate firewalls. This enables attackers to gain unauthorized access to corporate networks and potentially escalate privileges. The widespread targeting of over 430,000 devices increases the risk of large-scale credential compromise and subsequent network intrusions. The use of GPU-accelerated cracking significantly reduces the time needed to recover plaintext passwords from hashes, increasing the threat's effectiveness.
Mitigation Recommendations
Fortinet has indicated this is not a new vulnerability but a campaign exploiting previously compromised credentials. Organizations should review the list of IP addresses targeted by the campaign and investigate whether their FortiGate devices have been compromised. Immediate actions include changing all credentials associated with FortiGate devices, enforcing strong password policies, and implementing multi-factor authentication where possible. Monitoring for unauthorized administrative access attempts and disabling or restricting the use of the diagnose sniffer packet command to trusted administrators can reduce risk. Patch status is not applicable as this is not a newly discovered vulnerability; however, organizations should follow Fortinet advisories for any updates.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/","fetched":true,"fetchedAt":"2026-06-22T20:24:12.651Z","wordCount":979}
Threat ID: 6a3999eceed863c81e62c3a7
Added to database: 06/22/2026, 20:24:12 UTC
Last enriched: 06/22/2026, 20:24:22 UTC
Last updated: 06/23/2026, 00:35:33 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.