Fortinet's FortiBleed campaign involves threat actors harvesting credentials for Fortinet devices globally by reusing credentials from earlier incidents involving authentication bypass vulnerabilities (CVE-2026-24858, CVE-2025-59718, CVE-2025-59719) and employing brute-force techniques against devices lacking strong password hygiene and MFA. No new vulnerabilities are exploited. The campaign resulted in a database of over 86,000 valid credentials across 194 countries. Fortinet has provided remediation guidance previously and urges customers to ensure patches are applied, credentials rotated, MFA enabled, and external management restricted. The vendor is actively notifying impacted customers and working with law enforcement.

The campaign has led to the compromise of over 86,000 valid credentials for Fortinet devices worldwide, potentially allowing unauthorized access to affected firewalls and VPNs. This can result in unauthorized administrative access, exposure of internal networks, and potential further compromise. However, no new vulnerabilities are exploited; the impact arises from weak password practices and lack of MFA. The threat affects a large number of devices globally.

Fortinet has released patches for the underlying authentication bypass vulnerabilities (CVE-2026-24858, CVE-2025-59718, CVE-2025-59719) and provided detailed remediation guidance. Customers should ensure all patches are applied, rotate all administrator and VPN credentials, terminate existing admin and VPN sessions, and enable multi-factor authentication on all accounts. Additionally, review firewall and VPN configurations for unauthorized changes, check logs for unexpected access, and restrict external management access to trusted hosts. Fortinet is actively notifying impacted customers and working with law enforcement. Patch status is confirmed as fixed for the referenced CVEs.