FortiBleed Campaign: Compromised Fortinet Firewalls Used for Ransomware Deployment — 74,000 Credentials at Risk


What Happened

A threat actor group operating under the banner “FortiBleed” has been systematically compromising Fortinet FortiGate firewalls and VPN gateways using previously stolen credentials and brute-force attacks, then using the compromised appliances as the entry point for ransomware deployment across victim organisations. SOCRadar reports that a group of approximately 20 individuals with specialised roles (intrusion, support, post-exploitation) is behind the campaign. An estimated 74,000 stolen Fortinet firewall and VPN credentials were advertised for sale in June 2026. At least twelve organisations have been confirmed as ransomware victims, with hundreds of systems encrypted.


Affected Products

  • Fortinet FortiGate firewalls — all models
  • Fortinet VPN gateways — all models

The compromise is credential-based rather than product-specific: any FortiOS version whose administrative or VPN interface is reachable from the internet and protected only by weak or reused credentials is at risk.


Exploited?

Yes. This is an ongoing campaign with confirmed ransomware victims: at least twelve organisations have been compromised through credentials obtained from internet-facing FortiGate appliances. The observed chain is:

  1) Credential harvesting through brute force and dumping of device configurations
  2) Offline cracking of the password hashes recovered from those configurations
  3) Lateral movement from the appliance into the internal network
  4) Ransomware deployment

No specific software vulnerability is required; the campaign exploits weak credential hygiene on internet-facing Fortinet appliances.


Mitigation

  • Immediately rotate all FortiGate administrative and VPN user passwords. Because the attackers dump configurations and crack the hashes they contain, treat every credential present in an exposed device configuration as compromised.
  • Enforce multi-factor authentication (MFA) on all administrative and VPN interfaces.
  • Restrict administrative access to trusted IP addresses only; do not leave admin panels exposed to the internet.
  • Audit logs for signs of unauthorised access: failed-login bursts followed by a success, unknown administrative sessions, configuration changes (new admin accounts in particular) and configuration exports.
  • Apply the latest FortiOS firmware so that all known vulnerabilities are patched; this does not by itself stop credential-based access.

Recommendations

  • Assume compromise: if your FortiGate admin or VPN interface has been exposed to the internet and uses weak or reused credentials, assume those credentials are in the leaked dataset.
  • Conduct forensic review: check VPN and firewall logs for unauthorised connections from unexpected IPs, especially sources showing the repeated-failure-then-success pattern typical of credential stuffing and brute force.
  • Implement zero-trust network access (ZTNA) for VPN and management interfaces.
  • Follow CISA guidance: CISA has issued device hardening recommendations following the credential leak.
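The log review called for above can be scripted. The following Python is an added example written for this page, not Fortinet's or the author's code. The log lines are constructed; the field names (date, time, srcip, user, ui, action, status, cfgpath, cfgobj) follow the FortiOS key=value event-log style, and the logids shown are assumed, since exact values vary by FortiOS version. The script flags the chain described under "Exploited?": a burst of failed admin logins from one source followed by a success, configuration changes made from that source, and any admin login from outside the trusted management networks that the mitigation list says should be enforced.

```python
"""Flag the FortiBleed chain in FortiGate event logs: a burst of failed admin
logins from one source, a later success from it, config changes made from it,
and admin logins from outside the trusted management networks.

Added example. Log lines are constructed; field names follow the FortiOS
key=value event-log style, logids are assumed and vary by version.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# key=value pairs; values are either double-quoted or bare (srcip=203.0.113.9)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# address embedded in ui="https(203.0.113.9)" or ui="GUI(203.0.113.9)"
UI_IP = re.compile(r'\((\d+\.\d+\.\d+\.\d+)\)')


def parse(line):
    """Parse one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def source_ip(ev):
    """srcip/remip when present, else the address inside the ui field."""
    ip = ev.get("srcip") or ev.get("remip")
    if not ip and "ui" in ev:
        m = UI_IP.search(ev["ui"])
        ip = m.group(1) if m else None
    return ip


def timestamp(ev):
    return datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")


def detect(lines, trusted_nets, threshold=5, window=timedelta(minutes=10)):
    """Return (severity, message) findings in time order."""
    nets = [ip_network(n) for n in trusted_nets]

    def trusted(ip):
        return ip is not None and any(ip_address(ip) in n for n in nets)

    events = sorted((parse(l) for l in lines if l.strip()), key=timestamp)
    failures = defaultdict(list)   # source ip -> times of failed admin logins
    suspect = set()                # sources that succeeded after a failure burst
    findings = []
    for ev in events:
        ip, t = source_ip(ev), timestamp(ev)
        action, status, user = ev.get("action"), ev.get("status"), ev.get("user")
        if action == "login" and status == "failed":
            failures[ip].append(t)
        elif action == "login" and status == "success":
            burst = [f for f in failures[ip] if t - f <= window]
            if len(burst) >= threshold:          # brute force that worked
                suspect.add(ip)
                findings.append(("high", f"{user} from {ip}: login succeeded after "
                                         f"{len(burst)} failures within {window}"))
            elif not trusted(ip):                # admin access should be IP-restricted
                findings.append(("medium", f"{user} from {ip}: admin login from "
                                           "outside trusted networks"))
        elif action == "Edit" and "cfgpath" in ev:
            # config change; a new admin object (system.admin) is persistence
            if ip in suspect or not trusted(ip):
                msg = f"{user} from {ip}: config change to {ev['cfgpath']} {ev.get('cfgobj', '')}"
                findings.append(("high", msg.rstrip()))
    return findings


TRUSTED_NETS = ["10.20.0.0/16"]   # assumed management network

# Constructed sample: five failures and a success from 203.0.113.9, a new super_admin
# created from that session, a benign login from the trusted net, and an untrusted login.
FAILED = ('date=2026-06-20 time=03:14:{:02d} logid="0100032002" logdesc="Admin login failed" '
          'user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" '
          'status="failed" reason="passwd_invalid"')
SAMPLE_LOG = [FAILED.format(s) for s in range(1, 6)] + [
    'date=2026-06-20 time=03:14:09 logid="0100032001" logdesc="Admin login successful" '
    'user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="success"',
    'date=2026-06-20 time=03:15:30 logid="0100044547" logdesc="Object attribute configured" '
    'user="admin" ui="GUI(203.0.113.9)" action="Edit" cfgpath="system.admin" '
    'cfgobj="svc_backup" cfgattr="accprofile[super_admin]" msg="Edit system.admin svc_backup"',
    'date=2026-06-20 time=08:00:00 logid="0100032001" logdesc="Admin login successful" '
    'user="admin" ui="https(10.20.0.5)" srcip=10.20.0.5 action="login" status="success"',
    'date=2026-06-20 time=09:00:00 logid="0100032001" logdesc="Admin login successful" '
    'user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="login" status="success"',
]


def run_sample():
    return detect(SAMPLE_LOG, TRUSTED_NETS)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

Feed it real FortiGate event logs exported from FortiAnalyzer or syslog, set TRUSTED_NETS to your actual management ranges, and tune threshold and window to your baseline; the "medium" finding is only meaningful once the trusthost restriction from the mitigation list is in place, because before that any internet source is an expected admin login.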


Part of the Vulnerability Intelligence series on threat-modeling.com. July 5, 2026 Report.
