What Happened
A threat actor group operating under the banner “FortiBleed” has been systematically compromising Fortinet FortiGate firewalls and VPN gateways using previously stolen credentials and brute-force attacks. The attackers are actively using the compromised appliances to deploy ransomware across victim organisations. SOCRadar reports that a group of approximately 20 individuals with specialised roles (intrusion, support, post-exploitation) is behind the campaign. An estimated 74,000 stolen Fortinet firewall and VPN credentials were advertised for sale in June 2026. At least twelve organisations have been confirmed as ransomware victims, with hundreds of systems encrypted.
Affected Products
- Fortinet FortiGate firewalls — all models
- Fortinet VPN gateways — all models
The compromise is credential-based rather than product-specific — any version with internet-exposed administrative interfaces using weak or reused credentials is at risk.
Exploited?
Yes — ongoing active campaign with confirmed ransomware victims. The attackers have compromised at least twelve organisations using credential access from compromised FortiGate appliances. The campaign involves:
1) Credential harvesting through brute force and configuration dumping
2) Password hash cracking
3) Lateral movement into internal networks
4) Ransomware deployment
The attack pattern does not rely on a specific software vulnerability — it exploits weak credential hygiene on internet-facing Fortinet appliances.
Mitigation
- Immediately rotate all FortiGate and FortiVPN administrative passwords.
- Enforce multi-factor authentication (MFA) on all administrative interfaces.
- Restrict administrative access to trusted IP addresses only — do not leave admin panels exposed to the internet.
- Audit logs for signs of unauthorised access, configuration changes, or unknown administrative sessions.
- Apply the latest FortiOS firmware so that all known vulnerabilities are patched.
Recommendations
- Assume compromise: If your FortiGate admin interface has been exposed to the internet and uses standard credentials, assume your credentials are in the leaked dataset.
- Conduct forensic review: Check VPN and firewall logs for unauthorised connections from unexpected IPs, especially those matching patterns from credential stuffing campaigns.
- Implement zero-trust network access (ZTNA) for VPN and management interfaces.
- Follow CISA guidance: CISA has issued device hardening recommendations following the credential leak.
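The log-audit steps above (unauthorised admin sessions, unexpected source IPs, credential-stuffing patterns) as an added Python example that is not part of this report: it parses FortiOS-style key=value admin login events, flags successful logins from outside an assumed trusted-management allow-list, and flags a source IP once it reaches a failed-login threshold. The sample log lines, the allow-list, the threshold and the field names (action, status, ui, user) are constructed assumptions modelled on FortiOS event logs; confirm them against your own device's log format before relying on the parser.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines modelled on FortiOS key=value admin event logs (not real captures).
SAMPLE_LOGS = [
    'date=2026-07-01 time=08:00:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" action="login" status="success"',
    'date=2026-07-01 time=08:01:10 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"',
    'date=2026-07-01 time=08:01:12 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"',
    'date=2026-07-01 time=08:01:15 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" action="login" status="failed"',
    'date=2026-07-01 time=08:02:40 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" action="login" status="success"',
    'date=2026-07-01 time=09:15:00 type="event" subtype="system" logdesc="Admin login successful" user="backup-admin" ui="ssh(203.0.113.9)" action="login" status="success"',
]
# Assumed trusted management networks; replace with your own allow-list.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
FAILED_LOGIN_THRESHOLD = 3  # failures from one IP before flagging a brute-force attempt
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IP_IN_UI_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')  # ui="https(1.2.3.4)"

def parse_line(line):
    """Split a key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def source_ip(record):
    """Extract the admin source IP from the ui field, or None if absent."""
    m = IP_IN_UI_RE.search(record.get("ui", ""))
    return ipaddress.ip_address(m.group(1)) if m else None

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_ADMIN_NETS)

def audit_admin_logins(lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (finding, source_ip, user) tuples for suspicious admin activity."""
    findings, failures = [], Counter()
    for line in lines:
        rec = parse_line(line)
        ip = source_ip(rec)
        if rec.get("action") != "login" or ip is None:
            continue
        if rec.get("status") == "failed":
            failures[ip] += 1
            if failures[ip] == threshold:  # flag once, when the threshold is first reached
                findings.append(("bruteforce_suspected", str(ip), rec.get("user")))
        elif rec.get("status") == "success" and not is_trusted(ip):
            # Successful admin login from outside the allow-list: review this session.
            findings.append(("untrusted_admin_login", str(ip), rec.get("user")))
    return findings
```

Run it over an exported FortiGate event log instead of SAMPLE_LOGS; a successful login that follows a run of failures from the same untrusted IP is the pattern to prioritise.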
References
- Cybersecurity Dive: CISA Device Hardening After Fortinet Credential Compromise
- Security.nl: Hacked Fortinet firewalls used for ransomware attacks (Gehackte Fortinet-firewalls gebruikt voor ransomware-aanvallen)
- SOCRadar research on FortiBleed campaign
Part of the Vulnerability Intelligence series on threat-modeling.com. July 5, 2026 Report.
