Security researchers disclosed on 18 June 2026 that a credential harvesting operation they have named FortiBleed has produced a dataset of verified administrator credentials for approximately 75,000 Fortinet FortiGate firewalls. The dataset, confirmed to be circulating in criminal underground communities, covers organisations in 194 countries. Among the affected organisations identified in the data are government entities, critical infrastructure operators, and large enterprises including names such as Samsung, Siemens, Oracle, Accenture, DHL, and Foxconn.
FortiBleed is not a zero-day exploit and there is no associated CVE. The attackers did not need one. They achieved this scale through a methodical, infrastructure-heavy approach to credential harvesting that exploited a well-understood weakness in how many organisations manage internet-facing network appliances.
How FortiBleed works
The campaign was first documented by security researcher Volodymyr Diachenko, who found that a Russian-speaking multi-operator threat group had been running a sustained credential extraction effort against internet-facing FortiGate devices. The operation involved approximately 1.16 billion credential attempts against 320,777 FortiGate targets, driven by a 45-GPU cluster managed through the Hashtopolis hash-cracking framework.
The method relies on the fact that FortiGate SSL VPN endpoints are, by design, reachable from the internet. According to the researchers' account, the authentication exchange with a FortiGate SSL VPN carries an authentication hash; the attackers collected those hashes at scale and fed them to the GPU cluster for offline cracking. Because many organisations set relatively simple passwords on network infrastructure, or never enforced complexity requirements on legacy devices, a significant proportion of the hashes yielded working credentials.
Critically, the resulting credentials are administrator-level in many cases. An attacker holding working admin credentials for a FortiGate device can modify routing and firewall rules, extract VPN configuration and connected user data, pivot into the internal network, disable logging, and establish persistent access through configuration changes or implanted backdoors.
Why patched devices are affected
The most important operational implication of FortiBleed is that being on a current firmware version provides no protection against it. The hash interception technique does not exploit a vulnerability in the firmware. It exploits the authentication exchange itself, which is exposed on any internet-facing SSL VPN endpoint regardless of patch level.
This distinguishes FortiBleed from the category of FortiGate vulnerabilities that have dominated security advisories over the past two years. CVE-based exploits, such as the CVE-2022-40684 authentication bypass or the series of SSL-VPN memory corruption vulnerabilities patched between 2022 and 2024 (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762), only worked against specific unpatched versions. FortiBleed has no such constraint. Any FortiGate with an internet-facing SSL VPN endpoint and a password-only administrator credential was in scope.
European exposure
The dataset covers 194 countries, which amounts to effectively every country, including every EU and EEA member state. European organisations operating FortiGate firewalls as their primary network perimeter or VPN gateway should treat their administrator credentials as potentially compromised until confirmed otherwise, regardless of patch status.
The affected organisation profile is broad. FortiGate appliances are common in mid-market and enterprise environments across Europe, frequently used as the primary perimeter firewall, branch VPN gateway, and network segmentation device in multi-site environments. The credential exposure therefore extends to the full network perimeter controlled by the affected device.
Arctic Wolf’s analysis of the active FortiBleed campaign noted that the data includes working credentials recovered from devices operated by energy sector companies, financial institutions, public sector bodies, and telecommunications providers across Europe.
Immediate steps for organisations
Rotate all FortiGate administrator credentials immediately. This applies regardless of whether your device appears in any disclosed dataset. The FortiBleed dataset represents what was collected and cracked. It does not represent the full scope of what was intercepted. If your device has been internet-facing with an SSL VPN endpoint active over the past 12 to 18 months, assume the original credentials were harvested. Rotate from a trusted management host, and because an attacker with admin access can export the configuration, also rotate the secrets stored in it: local SSL VPN user passwords, IPsec pre-shared keys, and any RADIUS or LDAP bind credentials.
Enforce multi-factor authentication on all FortiGate management interfaces. FortiGate supports TOTP-based MFA (FortiToken) for administrator accounts. Any organisation that has not enabled this should treat it as an emergency remediation item. Credentials alone should not be sufficient to authenticate to a network device management interface. Pair MFA with trusted-host restrictions on each administrator account and remove HTTPS and SSH management access from WAN-facing interfaces, so that the management interface is not reachable from the internet at all.
Audit recent configuration changes. Any FortiGate device whose credentials may have been compromised should have its change history reviewed, ideally by comparing the running configuration against a known-good backup. Look for added administrator accounts, changes to firewall policy, new SSL-VPN users, modified routing entries, and any alterations to logging configuration. Disabled or redirected logs are a common indicator of post-compromise persistence.
Review your VPN exposure surface. If your organisation does not require SSL VPN access from all internet addresses, restrict access to specific IP ranges or implement a VPN pre-authentication gateway. Limiting who can reach the authentication endpoint reduces both the hash interception surface and the exposure to future credential-based attacks.
Check Fortinet’s PSIRT advisories and apply outstanding firmware patches. While FortiBleed is not firmware-dependent, unpatched FortiGate devices in scope for the FortiBleed dataset may also be vulnerable to CVE-based exploits that give attackers additional entry vectors. FortiGate firmware should be current regardless of this incident.
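The checks above (password-only administrator accounts, management reachable from a WAN interface, an SSL VPN login endpoint open to every source address, logging switched off, and administrator accounts nobody created) can be run mechanically against a FortiOS configuration backup. The script below is an added example written for this page, not Fortinet tooling and not part of the original article. It parses the config / edit / set / next / end layout of a `show full-configuration` or backup file and reports findings. The sample configuration is constructed for illustration; the `expected_admins` list is the one assumption the reader supplies from their own records.

```python
"""Audit a FortiOS configuration backup for the conditions FortiBleed preys on.

Added example, not Fortinet tooling. SAMPLE_CONFIG is constructed and not
from any real device; the setting names (two-factor, trusthostN, allowaccess,
role, source-address, log * setting/status) are standard FortiOS CLI keys.
"""
from typing import Dict, List, Optional, Set, Tuple

Section = Dict[Optional[str], Dict[str, List[str]]]
Finding = Tuple[str, str, str]  # (severity, subject, detail)
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1CONSTRUCTEDPLACEHOLDER
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.0.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set fortitoken "FTKMOB00000000"
        set vdom "root"
    next
    edit "svc-backup"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 443
    set source-interface "wan1"
end
config log disk setting
    set status disable
end
"""


def parse_fortios(text: str) -> Dict[str, Section]:
    """Return {section path: {entry name or None: {key: value tokens}}}.

    Nested 'config' blocks are keyed by their joined path ('a / b'). Values keep
    their token list so 'allowaccess ping https ssh' survives intact. Quoted
    values containing spaces are split on whitespace (a known simplification).
    """
    sections: Dict[str, Section] = {}
    path: List[str] = []               # stack of open 'config' names
    entries: List[Optional[str]] = []  # stack of open 'edit' names (None = none)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[7:])
            entries.append(None)
            sections.setdefault(" / ".join(path), {})
        elif line.startswith("edit ") and path:
            entries[-1] = line[5:].strip('"')
            sections[" / ".join(path)].setdefault(entries[-1], {})
        elif line.startswith("set ") and path:
            key, _, value = line[4:].partition(" ")
            tokens = [t.strip('"') for t in value.split()]
            sections[" / ".join(path)].setdefault(entries[-1], {})[key] = tokens
        elif line == "next" and entries:
            entries[-1] = None
        elif line == "end" and path:
            path.pop()
            entries.pop()
    return sections


def audit(sections: Dict[str, Section], expected_admins: Set[str]) -> List[Finding]:
    """Apply the post-FortiBleed checks and return findings in config order."""
    findings: List[Finding] = []

    # 1. Administrator accounts: MFA, trusted hosts, and accounts you did not create.
    for name, s in sections.get("system admin", {}).items():
        if name is None:
            continue
        subj = f"admin/{name}"
        if name not in expected_admins:
            findings.append(("HIGH", subj, "not in the expected administrator list; review change history"))
        if "two-factor" not in s:
            findings.append(("HIGH", subj, "no two-factor setting; a cracked password alone logs in"))
        if not any(k.startswith("trusthost") for k in s):
            findings.append(("MEDIUM", subj, "no trusthost restriction; login accepted from any source IP"))

    # 2. Interfaces with a WAN role that still accept management protocols.
    for name, s in sections.get("system interface", {}).items():
        if name is None:
            continue
        exposed = MGMT_PROTOCOLS & set(s.get("allowaccess", []))
        if s.get("role", [""])[0] == "wan" and exposed:
            findings.append(("HIGH", f"interface/{name}",
                             "management allowed on a WAN interface: " + ", ".join(sorted(exposed))))

    # 3. SSL VPN login endpoint reachable from every source address.
    ssl = sections.get("vpn ssl settings", {}).get(None, {})
    if ssl and "source-address" not in ssl:
        findings.append(("MEDIUM", "sslvpn", "no source-address restriction; any host can attempt logins"))

    # 4. Logging destinations switched off, a common post-compromise change.
    for path, sec in sections.items():
        if path.startswith("log ") and path.endswith(" setting"):
            if sec.get(None, {}).get("status") == ["disable"]:
                findings.append(("MEDIUM", path, "logging destination disabled"))
    return findings


def main() -> None:
    for sev, subj, detail in audit(parse_fortios(SAMPLE_CONFIG), {"admin", "netops"}):
        print(f"[{sev:6}] {subj}: {detail}")


if __name__ == "__main__":
    main()
```

Against a real backup, call `audit(parse_fortios(open("fgt-backup.conf").read()), expected_admins)` with the account names your change records say should exist; anything else the script flags is a candidate for the change-history review described above. The sample deliberately contains one fully hardened account (`netops`, with both a trusted host and FortiToken MFA) so the output shows what "clean" looks like next to the findings.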
The wider pattern
FortiBleed fits a pattern that security teams have been tracking throughout 2025 and into 2026: high-value network infrastructure credentials are being harvested at industrial scale, often without exploiting any new vulnerability, and then used or sold to enable follow-on attacks including ransomware deployment, data exfiltration, and persistent network access.
The infrastructure behind FortiBleed, a 45-GPU cracking cluster running dedicated hash-cracking software against a dataset of 320,000-plus targets, represents a level of operational investment that produces proportionate returns. Verified admin credentials for enterprise network devices are worth considerably more in criminal markets than individual user credentials, because they provide access to network infrastructure rather than a single user’s data.
For European security teams, the practical takeaway is that credential hygiene on network infrastructure deserves the same priority as vulnerability patching. The organisations whose credentials appear in the FortiBleed dataset were not necessarily negligent. Many were running current firmware. They were exposed because internet-facing authentication endpoints will always be subject to credential harvesting, and because the cost of cracking weak or moderate-complexity passwords has fallen dramatically as GPU compute has become cheap and accessible.
If your organisation needs to assess whether your FortiGate environment is exposed, implement MFA on network infrastructure, audit for post-compromise indicators, or review your VPN architecture to reduce the internet-facing credential attack surface, contact Excello Digital. We help European organisations harden their network perimeter and respond to credential exposure incidents before they become breaches.
