PROBABLYPWNED
Data Breaches | June 17, 2026 | 4 min read

FortiBleed: 73,000 Fortinet VPN Credentials Exposed

A Russian-speaking threat group harvested plaintext credentials for 73,000+ Fortinet firewalls across 194 countries. Samsung, Oracle, and a NATO contractor are among the victims.

Sarah Mitchell

Security researchers have uncovered one of the largest credential harvesting operations ever documented against enterprise network infrastructure. A Russian-speaking threat group compromised more than 73,000 Fortinet FortiGate SSL VPN devices across 194 countries, extracting plaintext administrative credentials that now pose an immediate risk to global organizations. The breach adds to a troubling pattern of network appliance compromises that have dominated security headlines this year.

The campaign, dubbed "FortiBleed" by researchers at Hudson Rock, represents a coordinated effort targeting roughly half of all internet-exposed Fortinet firewalls. Major corporations including Samsung, Oracle, Foxconn, Comcast, Siemens, Lenovo, PwC, and Accenture appear in the leaked dataset.

How Attackers Built a Credential Harvesting Machine

SOCRadar researchers discovered the campaign after finding an exposed operational server belonging to the threat group. That server revealed the attackers' tooling, victim database, and repository of verified credentials.

The operation's scale is staggering. According to the exposed infrastructure, attackers executed approximately 1.16 billion credential attempts against 320,777 FortiGate targets, plus an additional 2.1 billion brute-force attempts against 163,650 Microsoft SQL Server systems.

The campaign exploited a weakness in how FortiGate devices store credential hashes. Fortinet moved to PBKDF2 password hashing in early 2025, but a device can only re-hash a stored password when it next sees the plaintext, that is, when the account owner logs in after the upgrade. Accounts that had not logged in since patching were still stored in the older salted SHA-256 format: a single fast hash per guess, which is cheap to brute-force offline once the hash is in an attacker's hands.

The attackers intercepted SSL VPN authentication hashes and cracked them using a 45-GPU cluster managed through Hashtopolis, an open-source distributed password recovery framework. This infrastructure enabled systematic credential recovery at industrial scale.
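The cost difference between the two storage formats is the whole story of the cracking phase above, so here is an added example (not code from the original article, Fortinet, or the researchers) that runs the same offline dictionary attack against a salted-SHA-256 record and a PBKDF2 record. The record layout, the wordlist, and the salt are constructed for illustration; the page does not document Fortinet's actual on-disk encoding and this is not a claim about it.

```python
import hashlib
import hmac
import time

# Assumed credential layout for illustration only: a random salt and one
# SHA-256 over salt||password. This is NOT Fortinet's actual format.


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-256: a single digest per guess, very cheap on GPUs."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 20_000) -> bytes:
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` chained HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(target: bytes, salt: bytes, wordlist, hash_fn):
    """Offline dictionary attack. The attacker already holds salt and hash,
    so no lockout or rate limit applies; only the hash cost slows this down."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_fn(candidate, salt), target):
            return candidate
    return None


def seconds_per_guess(hash_fn, salt: bytes, rounds: int) -> float:
    """Rough wall-clock cost of one guess with the given hash function."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / rounds


# Constructed wordlist and salt for the demonstration.
WORDLIST = ["123456", "Password1", "fortinet", "admin", "Welcome123", "Summer2026!"]
SALT = bytes.fromhex("3f9a1c7e0b52d4a6c1e8f00d")


def demo():
    stored_legacy = legacy_hash("Welcome123", SALT)
    stored_pbkdf2 = pbkdf2_hash("Welcome123", SALT)
    # Both records fall to the same wordlist: PBKDF2 does not rescue a weak
    # password, it only multiplies the attacker's cost per guess.
    found_legacy = crack(stored_legacy, SALT, WORDLIST, legacy_hash)
    found_pbkdf2 = crack(stored_pbkdf2, SALT, WORDLIST, pbkdf2_hash)
    ratio = seconds_per_guess(pbkdf2_hash, SALT, rounds=20) / seconds_per_guess(
        legacy_hash, SALT, rounds=200
    )
    return found_legacy, found_pbkdf2, ratio


if __name__ == "__main__":
    legacy, pbkdf2, ratio = demo()
    print(f"legacy cracked: {legacy}, pbkdf2 cracked: {pbkdf2}")
    print(f"one PBKDF2 guess costs roughly {ratio:.0f}x a salted SHA-256 guess")
```

The ratio printed is the point: at 20,000 iterations a PBKDF2 guess is thousands of times more expensive than a salted SHA-256 guess, so a GPU cluster that clears a legacy hash dump in hours would need years for the same passwords stored under PBKDF2. The weak password still falls either way, which is why the rotation and MFA steps below matter as much as the storage format.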

Self-Reinforcing Attack Loop

The campaign operates through a self-sustaining cycle. The attackers use automated scanning to locate exposed FortiGate management interfaces, then attempt authentication with known password lists. Successfully compromised devices become "listening posts" that monitor traffic and capture additional credentials flowing through the VPN. Those newly harvested passwords feed back into the scanner's wordlists, widening the set of devices that fall with each compromise.

This pattern isn't new to Fortinet defenders. Earlier this year, we covered an AI-assisted attacker who compromised 600+ FortiGate firewalls through similarly exposed management interfaces and weak credentials. The FortiBleed campaign operates at far larger scale, affecting devices across government, telecommunications, healthcare, education, financial services, and critical infrastructure sectors.

NATO Contractor Breach Raises Stakes

The most severe documented incident involved a Turkish NATO defense contractor. According to SOCRadar's analysis, the threat actors successfully exfiltrated classified defense documents from the compromised organization.

Security researcher Kevin Beaumont independently validated the leaked data. "I have been able to confirm the authenticity of some of the admin logins and passwords—this looks like a real dump," Beaumont stated after analyzing samples from the dataset.

Geographic distribution shows the highest concentration of affected devices in India, the United States, Taiwan, Mexico, and Turkey. The IT services, telecommunications, and financial services sectors appear most heavily represented.

Immediate Actions Required

Organizations running FortiGate infrastructure should assume compromise if their management interfaces have been internet-exposed. Hudson Rock released a free lookup tool where organizations can check whether their domains appear in the compromised dataset.

The recommended response includes:

  1. Immediately rotate all Fortinet VPN and administrative interface passwords, and terminate existing admin sessions; a rotated password does not invalidate sessions already open. Rotation also ensures the new password is stored under the current PBKDF2 format rather than the legacy hash.
  2. Enforce multi-factor authentication on all FortiGate management access
  3. Review gateway logs for suspicious authentication patterns: bursts of failed admin logins from one source, logins from unfamiliar addresses, and a success that follows a run of failures from the same source
  4. Monitor for exposed employee credentials using threat intelligence services
  5. Ensure management interfaces are not reachable from the public internet; restrict them to trusted source addresses or a dedicated management network
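Step 3 is the one most teams skip because the raw logs are noisy. As an added example (not code from the article or from Fortinet), here is a small detector that parses FortiGate-style key=value event-log lines and raises two alerts: a burst of failed administrator logins from one source address, and a successful login from a source that had just failed repeatedly. The sample lines are constructed for this example; the field names follow the usual admin-login event fields (user, srcip, action, status, reason) but none of the values come from a real device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (no real device data). Layout mimics the
# FortiGate key=value event-log format for administrator logins.
SAMPLE_LOGS = """
date=2026-06-17 time=02:14:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=02:14:02 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=02:14:03 type="event" subtype="system" logdesc="Admin login failed" user="fortinet" srcip=203.0.113.50 action="login" status="failed" reason="name_invalid"
date=2026-06-17 time=02:14:04 type="event" subtype="system" logdesc="Admin login failed" user="root" srcip=203.0.113.50 action="login" status="failed" reason="name_invalid"
date=2026-06-17 time=02:14:05 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=02:14:09 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=203.0.113.50 action="login" status="success" reason="none"
date=2026-06-17 time=02:30:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=02:30:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"
date=2026-06-17 time=08:00:00 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=10.0.0.5 action="login" status="success" reason="none"
""".strip().splitlines()

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict with a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S"
    )
    return fields


def detect(lines, fail_threshold=5, success_after=3, window=timedelta(minutes=10)):
    """Sliding-window detection over admin login events, ordered by time.

    brute_force: >= fail_threshold failed logins from one srcip inside `window`
    success_after_failures: a success from a srcip with >= success_after
    recent failures, which is the signature of a guessed or sprayed password.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)  # srcip -> [(ts, user), ...] within the window
    already_flagged = set()
    alerts = []
    for e in events:
        if e.get("action") != "login":
            continue
        src = e["srcip"]
        recent = [(t, u) for t, u in failures[src] if e["ts"] - t <= window]
        failures[src] = recent
        if e["status"] == "failed":
            recent.append((e["ts"], e["user"]))
            if len(recent) >= fail_threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({
                    "type": "brute_force", "srcip": src, "ts": e["ts"],
                    "attempts": len(recent),
                    "users": sorted({u for _, u in recent}),
                })
        elif e["status"] == "success" and len(recent) >= success_after:
            alerts.append({
                "type": "success_after_failures", "srcip": src, "ts": e["ts"],
                "user": e["user"], "prior_failures": len(recent),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the detector flags 203.0.113.50 twice (five failures across three usernames, then a successful "admin" login seconds later) and stays quiet on the two stray failures from 198.51.100.9 and the routine daytime login from 10.0.0.5. The second alert type is the one to page on: a password that finally works after a burst of failures is exactly what a cracked or harvested credential looks like in the logs.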

This breach arrives amid ongoing Fortinet security challenges. CISA recently ordered federal agencies to patch FortiClient EMS within three days after adding CVE-2026-35616 to its Known Exploited Vulnerabilities catalog. The persistent targeting of Fortinet products suggests organizations should prioritize network perimeter security hygiene—particularly for devices that have historically been frequent attack vectors for credential theft.

Fortinet has not responded to requests for comment regarding the FortiBleed campaign. Organizations seeking to verify their exposure can access Hudson Rock's lookup tool or contact SOCRadar for detailed threat intelligence on the compromised dataset.
