
An active credential campaign called FortiBleed has compromised working administrator and SSL VPN credentials for roughly 73,000 to 86,000 internet-facing Fortinet FortiGate firewalls across 194 countries. The dataset — publicly disclosed on June 13 and confirmed as still active on June 19, 2026 — covers more than 21,600 organizations including government agencies, banks, telecoms, and critical infrastructure providers. If your organization runs a Fortinet device with an internet-exposed management interface or SSL VPN, treat your credentials as compromised until you verify otherwise.
What FortiBleed Actually Is
FortiBleed is not a single new CVE. It is a years-long campaign that exploited a chain of Fortinet vulnerabilities to extract device configuration files — and then cracked the administrator password hashes stored inside those files at scale using a 45-GPU offline cracking infrastructure.
The vulnerabilities involved include CVE-2022-40684 (CVSS 9.8), an admin-level authentication bypass patched in October 2022; CVE-2024-55591 (CVSS 9.6), a Node.js websocket auth bypass zero-day exploited since November 2024; and CVE-2025-59718 (CVSS 9.8), a SAML signature verification flaw in FortiCloud SSO that CISA added to its Known Exploited Vulnerabilities catalog in December 2025. Each gave attackers a route to extract configuration data without a valid password.
The configuration files pulled from those exploits contained administrator passwords stored as salted SHA-256 hashes. On older FortiOS builds, SHA-256 was the standard. Fortinet introduced PBKDF2-based hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1 — but hashes do not upgrade automatically. They remain as SHA-256 until each administrator manually logs in after upgrading. That gap is where FortiBleed found its footing.
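To make the cost difference concrete, here is an added illustration (not Fortinet's code, and it does not reproduce the on-disk FortiOS hash format) of an offline dictionary attack against the same password stored as a salted SHA-256 digest and as PBKDF2-HMAC-SHA256. The wordlist, salt length and iteration count are assumptions for the demo. It also shows why re-hashing an already-cracked password changes nothing for the attacker while rotating it does:

```python
# Added illustration, not Fortinet's code: it does not reproduce FortiOS's
# on-disk hash format. It shows why a captured salted SHA-256 hash cracks
# cheaply offline while a PBKDF2 hash of the same password does not, and why
# only a rotated password invalidates an already-cracked one.
import hashlib
import hmac
import os
import time

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["Password1", "Welcome2023", "Fortinet!", "Summer2024", "Admin#1234"]

# Assumed work factor for the PBKDF2 side of the comparison.
PBKDF2_ITERATIONS = 100_000


def salted_sha256(password: str, salt: bytes) -> bytes:
    """One SHA-256 over salt || password: a single hash call per guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: `iterations` HMAC calls per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack(target: bytes, salt: bytes, hasher, wordlist=WORDLIST):
    """Offline dictionary attack against one hash.

    Returns (recovered_password_or_None, guesses_tried, seconds_elapsed).
    """
    start = time.perf_counter()
    for tried, candidate in enumerate(wordlist, 1):
        if hmac.compare_digest(hasher(candidate, salt), target):
            return candidate, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def compare_cost(password: str = "Summer2024") -> dict:
    """Crack the same password stored both ways and report the per-guess cost ratio."""
    salt = os.urandom(16)  # per-user salt, as a config file would carry
    fast_hash = salted_sha256(password, salt)
    slow_hash = pbkdf2_sha256(password, salt)

    found_fast, guesses, t_fast = crack(fast_hash, salt, salted_sha256)
    found_slow, _, t_slow = crack(slow_hash, salt, pbkdf2_sha256)

    return {
        "salted_sha256": found_fast,
        "pbkdf2": found_slow,
        "guesses": guesses,
        "pbkdf2_cost_ratio": t_slow / max(t_fast, 1e-9),
    }


def rotated_password_defeats_crack(old: str, new: str) -> bool:
    """Re-hashing the same plaintext does nothing against an attacker who already
    holds it; only a different password invalidates the cracked value."""
    salt = os.urandom(16)
    rehashed_old = pbkdf2_sha256(old, salt)    # "upgrade" without rotation
    rotated = pbkdf2_sha256(new, salt)         # actual rotation
    attacker_guess = pbkdf2_sha256(old, salt)  # attacker replays the cracked plaintext
    still_works_after_rehash = hmac.compare_digest(attacker_guess, rehashed_old)
    still_works_after_rotate = hmac.compare_digest(attacker_guess, rotated)
    return still_works_after_rehash and not still_works_after_rotate


if __name__ == "__main__":
    result = compare_cost()
    print(f"salted SHA-256 cracked: {result['salted_sha256']} in {result['guesses']} guesses")
    print(f"PBKDF2 cracked too, but at ~{result['pbkdf2_cost_ratio']:.0f}x the cost per guess")
    print("rotation invalidates the cracked value:",
          rotated_password_defeats_crack("Summer2024", "k7#Qv9!mR2p$"))
```

Both hashes fall to a five-word list because the password is weak; the point is that PBKDF2 multiplies the attacker's cost per guess by the iteration count, which is what makes a 45-GPU rig stop paying off against passwords that are not in a dictionary. A hash upgrade alone does not help an account whose plaintext was already recovered.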
Why Patches Were Not Enough
Many affected organizations had already applied Fortinet’s patches for CVE-2022-40684 and later vulnerabilities. The problem is that patching the software vulnerability does not rotate credentials that were already extracted and cracked. Attackers sitting on a database of cracked passwords do not care that the extraction vector is now closed — the passwords still work.
Security researchers from Arctic Wolf confirmed on June 19 that the FortiBleed campaign is still active. Credentials from the leaked dataset are being used for ongoing access attempts. Approximately half of all internet-reachable FortiGate devices appear in the dataset. At that scale, assuming you are not in it is the wrong starting assumption.
What to Do Right Now
The remediation sequence matters here. Patch first, because credentials rotated on an unpatched device can simply be extracted again; then do the credential work, which is the part most organizations skip.
- Check your exposure. SOCRadar launched a free FortiBleed Exposure Checker at socradar.io/free-tools/fortibleed. Enter your domain or public IP. A result in the dataset does not confirm an active breach, but it confirms you need to act immediately.
- Upgrade FortiOS. Target FortiOS 7.2.11, 7.4.8, or 7.6.1 as your minimum — these versions replaced SHA-256 with PBKDF2 for credential storage. If you are already on one of these versions but did not force admin logins after upgrading, your hashes may still be SHA-256.
- Force a post-upgrade login for every administrator. After upgrading, require every admin account to authenticate. This triggers re-hashing from SHA-256 to PBKDF2. Without this step, the upgrade offers only partial protection.
- Rotate all credentials immediately. Change them rather than just re-hashing the old passwords: an attacker who already holds the cracked plaintext does not care what hash format it is stored in, and a password set on an upgraded build is written under the new scheme anyway. Cover administrator accounts, local users, SSL VPN credentials, and FortiCloud credentials where CVE-2025-59718 applied (FortiCloud SSO is enabled automatically when a device is registered to FortiCare via the GUI).
- Enforce MFA on all admin and VPN access. A cracked password on its own does not get an attacker in if MFA is enforced. FortiBleed is a good reason to verify that MFA is actually enforced on every account, not just written into a policy.
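One way to verify the last two points against the device itself rather than a policy document is to audit the `config system admin` section of a config backup or `show full-configuration` output. The following is an added example, not Fortinet's tooling; the sample config, the approved-admin list and the placeholder hash values are constructed for the demo:

```python
# Added example, not Fortinet's tooling: audit a FortiOS "config system admin"
# section (from `show full-configuration` or a config backup) for accounts that
# lack MFA, lack a trusted-host restriction, or are not on an approved list.
# The sample config below is constructed; the hash values are placeholders.
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
config system global
    set admin-sport 443
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set password ENC SH2placeholder
    next
    edit "netops"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor disable
        set password ENC SH2placeholder
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2placeholder
    next
end
"""

# Assumed approved-admin list; in practice this comes from change management.
APPROVED_ADMINS = {"admin", "netops"}

# Account names reported on compromised devices, per the article.
KNOWN_ROGUE_NAMES = {"forticloud-sync", "forticloud-tech"}


def parse_admins(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {admin_name: {setting: value}} from the `config system admin` block."""
    admins: Dict[str, Dict[str, str]] = {}
    in_block, current = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            admins[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value
    return admins


def audit_admins(config_text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs; an empty list means nothing to report."""
    findings: List[Tuple[str, str]] = []
    for name, settings in parse_admins(config_text).items():
        if name in KNOWN_ROGUE_NAMES:
            findings.append((name, "matches a known rogue account name"))
        elif name not in APPROVED_ADMINS:
            findings.append((name, "not in approved admin list"))
        # Plain `show` omits default values, so a missing two-factor setting is
        # treated the same as `set two-factor disable`.
        if settings.get("two-factor", "disable") == "disable":
            findings.append((name, "MFA not enforced"))
        if not any(k.startswith("trusthost") for k in settings):
            findings.append((name, "no trusthost restriction"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_admins(SAMPLE_CONFIG):
        print(f"{account}: {finding}")
```

Run it against every FortiGate's exported config, not just the ones the exposure checker flags: an account that exists only on the device, never in your change records, is exactly the artifact the campaign leaves behind.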
How to Detect Compromise
Review SSL VPN, IPsec, and administrator authentication logs for at least the past 90 days, and look for:
- logins from unexpected geographies or IP ranges, or outside business hours;
- administrator accounts not created through your change management process (the names forticloud-sync and forticloud-tech have appeared on compromised devices);
- sensitive CLI activity outside maintenance windows, such as show full-configuration or configuration backup exports.
After cleanup, terminate all active sessions and require re-authentication before restoring access.
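As an added example of that review (not Fortinet's tooling, and not code from the original article), the script below triages FortiGate-style key=value event lines for the first two signals: logins outside business hours or from addresses outside expected ranges, and administrator accounts being added, with the rogue names above called out. The log lines are constructed; the field names it keys on (logdesc, user, srcip, remoteip, action, cfgpath, cfgobj) and the business-hours window are assumptions to adapt to what your device actually emits:

```python
# Added example, not Fortinet's tooling: triage FortiGate-style key=value event
# logs for off-hours or unexpected-source logins and for admin accounts being
# added. Log lines are constructed; field names are assumptions to adapt.
import ipaddress
import re
from datetime import datetime, time
from typing import Dict, List

SAMPLE_LOGS = """\
date=2026-06-15 time=10:05:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.10.0.5 action="login" status="success"
date=2026-06-14 time=03:12:45 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=203.0.113.77 action="login" status="success"
date=2026-06-14 time=03:14:10 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" remoteip=198.51.100.23 user="jdoe" reason="login successfully"
date=2026-06-14 time=03:20:31 type="event" subtype="system" logdesc="Object attribute configured" user="netops" srcip=203.0.113.77 action="Add" cfgpath="system.admin" cfgobj="forticloud-sync"
date=2026-06-15 time=14:30:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" remoteip=10.20.0.44 user="asmith" reason="login successfully"
"""

# Assumed expectations; tune to your environment.
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
KNOWN_ROGUE_NAMES = {"forticloud-sync", "forticloud-tech"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def _source(ev: Dict[str, str]) -> str:
    return ev.get("srcip") or ev.get("remoteip") or ""


def _off_hours(ev: Dict[str, str]) -> bool:
    ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def _unexpected_source(ev: Dict[str, str]) -> bool:
    src = _source(ev)
    if not src:
        return False
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in EXPECTED_NETS)


def triage(log_text: str) -> List[str]:
    """Return one finding string per suspicious event, in log order."""
    findings: List[str] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        is_login = (ev.get("logdesc") == "Admin login successful"
                    or ev.get("action") == "tunnel-up")
        who, src = ev.get("user", "?"), _source(ev)
        when = f"{ev['date']} {ev['time']}"
        if is_login:
            if _off_hours(ev):
                findings.append(f"{when} off-hours login by {who} from {src}")
            if _unexpected_source(ev):
                findings.append(f"{when} login by {who} from unexpected source {src}")
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            new_admin = ev.get("cfgobj", "?")
            tag = ("KNOWN ROGUE NAME" if new_admin in KNOWN_ROGUE_NAMES
                   else "verify against change records")
            findings.append(f"{when} admin account '{new_admin}' added by {who} ({tag})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

The netops login at 03:12 on a Sunday from an unexpected address, followed eight minutes later by the creation of forticloud-sync, is the pattern to look for: a legitimate account used from the wrong place, then persistence. Point the script at your exported logs (or FortiAnalyzer export) and widen EXPECTED_NETS to your real admin and VPN egress ranges before trusting the quiet result.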
The Real Lesson
FortiBleed is a credential hygiene failure at scale, not just another CVE story. The software vulnerabilities that enabled config extraction were patched — some of them years ago. What was never addressed was the assumption that patching software is sufficient. It is not. Extracted credentials age gracefully. A cracked SHA-256 password from 2023 still opens a 2026 firewall if no one rotated it.
The Huntress FortiBleed remediation guide for MSPs and IT teams and SecurityWeek's reporting on the full dataset scope are both worth reading before you close this tab.