Breaking - June 18, 2026

FortiBleed: When 73,000 Firewalls Become Open Doors

AttackMetricX Threat Intelligence | Attack Surface Management | 8 min read

73,932 firewall URLs exposed
194 countries affected
1.16B credential attempts logged

The Breach That Should Not Have Been Possible

Yesterday, the cybersecurity world woke up to one of the largest credential exposure events ever recorded against enterprise network infrastructure. A dataset dubbed "FortiBleed" surfaced containing verified login credentials and configuration data for 73,932 Fortinet firewall and FortiGate VPN endpoints across 194 countries, roughly half of all internet-accessible FortiGate devices on the planet.

The list reads like an index of the Fortune Global 500: Samsung, Oracle, Chevron, AT&T, Foxconn, Siemens, Comcast, Mercedes-Benz, Toyota, PwC, Accenture, and hundreds of government agencies.

These credentials were verified, tested, and confirmed working by the attackers themselves, before the data ever surfaced publicly.

What Actually Happened

Security researcher Volodymyr "Bob" Diachenko discovered an exposed operational server belonging to what researchers believe is a Russian-speaking, multi-operator threat group. The server did not just contain stolen credentials; it revealed the group's full attack infrastructure: automation scripts, tooling, victim databases, and a log of approximately 1.16 billion credential attempts against 320,000+ FortiGate targets.

The attack methodology was systematic and industrial in scale:

01 Harvest

Compiled credentials from prior Fortinet leaks (including the January 2025 "Belsen Group" incident) and infostealer logs circulating on dark web markets.

02 Crack

SSL VPN authentication hashes were intercepted and cracked using a dedicated 45-GPU cluster running Hashtopolis, turning even complex passwords into plaintext.

03 Validate

Automated scanners tested every credential against live devices around the clock, building a verified-working database of confirmed access points.

04 Persist

Once inside a device, the group used it as a passive listening post, capturing credentials flowing through the VPN to feed back into the scanner. A self-sustaining credential harvesting loop.

Password complexity offered zero protection. A 20-character complex string is just as vulnerable as "admin123" when the attacker is not guessing but replaying a stolen plaintext credential.

FortiBleed Is Not a Fortinet Vulnerability, It Is a Detection Failure

It is important to be precise here. FortiBleed is not a zero-day. Fortinet did not ship a backdoor. This campaign succeeded almost entirely because organizations:

  • Never rotated credentials after prior Fortinet incidents
  • Left management interfaces directly exposed to the internet
  • Had no visibility into whether their credentials had appeared in dark web markets
  • Had no way to detect that their FortiGate device was being used as a passive surveillance node

The attackers did not need to break anything. They walked in through unlocked doors that organizations did not know were unlocked. This is precisely the kind of threat that traditional vulnerability scanning and perimeter monitoring will never catch.

The Exposure Gap: 12 Months of Compound Failure

FortiBleed did not happen overnight. It is the cumulative payoff of a pattern building for over a year:

November 2025

Active exploitation of FortiWeb CVE-2025-64446 and related appliances begins across enterprise targets.

December 2025

Compromised FortiGate devices emerge as a recurring entry point in attacks on healthcare and critical infrastructure.

February 2026

CVE-2026-24858, a CVSS 9.4 FortiCloud SSO bypass and the fourth authentication-bypass flaw in eight weeks, exposes systemic weakness in Fortinet's authentication architecture.

February 2026

A single threat actor uses off-the-shelf AI tooling to breach 600+ FortiGate firewalls across 55 countries in five weeks.

May 2026

FortiClient EMS CVE-2026-35616 weaponizes the patch cycle itself, delivering the EKZ infostealer disguised as a Fortinet firmware update.

June 17, 2026 - Today

FortiBleed: credentials for 73,932 firewalls surface in a single dataset, the cumulative payoff of every leaked credential the prior incidents helped harvest.

The question for security teams is not "are we vulnerable to FortiBleed?" The question is: "How many of our credentials are already on a list we cannot see?"

What AttackMetricX Sees That You Don't

This is where traditional security tooling falls short, and where AttackMetricX was built to operate. Our platform continuously monitors your external exposure across three dimensions that directly map to how FortiBleed-style campaigns work.

01 Dark Web Breach Intelligence

The FortiBleed campaign ran on credentials that had already leaked. Most organizations had no idea their credentials were circulating. AttackMetricX continuously scans breach databases, credential markets, and threat actor forums for your organization's domains, emails, and credentials. When your data surfaces, you find out before the attacker validates it.

02 Attack Surface Discovery & Exposure Monitoring

The FortiBleed dataset was heavily weighted toward devices with management interfaces directly exposed to the internet. AttackMetricX continuously enumerates your external attack surface: exposed management panels, VPN endpoints, open ports, forgotten subdomains, and services that should never be internet-facing.

03 Threat Exposure Correlation

FortiBleed is the intersection of leaked credentials, exposed endpoints, and absent detection. AttackMetricX correlates threat intelligence across all three layers, giving security teams a prioritized view of which exposures are actively being targeted, not just which CVEs exist on paper.

"Do any of our assets match the fingerprint of targeted devices? Are any of our credentials in the leaked dataset? Do we have FortiGate management interfaces exposed to the internet?" These questions should take minutes. Without continuous ASM, they take days.

Immediate Actions for Organizations Running Fortinet

Whether or not you appear in the FortiBleed dataset, treat the following as urgent:

  • Rotate all FortiGate admin and VPN credentials immediately, especially any unchanged since 2022 or 2024.
  • Enable MFA on all remote access and administrative accounts. Verified credentials are useless against a second factor.
  • Remove management interfaces from the public internet. Restrict admin panel access to trusted IP ranges only.
  • Audit VPN and firewall logs for unusual access times, unknown source IPs, or dormant accounts becoming active.
  • Search the FortiBleed dataset using public lookup portals that have published verified domains.
  • Verify your credentials are not in circulation. This is where AttackMetricX dark web monitoring becomes essential.
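To illustrate the log-audit step above, here is an added Python example (not code from AttackMetricX or Fortinet) that scans constructed FortiGate-style SSL-VPN tunnel-up events and flags logins from outside trusted ranges, off-hours logins, and dormant accounts becoming active. The trusted network, the working-hours window, the 90-day dormancy threshold and the per-account last-seen baseline are assumptions a team would replace with its own.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed FortiGate-style SSL-VPN events in key=value form (sample lines, not real captures).
SAMPLE_LOGS = """\
date=2026-06-17 time=09:14:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jdoe" remip=198.51.100.20
date=2026-06-17 time=03:22:41 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="svc-backup" remip=203.0.113.77
date=2026-06-17 time=11:05:19 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="asmith" remip=203.0.113.9
date=2026-06-17 time=13:40:00 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-web" user="jdoe" remip=198.51.100.20
"""

# Assumed baselines: trusted egress ranges, last known login per account, normal hours, dormancy threshold.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
LAST_SEEN = {
    "jdoe": datetime(2026, 6, 16),
    "svc-backup": datetime(2025, 11, 2),  # untouched for months
    "asmith": datetime(2026, 6, 10),
}
WORK_HOURS = range(6, 21)  # 06:00-20:59 counts as normal
DORMANT_AFTER = timedelta(days=90)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def flag_event(ev, trusted=TRUSTED_NETS, last_seen=LAST_SEEN):
    """Return the reasons a tunnel-up event looks suspicious (empty list if none)."""
    if ev.get("action") != "tunnel-up":
        return []
    when = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
    src = ipaddress.ip_address(ev["remip"])
    reasons = []
    if not any(src in net for net in trusted):
        reasons.append("untrusted-source")
    if when.hour not in WORK_HOURS:
        reasons.append("off-hours")
    prev = last_seen.get(ev["user"])
    if prev is not None and when - prev > DORMANT_AFTER:
        reasons.append("dormant-account-active")
    return reasons

def review(logs=SAMPLE_LOGS):
    """Map each flagged user to the reasons raised for their tunnel-up events."""
    findings = {}
    for ev in map(parse_line, logs.splitlines()):
        if reasons := flag_event(ev):
            findings[ev["user"]] = reasons
    return findings
```

Feeding real FortiGate exports through review() turns the "unusual access times, unknown source IPs, or dormant accounts" checklist into a repeatable triage list rather than a manual read of the log.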

The Lesson FortiBleed Teaches

FortiBleed is a credential reuse campaign dressed up as an infrastructure breach. The attackers did not need a zero-day. They needed patience, automation, and the certainty that most organizations never clean up after previous incidents.

The security industry has spent years focused on vulnerability management, finding and patching CVEs. FortiBleed is a reminder that threat exposure management is a different discipline entirely. It is not about what is broken in your software. It is about what is already known about your organization on the other side of the internet.

AttackMetricX exists to answer that question continuously, so when the next FortiBleed surfaces, your team is not scrambling to check lists. You already know whether you are on them.