
Security researchers have identified an active, large-scale credential compromise campaign affecting Fortinet FortiGate firewalls, which has been dubbed FortiBleed.
According to Hudson Rock, the dataset contains 73,932 unique firewall URLs across 194 countries and impacts 21,632 unique domains. The number of compromised devices stands at 86,644 as of June 19, 2026, according to data from SOCRadar. And the group behind it is still adding new victims.
The dataset was surfaced on June 17, 2026 by security researcher Volodymyr “Bob” Diachenko and verified by Hudson Rock, SOCRadar, Arctic Wolf, and Kevin Beaumont. Among the organizations Hudson Rock says appear in the dataset are Foxconn, Samsung, Comcast, Siemens, Lenovo, PwC, Accenture, Oracle, and numerous government agencies and critical infrastructure operators.
How the Group Built Its Credential Database
The group sourced passwords from prior Fortinet breach dumps and from infostealer malware logs, the output of software that silently extracts credentials saved in browsers and VPN clients. They then tested those credentials automatically against every reachable FortiGate device and recorded every successful login. Approximately 1.16 billion authentication attempts were launched against more than 320,000 FortiGate targets.
The campaign exploits a specific weakness in FortiOS credential management. When devices are upgraded from older versions, administrator passwords remain stored as weak SHA-256 hashes until the administrator manually logs in after the upgrade. Attackers leveraged a 45-GPU offline cracking infrastructure to systematically break these hashes at scale, yielding validated working credentials for tens of thousands of devices.
Once inside a compromised firewall, the attackers did not stop at extracting the configuration file. They used packet sniffing to intercept network traffic, allowing them to harvest NTLM and Kerberos hashes for users across the entire environment, which means any Active Directory account could potentially be compromised. This turned each compromised firewall into a collection tool for further attacks deeper inside the victim’s network.
Who Was Behind It and How Far It Reached
According to both Hudson Rock and SOCRadar, the group behind the hacking campaign appears to be Russian-speaking. SOCRadar’s research identified operational infrastructure belonging to the threat group, including databases of validated credentials organized by country, sector, and organization revenue.
Diachenko confirmed that attackers gained full network access to organizations across Japan, Taiwan, Vietnam, Iraq, and Turkey. In one of the most alarming disclosures, classified military documents were reportedly exfiltrated from a Turkish NATO defense contractor.
The company also released statistics showing that the highest number of affected devices was in India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates. The most common sectors for the listed companies are telecommunications, IT services, financial services, government organizations, healthcare providers, educational institutions, and manufacturing.
What Fortinet Said and What Researchers Counter
In a blog post shared on June 19, 2026, Fortinet said the FortiBleed campaign likely involves the threat actors reusing credentials from previous incidents, referenced externally as CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719, along with brute-force techniques against devices with weak password hygiene and no multi-factor authentication.
However, independent researchers pushed back on that framing. Cybersecurity researcher Kevin Beaumont independently reviewed portions of the exposed data and told BleepingComputer that some of the credentials are authentic. He noted that many affected devices were running relatively recent FortiOS versions, which pointed to an active and ongoing operation rather than a recycling of old data.
CISA Steps In
CISA issued an alert noting that malicious cyber actors had targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials. The agency urged impacted Fortinet customers with FortiGate appliances and associated SSL VPN gateways to immediately terminate all active sessions, reset credentials, and reset all Fortinet VPN and administrative passwords, especially on internet-facing systems.
Researchers estimate that approximately 50% of all internet-reachable FortiGate devices may be affected across 194 countries, making this one of the most significant Fortinet security incidents to date. The dataset is now circulating in criminal underground communities, meaning threat actors who had no part in building it may now be working through it for their own campaigns.
What Holding These Credentials Actually Means
A Fortinet FortiGate firewall sits at the edge of a company’s network and decides what traffic comes in and goes out, as well as who can access the internal network remotely through a VPN. When a criminal group holds verified admin credentials for that device, they have the ability to log in as an administrator, change security rules, create new backdoor accounts that continue to exist even after passwords are reset, disable logging so their activity leaves no trace, and intercept all traffic moving through the firewall.
Beyond the firewall itself, the position gives attackers a foothold to move deeper. Because the compromised device sits on the network perimeter, it sees all traffic coming in and out of the organization, including authentication traffic from employees logging into internal systems. For the named companies, this means the risk is not limited to the firewall: any internal system reachable from the network the firewall protects is potentially exposed to follow-on attacks.
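The two behaviours described above, a successful admin login that follows a burst of automated failures, and the backdoor-account creation and logging changes an attacker makes once in, both leave traces in the firewall's own event log. The script below is an added example of what a defender can run over those logs; it is not code from the article or from Fortinet. The log lines are constructed and only approximate FortiGate's key=value event format (field names such as srcip, cfgpath, cfgobj and cfgattr, and the log descriptions, are assumptions here, so map them to what your own device emits before relying on the matches). The thresholds (five failures within five minutes) are also assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a FortiGate-style key=value layout.
# They are illustrative only, not output from a real appliance.
SAMPLE_LOGS = """\
date=2026-06-18 time=01:58:00 logdesc="Admin login failed" user="admin" srcip=10.0.0.5 action="login" status="failed"
date=2026-06-18 time=01:58:20 logdesc="Admin login successful" user="admin" srcip=10.0.0.5 action="login" status="success"
date=2026-06-18 time=02:14:01 logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed"
date=2026-06-18 time=02:14:02 logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed"
date=2026-06-18 time=02:14:03 logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed"
date=2026-06-18 time=02:14:04 logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed"
date=2026-06-18 time=02:14:05 logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed"
date=2026-06-18 time=02:14:06 logdesc="Admin login failed" user="admin" srcip=198.51.100.7 action="login" status="failed"
date=2026-06-18 time=02:14:09 logdesc="Admin login successful" user="admin" srcip=198.51.100.7 action="login" status="success"
date=2026-06-18 time=02:15:30 logdesc="Object attribute configured" user="admin" srcip=198.51.100.7 action="Add" cfgpath="system.admin" cfgobj="svc_backup"
date=2026-06-18 time=02:16:02 logdesc="Object attribute configured" user="admin" srcip=198.51.100.7 action="Edit" cfgpath="log.disk.setting" cfgattr="status[enable->disable]"
date=2026-06-18 time=08:00:00 logdesc="Admin login successful" user="admin" srcip=10.0.0.5 action="login" status="success"
"""

# Matches key=value pairs where the value is either double-quoted or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value event line into a dict, with a parsed timestamp under 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_stuffing_success(events, max_failures=5, window=timedelta(minutes=5)):
    """Flag a successful admin login that follows >= max_failures failed logins
    from the same source IP inside the sliding window. A normal admin mistyping
    a password once stays below the threshold; an automated credential test does not."""
    recent = defaultdict(deque)  # srcip -> timestamps of recent failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("action") != "login":
            continue
        ip = ev.get("srcip")
        queue = recent[ip]
        while queue and ev["ts"] - queue[0] > window:  # drop failures outside the window
            queue.popleft()
        if ev.get("status") == "failed":
            queue.append(ev["ts"])
        elif ev.get("status") == "success" and len(queue) >= max_failures:
            alerts.append({"srcip": ip, "user": ev.get("user"),
                           "failures": len(queue), "ts": ev["ts"]})
            queue.clear()
    return alerts


def detect_post_login_changes(events, suspicious_ips):
    """Among config-change events from an already-flagged source IP, pick out the two
    persistence moves the article describes: a new admin account and logging disabled."""
    findings = []
    for ev in events:
        if ev.get("srcip") not in suspicious_ips:
            continue
        path = ev.get("cfgpath", "")
        attr = ev.get("cfgattr", "")
        if path == "system.admin" and ev.get("action") == "Add":
            findings.append({"kind": "new_admin_account",
                             "object": ev.get("cfgobj"), "srcip": ev["srcip"]})
        elif path.startswith("log.") and "->disable" in attr:
            findings.append({"kind": "logging_disabled",
                             "path": path, "srcip": ev["srcip"]})
    return findings


def analyze(text):
    """Run both detections; the second is scoped to IPs the first flagged."""
    events = parse_logs(text)
    stuffing = detect_stuffing_success(events)
    flagged_ips = {a["srcip"] for a in stuffing}
    return {"stuffing": stuffing,
            "post_login": detect_post_login_changes(events, flagged_ips)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for alert in result["stuffing"]:
        print(f"[stuffing] {alert['srcip']} logged in as {alert['user']} "
              f"after {alert['failures']} failures at {alert['ts']}")
    for finding in result["post_login"]:
        print(f"[post-login] {finding}")
```

Because the firewall is exactly the device an attacker may reconfigure to stop logging, this only works if event logs are shipped off the appliance (to a syslog collector or SIEM) as they are generated; the `logging_disabled` finding is the last event you may ever receive from a compromised device, so treat it as a high-priority alert rather than informational.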