FortiBleed: Credential-Harvesting Campaign Targets FortiGate Devices
By Mia Skibinski
FortiBleed is a global credential compromise campaign targeting internet-facing Fortinet firewalls and SSL VPN gateways. The attack was disclosed in mid-June after researchers identified an inadvertently exposed attacker server containing a verified database of valid administrator and VPN credentials. As of 2026-06-19, there are over 80,000 identified devices across 194 different countries, with security firm SOCRadar confirming 86,644 working credentials. The campaign has been active since at least February 2026 and has been attributed to a financially motivated, Russian-speaking initial access broker (IAB), with the most recent analysis by SOCRadar linking the threat actor to the Lynx/INC ransomware group pending further analysis (SOCRadar, 2026). Additionally, SOCRadar explains that the campaign involves activity such as collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying continuous sniffers on compromised FortiGate firewalls that capture credentials. There also appears to be a heavy focus on Small and Medium Businesses with fewer than 200 employees across multiple regions, with a notable emphasis on India and the United States (SOCRadar, 2026). Presence in the dataset should be treated as a prompt to investigate rather than proof of internal compromise.
The attack runs on a fully automated, self-sustaining cycle. Initially, brute-forcing techniques applying a list of leaked Fortinet passwords are used against exposed devices. Once access is obtained, a custom Golang-based credential-harvesting tool dubbed FortigateSniffer is deployed to passively capture credentials from traffic passing through the compromised device. The new credentials are then cracked and reused for additional lateral movement into internal networks. Customers with impacted FortiGate appliances should immediately reset all admin and VPN credentials, enforce MFA, upgrade to the latest supported FortiOS version, and restrict management access from the public internet, in line with guidance issued by Fortinet (Fortinet, 2026).
Vulnerability Type
FortiBleed is not associated with a new public CVE. Based on vendor reporting and threat intelligence analysis, the campaign exploits weak authentication practices rather than a software flaw, with threat actors reusing credentials from previous incidents and employing brute-force techniques against Fortinet devices. Affected devices had SSL VPN and management interfaces exposed to the internet, weak password hygiene, and a lack of MFA. It is important to note, however, that Fortinet has linked the campaign to two previous advisories (FG-IR-26-060, FG-IR-25-647), citing the reuse of credentials that were leaked during these incidents.
Observations based on public reporting:
- Initial access used reused leaked credentials, applied through brute-force and credential-stuffing
- Stored password hashes from device configs were exported and cracked offline to produce new working credentials
- Telcos and MSPs were specifically targeted as a path into downstream networks, with evidence of internal Active Directory access
Fortinet emphasizes that the activity is not a new vulnerability and is not related to any recent incident or advisory (Fortinet, 2026). Instead, threat actors exploit weak authentication practices on Fortinet devices. Accordingly, FortiBleed is classified as a credential reuse campaign with no evidence of a zero-day exploitation event (SOCRadar, 2026).
The threat actor behind FortiBleed is assessed as a financially motivated, Russian-speaking IAB. This intent is evident from the actor's unintentionally exposed server, which held a list of remote-access logins paired with working credentials prepared for sale. Brokers of this type often sell access to other criminal actors rather than exploit it themselves, though in this case the operation appears tied directly to ransomware deployment. A recent update from SOCRadar has attributed the threat actor to the Lynx/INC ransomware group, based on an operator found accessing both groups' ransomware negotiation panels from FortiBleed infrastructure and on victim overlap with INC's leak site, with a full technical whitepaper pending. Resale activity that may be linked to the campaign has already been observed, though the credibility of the individual sellers varies.
Recorded Future’s Insikt Group identified at least two actors offering data allegedly tied to FortiBleed and assessed only one as likely credible. The credible seller, operating under the moniker "SantaAd," is an established member of a top-tier criminal forum and advertised an auction of FortiGate VPN data in mid-June 2026. However, it remains unconfirmed whether this dataset is the same one involved in FortiBleed due to the lack of a sample accompanying the listing. The second, lower-credibility actor adopted the ShinyHunters name and circulated the data on Telegram in what researchers assess to be an extortion attempt (Recorded Future, 2026). The significance of this resale model is that compromise does not stay contained to the original attacker. Once credentials are cracked and catalogued for sale, they can pass to buyers who independently operate from unrelated infrastructure. For affected organizations, these downstream effects indicate that exposure persists well beyond the lifespan of the campaign. Presence in the dataset alone warrants treating perimeter credentials as compromised regardless of remediation elsewhere.
Impacted Versions
Internet-facing FortiGate firewalls and SSL VPN gateways across all sectors and regions (not specific to a single firmware version)
- Heightened risk: devices running FortiOS prior to versions 7.2.11, 7.4.8, and 7.6.1 (PBKDF2-based password hashing upgrade) or devices upgraded without administrator re-authentication
- Legacy SHA-256-based storage mechanism for admin credentials remains in place until update and admin re-authentication; attacker can crack legacy SHA-256 hashes from exported configs
As of Fortinet's June 19, 2026 advisory, affected devices generally had SSL VPN and/or administrative interfaces exposed to the internet, weak password hygiene, and no MFA.
Mitigation Steps
Recommendations from Fortinet, CISA, and SOCRadar include:
- Terminate sessions and reset credentials
- Terminate all active SSL VPN and administrative sessions
- Reset all Fortinet VPN and administrative passwords (especially on internet-facing systems)
- Enforce strong password policies on reset
- Implement Multi-Factor Authentication (MFA)
- Require MFA (phishing-resistant if possible) on all administrative and VPN accounts
- Ensure MFA is enforced on all external gateways and administrative interfaces
- Ensure secure credential storage
- Upgrade to latest Fortinet versions of 7.4, 7.6, or 8.0 (supports PBKDF2 hashing)
- Confirm usage of PBKDF2 to store all administrator credentials
- Remove older legacy password settings (Fortinet, 2026)
- Review logs for suspicious activity
- Unexpected administrator access from an unknown IP
- Unusual access times
- Unknown locations
- Lateral movement
- Suspicious/inactive account activity
- Reduce attack surface and lock down management access
- Ensure administration of firewall is inaccessible from public internet
- Restrict Fortinet management interfaces to trusted internal networks
- Remove or disable unauthorized or unnecessary accounts
- Validate configurations
- Review firewall, VPN users, and other configuration for unauthorized changes
Note: although FortiOS 7.2.11 introduced PBKDF2, Fortinet's guidance directs upgrades to 7.4, 7.6, or 8.0.
Exploit Process
The FortiBleed attack chain is a highly automated, self-sustaining playbook targeting internet-facing FortiGate firewalls and SSL VPN gateways. The campaign operates through a five-stage attack chain, which includes host reconnaissance, initial access through brute-forcing techniques, sniffer deployment on compromised devices, exploitation of internal services using cracked credentials, and exfiltration of sensitive data and session cookies to maintain authenticated access to compromised environments. While FortiGate devices are the primary focus, the operation runs several parallel tracks against other exposed services, including MSSQL servers and Synology devices, with each track following the same pattern of pairing targets with credentials, fingerprinting the protocol, and validating access at scale. Activity details below are drawn from public reporting by SOCRadar.
Phase 1 - Reconnaissance
- Initial Credential Sourcing: Campaign maintains two distinct credential sources with different purposes
- creds.txt : plaintext file containing combined data from previous leaks and purchased datasets used as input for credential stuffing across all tracks
- base0.txt-base15.txt : 16 plaintext dictionaries containing curated FortiGate administrative account naming conventions used exclusively for SSH brute-force activity
- Scanning and Device Identification: Campaign uses multiple active scanners with passive enrichment utilities for reconnaissance
- Masscan: publicly available scanner used to identify open ports
- Shodan_Recon: queries Shodan’s (search engine for internet-connected devices) database to retrieve hostnames, open ports, SSL certificate metadata, and service categories for each host
- FortiProbe-fast: multithreaded probe used to filter raw target list into three categories (confirmed FortiGate, non-FortiGate, dead/unresponsive)
- RDNS-Scan: large-scale PTR resolution across IP list to generate plaintext files containing results, including a list of hosts that resolve to corporate naming conventions
- GeoSplit: takes confirmed FortiGate list and partitions by country
- Target Ranking: All previously collected information converges to rank targets according to economic value
- match_corps.py : matches confirmed and geolocated FortiGate IPs to a list of organizations sorted by revenue
- merge_revenue.py : combines corporate data from multiple sources and ranks it by revenue
- build_report.py : compiles final report of domains that have not yet been compromised ordered by revenue
Phase 2 - Initial Access
- Credential Pairing: Correlates confirmed hosts and credentials into a combos file
- Gen_Rotator : generates host-to-credential combos file scan.txtin output format IP:PORT:login:pass
- Parallel Brute-Forcing: Four protocol-specific tracks use different corresponding checkers for authentication
- forticheck : used against FortiGate web interfaces for authentication to administrative panel and SSL VPN portal
- mpbrute2.bin : targets FortiGate administrative SSH access through credential stuffing and dictionary attacks using the 16 wordlists identified
- syno.bin : targets Synology DiskStation Manager (DSM) web interface on port 5001
- MSSQL_Checker : targets native SQL Server TDS protocol
Phase 3 - Sniffer Harvest
- FortigateSniffer Deployment: Converts each compromised FortiGate into a passive listening post using gathered SSH credentials, silently capturing authentication traffic traversing the internal network
- FortigateSniffer: Golang-based credential-harvesting tool that abuses the FortiOS built-in diagnostic command diagnose sniffer packet to capture authenticated traffic from 24 network protocols
- Capture Process: 6-step functionality to deploy FortigateSniffer and extract credentials
- Loads a list containing the FortiGate SSH credentials
- Logs in via SSH and injects FortigateSniffer
- Parses raw SSH terminal output to extract timestamps and packet bytes
- Python tool PCAP Deep Analysis Toolkit that parses credentials, hashes, and tickets
- Writes report files per device with CyberStrike (open-source AI powered autonomous penetration testing agent) potentially assisting in parts of the workflow
- Repeats after the next web interface trigger
Phase 4 - Exploitation
- Credential Cracking: Converts collected hashed artifacts into reusable cleartext credentials
- Hashcat: publicly available GPU-based password-cracking utility that serves as a core repeatable component of the operational pipeline
- Hashtopolis: open-source client-server platform that distributes and manages Hashcat workloads across multiple machines
- bot.py : Telegram-based interface that coordinates and dispatches Hashcat jobs across GPU clusters
- Lateral Movement: Multiple Python scripts used to support different stages of lateral movement within compromised networks
- SMB validation tools authenticate and check privilege
- Kerberos/active directory validation tools iterate through username/password pairs against Domain Controllers
- Credential cleanup tools remove noise generated by automated brute-force activity
- AD enumeration tools run LDAP queries to identify privilege-escalation vectors
Phase 5 - Exfiltration
- Data Theft: Recursive enumeration on SMB shares to upload files to a remote SSH server without writing to local disk
- backup_dfs.py/backup_dfs2.py : automated exfiltration and synchronization tools that pulls files from a target SMB server and push them to the remote SSH server
- Session Hijacking: Uses session cookies and tokens captured by the sniffer to gain immediate authenticated access to internal applications without additional exploitation
- curl_replay.sh : host-specific scripts that replay HTTP session cookies and tokens to transform passive collection directly into active access
- Persistent Access Tooling: Provides repeatable access into the compromised environment without additional action
- Agent: compiled Go binary that turns each device into a remote command-execution point
- SSHlogger (.NET) + ssh-worker.exe: components that provide an interactive multi-session remote shell usable with any valid SSH credential obtained anywhere in the chain
This structured, multi-phase operation combines large-scale automation with targeted, hands-on-keyboard activity. The campaign is well organized but is also identified as not fully mature. SOCRadar's later analysis characterizes the operation as roughly 20 members with defined roles, with sniffers active on approximately 19,000 devices, falling to around 11,000 after impacted organizations were notified (SOCRadar Update, 2026). The actors continue to rely on manual steps and multiple discrete tools to structure and cleanse data, rather than a single unified workflow. These characteristics indicate an active threat that continues to evolve.
Timeline
| Date | Event |
|---|---|
2026-02-28 | Attackers scan internet for exposed remote-access systems |
| 2026-05-19 → 2026-05-21 | FortigateSniffer capture cycles deployed to initiate first wave of 20-min harvest intervals |
| 2026-05-31 → 2026-06-15 | New sniffer deployment wave begins; 659 harvest cycles execute across all compromised FortiGates; 110M+ credentials harvested |
| 2026-06-13 | Researcher Volodymyr Diachenko publicly reports dataset on LinkedIn |
| 2026-06-15 | Activity peak; stolen credentials cracked; backup data stolen from a NATO-aligned defense contractor |
| 2026-06-16 | SOCRadar publishes investigation and names campaign “FortiBleed” |
| 2026-06-18 | CISA publishes alert urging customers to reset credentials and enable MFA |
| 2026-06-19 | Fortinet confirms activity is credential reuse and brute-forcing |
| 2026-06-22 | Follow-up reporting details broader scale including 430,000+ targeted firewalls |
| 2026-06-29 | SOCRadar attributes FortiBleed to Lynx/INC ransomware group (full whitepaper pending) |
| Now | Campaign remains active with attacker infrastructure still operational at the time of reporting |
TTPs & IOCs
The following TTPs and IOCs are drawn from SOCRadar’s analysis of the FortiBleed attack infrastructure. The indicators below cover the campaign’s core infrastructure and primary tooling.
MITRE ATT&CK Techniques
| Tactic | Technique | ID | FortiBleed Usage |
|---|---|---|---|
| Reconnaissance | Active Scanning (Scanning IP Blocks) Search Open Technical Databases | T1595.001 T1596.005 | Scans the internet to find open RDP, SSH, and MSSQL services; Uses Shodan to identify and profile FortiGate devices |
| Initial Access | Exploit Public-Facing Application Valid Accounts (Default Accounts) External Remote Services | T1190 T1078.001 T1133 | Breaks into internet-facing FortiGate devices through the SSH and SSL-VPN login pages using weak/unchanged default credentials; Uses VPN access to reach defense contractor’s network |
| Execution | Command and Scripting (Unix Shell) | T1059.004 | Runs built-in FortiOS command over SSH to launch network traffic capture |
| Credential Access | Brute Force (Guessing, Cracking, Spraying, Credential Stuffing) | T1110.001-.004 | Guesses login credentials against FortiGate, MSSQL, and Synology systems; Cracks stolen password hashes; Reuses known credentials against login pages and domain controllers |
| Credential Access | Network Sniffing Adversary-in-the-Middle | T1040 T1557 | Uses compromised FortiGate to capture login traffic passing through it across multiple services |
| Credential Access | Steal Kerberos Tickets (Kerberoasting, AS-REP Roasting) | T1558.003-.004 | Captures Kerberos authentication data; Cracks credentials offline |
| Credential Access | Steal Web Session Cookie | T1539 | Reuses stolen session cookies to log into internal web applications without passwords |
| Discovery | Account Discovery (Domain Account) Network Service Discovery | T1087.002 T1046 | Maps out internal user accounts, computers, and email addresses; Scans for open RDP and MSSQL services |
| Collection | Data from Network Shared Drive | T1039 | Copies files in bulk from internal network file shares |
| Command and Control | App Layer Protocol (Web) | T1071.001 | Controls operation through web-based dashboard; Sends results back to central server |
IOCs
Network Indicators
| Subnet | Role |
|---|---|
| 85.11.187.0/24 (AS211486) | Primary C2 layer, anchored by aggregator node 85.11.187.8, hosting sniffers and scanners |
| 193.8.187.0/24 (AS206378) | Operational backbone for the pentest lab (193.8.187.2) and credential validation (193.8.187.42) |
| 194.113.39.0/24 (AS206378) | Dedicated sniffer capacity |
| 77.91.122.0/24 (AS201814, MEVSPACE) | Dedicated scanning and sniffer layer for ASN diversity |
File Indicators
| File | Description | SHA-256 |
|---|---|---|
fg_sniffer (multiple builds) | FortigateSniffer: deployed via SSH, abuses diagnose sniffer packet command to capture traffic across 24 protocols. Linux, Windows, and several iterative builds (v4, v5, "new") were observed | Linux: 4d0b62d3162d4be391e3ba1e191dad28e5e5d5b161cfdef60eeb4361a92d8413 Windows: 80d83eb01f28c87a61b51f1f83805e63a791905f019bd3b87f10a10f66efab1e (additional builds in SOCRadar report) |
forticheck | FortiGate credential checker: tests admin panel and SSL VPN portal | a8b09fd4f7ff2f298b45ca602992f44b3c2ac3746bcdb182c59ab2a20c690954 |
mpbrute2.bin | SSH credential stuffing/dictionary attack against FortiGate admin accounts using base0-base15 wordlists | 2c98c86e6bd6f46cbd6c89d855541b9da91515b1bb986641a77e31c5c6aa2abb |
gen_rotator | Combines hosts.txt and creds.txt into scan.txt combo lists; offline utility with no networking capability | b76d83918473be1550db8fe7bf60479841599bc5b0c30e2d1184432b99c7ff02 |
FortiProbe-fast | Multithreaded FortiGate probe: filters raw list into confirmed, non-FortiGate, and dead categories | fa36ad03e92e0399ec4eea7ba37e4a35fd7dc4391558f8f6e9899bce93095f5d |
Agent | Remote management/orchestration binary: allows management of attack tools across fleet via single HTTP call | a474e04340a6425914b110bcd55da50a5f3f618f8b36cb4da4bfa6bf1d3804b4 |
SOCRadar's report documents additional indicators, including a large proxy-rotation layer of shared residential and ISP addresses that should be treated as low-confidence, as well as secondary tools and iterative builds of the sniffer. The full lists are available in the report, and all hash values should be verified against the source before use.
Centripetal’s Perspective
Centripetal's CleanINTERNET® service helps organizations defend against FortiBleed, an active credential-harvesting campaign that targets internet-facing Fortinet FortiGate firewalls and SSL VPN gateways. Once attackers gain access to a device, they use it to steal credentials, move through internal networks, and exfiltrate sensitive data. CleanINTERNET uses billions of threat indicators from global threat intelligence feeds combined with human analysis to detect and block traffic to and from known-malicious infrastructure. This includes the operational servers, scanning systems, and sniffer nodes tied to this campaign, which can be blocked before they ever reach an organization's network. As FortiBleed depends on attackers finding and repeatedly probing exposed management and VPN interfaces, reducing that exposure is an important part of staying protected. By limiting the external attack surface and cutting off communication with hostile infrastructure, CleanINTERNET helps disrupt the attack early in its lifecycle before credentials can be harvested and reused.
It is important to recognize, however, that network-level blocking reduces exposure without fully closing the risk. The actor behind FortiBleed is a financially motivated IAB, indicating that credentials harvested earlier in the campaign may already have been sold or passed to other threat actors. Blocking this actor's known scanning, sniffer, and C2 nodes disrupts their specific collection and reuse cycle, but it cannot invalidate credentials that have already been sold. As a result, any organization with exposed FortiGate devices should assume prior compromise. Adhering to published recommendations such as rotating all administrative and VPN credentials, enforcing phishing-resistant MFA, and confirming PBKDF2-based credential storage remain essential even where network coverage is in place.
A layered approach is therefore the most effective defense against FortiBleed. CleanINTERNET prevents communication with hostile infrastructure and reduces the external attack surface to disrupt the campaign early in its lifecycle, while credential rotation, MFA enforcement, and management-interface lockdown close any residual risk. Defending at both the network and credential layers allows organizations to take a proactive approach to defense and maintain normal operations as the campaign continues to evolve.
Resources
- Fortinet - Analysis of Reported Credential Compromise of FortiGate Devices
- CISA - CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure
- SOCRadar - FortiBleed: SOCRadar’s Investigation into 86,644 Compromised Fortinet Firewalls
- SOCRadar Report - Dismantling FortiBleed
- SOCRadar Update - Is FortiBleed Connected Linked to INC and Lynx Ransomware? All You Need to Know
- The Hacker News - CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices
- The Hacker News - FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation
- CloudSEK - Inside the FortiBleed Open Directory: A Technical Analysis of What the Attacker Left Behind
- Recorded Future - FortiBleed Campaign Exposes Credentials for 73,932 FortiGate Systems
- Kevin Beaumont - An update on FortiBleed - what’s happening with victim orgs
Know what’s coming. Stop what’s next.
Sign up for our free threat alert bulletin service here.
The Cybercrime Barrier Your Organization Deserves
Sign up for a custom demonstration from our security team of how we bring together the best minds and most complete collection of threat intelligence to provide you with a shocking level of relief.