FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers
Campaign
Summary
Hide ▲
Show ▼
A new FortiGate abuse campaign is using FortiGate NGFW appliances as entry points to breach victim networks, creating immediate risk for healthcare, government, and managed service provider environments. Attackers are exploiting recently disclosed vulnerabilities or weak credentials to steal configuration files, service-account credentials, and network topology data. The activity includes repeated access, credential extraction, and follow-on intrusion steps that can deepen compromise beyond the perimeter device.
Related Happenings
FortiBleed multi-vendor brute-force wave
Exploitation Wave
H score75
First: 23.06.2026 21:20
Last: 23.06.2026 21:20
Sources 1
About this happening:
A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortiBleed multi-vendor brute-force wave
Exploitation WaveAbout this happening: A **multi-vendor brute-force wave** tied to **FortiBleed** is hitting **Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL** targets, expanding the risk from one firewall-focus...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
**FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware ActivityAbout this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...
Initial access broker (IAB) campaign expands across multiple victims
Campaign
H score89
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources 1
About this happening:
The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Initial access broker (IAB) campaign expands across multiple victims
CampaignAbout this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...
Latest development: 23.06.2026 13:30
On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data Leak
H score93
First: 22.06.2026 11:30
Last: 22.06.2026 11:30
Sources 1
About this happening:
The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
FortiGate firewall and SSL VPN customers data exposed after Fortinet breach
Data LeakAbout this happening: The **FortiBleed** credential leak exposed **around 75,000 stolen logins** from **FortiGate firewall and SSL VPN customers**, creating immediate account-takeover risk for affected...
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA warning on FortiBleed for FortiGate customers
Public Sector ActionAbout this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
Timeline
-
10.03.2026 18:21 2 articles · 4mo ago
FortiGate abuse campaign described in March 2026
Initial DisclosureSentinelOne described a new FortiGate abuse campaign affecting healthcare, government, and managed service provider environments, noting that threat actors used known vulnerabilities or weak credentials on FortiGate Next-Generation Firewall appliances to steal configuration files, extract service account credentials, and gain deeper access; the reporting also tied the campaign to a November 2025 breach that created a local administrator account named "support", a late January 2026 case that deployed Pulseway and MeshAgent, and a February 2026 phase that extracted encrypted LDAP credentials and enabled further access attempts.
Show sources
- FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials — thehackernews.com — 10.03.2026 18:21
- FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials — thehackernews.com — 10.03.2026 18:21