
CISA warning on FortiBleed for FortiGate customers

Public Sector Action
Happening score: 89
1 unique source, 1 article

Summary


CISA warned Fortinet customers with FortiGate appliances to secure exposed systems against ongoing malicious activity tied to FortiBleed. The activity had reached 86,644 compromised devices by June 19, 2026 and was targeting internet-accessible gateways and administrators. CISA directed operators to terminate active sessions, reset passwords, enforce strong password policies, and enable phishing-resistant MFA.

Related Happenings

FortiBleed Fortinet credential-theft campaign

Campaign
H score: 89 · First: 19.06.2026 13:48 · Last: 19.06.2026 13:48 · Sources: 1

How related: The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed.

About this happening: The **FortiBleed** campaign is an ongoing **Fortinet credential-theft** activity tied to **internet-accessible FortiGate appliances** and other Fortinet firewalls and VPN gateways...

CISA FortiBleed mitigation guidance

Advisory/Mitigation
H score: 67 · First: 19.06.2026 09:47 · Last: 19.06.2026 09:47 · Sources: 1

How related: CISA has outlined the following recommendations to defend against the activity -

About this happening: **CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak
H score: 80 · First: 17.06.2026 18:12 · Last: 17.06.2026 18:12 · Sources: 1

About this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...

Latest development: 19.06.2026 09:47

CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.

Fortinet FortiSandbox multi-CVE exploitation wave

Exploitation Wave
H score: 49 · First: 16.06.2026 12:19 · Last: 16.06.2026 12:19 · Sources: 1

About this happening: **Fortinet FortiSandbox** is facing an **active exploitation wave** that puts **affected deployments** at risk of **unauthenticated remote code execution** and **privilege escalat...

JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices

Malware Activity
H score: 33 · First: 10.06.2026 19:08 · Last: 10.06.2026 19:08 · Sources: 1

About this happening: The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...

Timeline

  1. 19.06.2026 17:00 · 1 article · 2h ago

    Working Fortinet credentials database surfaces on exposed server

    Initial Disclosure

    Security researcher Volodymyr "Bob" Diachenko discovered a server holding a database of working login credentials for thousands of Fortinet firewalls and VPN gateways across 194 countries, and SOCRadar said the same server also staged the operator's tools and automation scripts.

  2. 19.06.2026 17:00 · 1 article · 2h ago

    FortiBleed operators mass-scan Fortinet endpoints and spray stolen passwords

    Exploitation Observed

    The FortiBleed operators mass-scan Fortinet remote login endpoints, spray identified devices with known login and password combinations, and then monitor traffic through compromised appliances to harvest additional credentials for further compromise.

  3. 19.06.2026 17:00 · 1 article · 2h ago

    FortiBleed compromises 86,644 FortiGate devices across 194 countries

    Campaign Scope Update

    FortiBleed reached 86,644 compromised devices as of June 19, 2026, with telecom, government, and education emerging as the most impacted sectors and the largest exposures located in India, the U.S., Mexico, Colombia, and Thailand.

  4. 19.06.2026 17:00 · 2 articles · 2h ago

    CISA directs Fortinet customers to reset credentials and enable phishing-resistant MFA

    Mitigation Patch Update

    CISA directed Fortinet customers to terminate active SSL VPN and administrative sessions, reset Fortinet VPN and administrative passwords, enforce strong password policies, enable phishing-resistant MFA, and reduce the attack surface, while Fortinet said PBKDF2-based password hashing in FortiOS 7.2.11, 7.4.8, and 7.6.1 replaces the legacy SHA-256-based storage mechanism.
