FortiBleed Fortinet credential-theft campaign
Campaign
Summary
The FortiBleed campaign has exposed 86,644 working credentials from internet-facing Fortinet infrastructure, creating broad risk of account takeover and network intrusion across 194 countries. Researchers link the operation to credential theft, SSL VPN authentication interception, and large-scale brute-force activity against FortiGate and MSSQL targets. The blast radius reaches thousands of organizations, with confirmed compromise at four organizations and additional exposure across government and critical infrastructure sectors.
Related Happenings
CISA FortiBleed mitigation guidance
Advisory/Mitigation
H score: 69
First: 19.06.2026 09:47
Last: 19.06.2026 09:47
Sources 1
How related:
On Thursday, CISA issued an alert on FortiBleed, urging Fortinet customers to take hardening actions: terminate active sessions and reset credentials, ensure they use Password-Based Key Derivation Function 2 (PBKDF2) algorithm to store admin logins, review logs to identify suspicious activity, enable phishing-resistant MFA, and lock down management access to reduce the attack surface.
About this happening:
**CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score: 80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
How related:
“Discovered in June 2026, the operation has produced a verified database of over 86,644 confirmed working credentials across 194 countries, all collected from internet-facing Fortinet infrastructure,” the company says.
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
Campaign
H score: 82
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources 1
About this happening:
A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
FortiClient EMS CVE-2026-35616 exploitation wave
Exploitation Wave
H score: 56
First: 28.05.2026 18:26
Last: 28.05.2026 18:26
Sources 1
About this happening:
**CVE-2026-35616** exploitation in **FortiClient Enterprise Management Server (EMS)** is being used to deliver the undocumented credential stealer **EKZ**. Attackers are abusing u...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
H score: 39
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
Timeline
- 19.06.2026 13:48 · 2 articles · 1h ago
CISA urges hardening after FortiBleed exposes Fortinet credentials
Initial Disclosure
CISA urged organizations to harden internet-accessible Fortinet devices after the FortiBleed credential-theft campaign was linked to more than 86,000 firewalls and VPNs. Researchers described 86,644 confirmed working credentials collected from Fortinet infrastructure across 194 countries, with guidance to terminate active sessions, reset credentials, use PBKDF2 for admin logins, review logs, enable phishing-resistant MFA, and lock down management access.
Sources:
- FortiBleed: 86,000 Fortinet Device Credentials Compromised — www.securityweek.com — 19.06.2026 13:48