
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
Happening score (H score): 72
1 unique source, 1 article

Summary


The FortigateSniffer tool was used on compromised FortiGate devices to capture authentication traffic and extract credentials, creating a direct path to credential theft and offline password cracking. It abused FortiOS's `diagnose sniffer packet` feature and monitored traffic for secrets from protocols such as RADIUS, NTLM, Kerberos, and LDAP. The activity sat inside the broader FortiBleed operation, which targeted more than 430,000 FortiGate firewalls worldwide and has been active since at least February 2026.

Related Happenings

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score 89 · First: 22.06.2026 23:01 · Last: 22.06.2026 23:01 · Sources: 1

How related: According to SOCRadar, the operation targeted more than 430,000 FortiGate firewalls worldwide and has been active since at least February 2026.

About this happening: The **FortiBleed** campaign is actively harvesting credentials from **Fortinet FortiGate** devices, exposing authentication secrets across a **worldwide** target set and increasin...

CISA warning on FortiBleed for FortiGate customers

Public Sector Action
H score 89 · First: 19.06.2026 17:00 · Last: 19.06.2026 17:00 · Sources: 1

About this happening: **CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...

CISA FortiBleed mitigation guidance

Advisory/Mitigation
H score 67 · First: 19.06.2026 09:47 · Last: 19.06.2026 09:47 · Sources: 1

About this happening: **CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...

FortiBleed Fortinet/FortiGate VPN credential leak

Data Leak
H score 80 · First: 17.06.2026 18:12 · Last: 17.06.2026 18:12 · Sources: 1

About this happening: **FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...

Latest development: 19.06.2026 09:47

CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.

Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign

Campaign
H score 82 · First: 17.06.2026 18:12 · Last: 17.06.2026 18:12 · Sources: 1

About this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...

Timeline

  1. 22.06.2026 23:01 2 articles · 3h ago

    FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

    Initial Disclosure

    A Golang-based **FortigateSniffer** deployment began on compromised **FortiGate devices** after administrative access was obtained. It launched FortiOS packet sniffing to monitor authentication flows and collect credentials.
