Initial access broker (IAB) campaign expands across multiple victims
Campaign
Summary
The FortiBleed campaign is actively harvesting credentials from Fortinet FortiGate devices, exposing authentication secrets across a worldwide target set and increasing corporate network compromise risk. The operator is described as an initial access broker using credential stuffing and brute-force attacks to gain device access and pivot into corporate networks. A custom sniffer then captures credentials and password hashes from traffic traversing compromised firewalls.
Related Happenings
FortigateSniffer FortiOS packet-sniffer credential-harvesting tool
Malware Activity
H score: 72
First: 22.06.2026 23:01
Last: 22.06.2026 23:01
Sources: 1
How related:
One of the researchers' findings is the alleged use of a Golang-based tool dubbed "FortigateSniffer," which abuses FortiOS's built-in diagnose sniffer packet functionality to capture authentication traffic traversing compromised FortiGate devices.
About this happening:
The **FortigateSniffer** tool was used on compromised **FortiGate devices** to capture authentication traffic and extract credentials, creating a direct path to credential theft a...
CISA warning on FortiBleed for FortiGate customers
Public Sector Action
H score: 89
First: 19.06.2026 17:00
Last: 19.06.2026 17:00
Sources: 1
About this happening:
**CISA** warned **Fortinet** customers with **FortiGate appliances** to secure exposed systems against ongoing malicious activity tied to **FortiBleed**. The activity had reached...
CISA FortiBleed mitigation guidance
Advisory/Mitigation
H score: 67
First: 19.06.2026 09:47
Last: 19.06.2026 09:47
Sources: 1
About this happening:
**CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...
Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign
Campaign
H score: 82
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources: 1
About this happening:
A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...
FortiBleed Fortinet/FortiGate VPN credential leak
Data Leak
H score: 80
First: 17.06.2026 18:12
Last: 17.06.2026 18:12
Sources: 1
About this happening:
**FortiBleed** is a **data leak** of **Fortinet/FortiGate VPN credentials** that now includes a verified database of **86,644 confirmed working credentials** collected from **inte...
Latest development: 19.06.2026 09:47
CISA urged Fortinet customers to secure FortiGate appliances after nearly 74,000 firewall and VPN credentials were exposed in the FortiBleed leak. The agency advised affected owners to terminate SSL VPN and administrative sessions, reset VPN and administrative passwords, enable phishing-resistant multifactor authentication, review logs for unauthorized access or lateral movement, store admin credentials with PBKDF2, restrict firewall management interfaces from public internet access, and remove unauthorized accounts.
Timeline
22.06.2026 23:01 · 2 articles · 3h ago
FortiBleed campaign uses a custom FortiGate sniffer to steal credentials
Campaign Scope Update: SOCRadar says the FortiBleed campaign targeting Fortinet FortiGate devices used a Golang-based tool called FortigateSniffer to abuse FortiOS's `diagnose sniffer packet` feature, capture authentication traffic on compromised firewalls, and extract credentials, password hashes, Kerberos tickets, NTLM material, email credentials, and database credentials. The operation was described as targeting more than 430,000 FortiGate firewalls worldwide and as having been active since at least February 2026.
Sources:
- FortiBleed campaign used custom FortiGate sniffer to steal credentials — www.bleepingcomputer.com — 22.06.2026 23:01