FortiBleed multi-vendor brute-force wave

Exploitation Wave
Happening score: 75
1 unique source, 1 article

Summary

A multi-vendor brute-force wave tied to FortiBleed is hitting Fortinet, Synology, Sophos, Citrix, RDWeb, and MS-SQL targets, expanding the risk from one firewall-focused operation into a broader exposed-services campaign.

Related Happenings

Initial access broker (IAB) campaign expands across multiple victims

Campaign
H score 89 · First: 22.06.2026 23:01 · Last: 22.06.2026 23:01 · Sources: 1

How related: A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally.

About this happening: The **FortiBleed** campaign is a live **credential-harvesting** activity targeting **Fortinet FortiGate** devices worldwide. It has been active since at least **February 2026** an...

Latest development: 23.06.2026 13:30

On June 15, attackers behind FortiBleed successfully cracked Kerberos hashes and immediately exfiltrated DFS backup data from a NATO-aligned defense contractor, extending the campaign from credential harvesting into direct data theft.

FortigateSniffer FortiOS packet-sniffer credential-harvesting tool

Malware Activity
H score 72 · First: 22.06.2026 23:01 · Last: 22.06.2026 23:01 · Sources: 1

How related: Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command diagnose sniffer packet to passively capture authentication traffic from the infected appliances.

About this happening: **FortigateSniffer** is a **Golang-based credential-harvesting tool** used in the **FortiBleed** operation against **FortiGate firewalls**. It abuses **FortiOS** packet-sniffing f...

Russian-speaking FortiGate and Microsoft SQL Server bruteforce campaign

Campaign
H score 82 · First: 17.06.2026 18:12 · Last: 17.06.2026 18:12 · Sources: 1

About this happening: A Russian-speaking multi-operator threat group ran a **FortiGate** and **Microsoft SQL Server** bruteforce campaign that generated **billions of credential attempts**, raising the...

FortiSandbox unauthenticated command injection (CVE-2026-25089)

Vulnerability
H score 47 · First: 16.06.2026 13:30 · Last: 16.06.2026 13:30 · Sources: 1

About this happening: **CVE-2026-25089** is an **unauthenticated operating system command injection** in **FortiSandbox**-related products that was seen in **active exploitation** over the **past 24 ho...

Fortinet FortiSandbox multi-CVE exploitation wave

Exploitation Wave
H score 49 · First: 16.06.2026 12:19 · Last: 16.06.2026 12:19 · Sources: 1

About this happening: **Fortinet FortiSandbox** is facing an **active exploitation wave** that puts **affected deployments** at risk of **unauthenticated remote code execution** and **privilege escalat...

Timeline

  1. 23.06.2026 21:20 2 articles · 4h ago

    FortiBleed expands into a multi-vendor brute-force wave

    Campaign Scope Update

    The FortiBleed operation broadens into automated brute-forcing against Fortinet devices, Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers, marking a multi-vendor initial access wave that starts on February 28, 2026.

  2. 23.06.2026 21:20 1 article · 4h ago

    FortiGate capture cycle begins on compromised appliances

    Technical Analysis Update

    After SSH access is established on FortiGate appliances, FortigateSniffer is deployed to passively intercept authentication traffic through FortiOS diagnostic commands, including diagnose sniffer packet, with the FortiGate-related capture cycle commencing on May 19, 2026.

  3. 23.06.2026 21:20 1 article · 4h ago

    SOCRadar details FortiBleed's 110-million-credential harvesting operation

    Initial Disclosure

    SOCRadar discloses that FortiBleed has targeted over 430,000 FortiGate firewalls globally, with attackers launching 659 credential-harvesting pipelines on May 31 and June 15, 2026, extracting over 110 million credentials and focusing on SMBs, the United States, India, and IT services while cracking hashes with Hashmat and Hashtopolis under HASHBOT control.