Fortinet Warns of FortiBleed Credential Attacks on FortiGate
Fortinet has issued an urgent security advisory warning customers about an active credential-harvesting campaign targeting FortiGate network devices, now tracked as FortiBleed.
Unlike many high-profile attacks, this campaign does not exploit a newly disclosed vulnerability or zero-day flaw; instead, it weaponizes poor password hygiene, credential reuse, and the absence of multi-factor authentication (MFA).
The advisory, published on June 19, 2026, by Fortinet PSIRT’s Carl Windsor, confirms that threat actors are systematically reusing credentials exposed in prior incidents, specifically FG-IR-26-060 and FG-IR-25-647, alongside automated brute-force and credential stuffing techniques to gain unauthorized access to internet-facing FortiGate appliances.
FortiBleed Credential Attacks on FortiGate
Attackers are targeting administrative and VPN accounts on externally exposed FortiGate devices using two primary methods: credential stuffing, which involves replaying previously leaked username-password combinations from earlier Fortinet-related incidents, and high-speed brute-force attacks, which are increasingly augmented by automation and AI tooling to accelerate account compromise at scale.
Fortinet’s analysis stresses that organizations that failed to apply prior remediation guidance remain disproportionately exposed, especially those with legacy password configurations or management interfaces accessible from the public internet.
The company has already identified potentially impacted systems and is proactively notifying affected customers while coordinating with relevant government agencies as part of its ongoing investigation.
Security teams should treat several activity patterns as active red flags within FortiGate environments. Unauthorized account creation is among the most telling signs, particularly accounts named “forticloud,” “fortiuser,” or “fortinet-support,” which Fortinet has specifically flagged as potential indicators of malicious persistence.
Defenders should also monitor for anomalous administrative logins, access from unrecognized IP addresses, unusual domain controller activity, unexpected VPN session initiations, and signs of lateral movement within internal networks.
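As an added illustration (not Fortinet's code and not part of the advisory), the following Python turns the two indicators above into checks that run over FortiOS-style key=value event log lines: admin account creation under one of the flagged names, and bursts of failed logins from a single source address. The sample log lines are constructed, and field names such as cfgpath, cfgobj, status and srcip are assumptions about the log schema that should be checked against your own devices.

```python
import re
from collections import Counter

# Constructed sample events in FortiOS-style key=value log syntax (not real device
# output; field names such as cfgpath, cfgobj, status and srcip are assumptions).
SAMPLE_LOGS = [
    'date=2026-06-19 time=09:00:01 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="forticloud" '
    'msg="Add system.admin forticloud"',
    'date=2026-06-19 time=09:00:05 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.10)" action="Add" cfgpath="system.admin" cfgobj="ops-backup" '
    'msg="Add system.admin ops-backup"',
    'date=2026-06-19 time=09:02:00 type="event" subtype="system" user="vpnuser" '
    'action="login" status="failed" srcip=192.0.2.5 reason="passwd_invalid"',
] + [
    f'date=2026-06-19 time=09:03:{i:02d} type="event" subtype="system" user="admin" '
    'action="login" status="failed" srcip=198.51.100.7 reason="passwd_invalid"'
    for i in range(6)
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FLAGGED_ACCOUNTS = {"forticloud", "fortiuser", "fortinet-support"}  # named in the advisory

def parse_kv(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_suspicious_admin_creations(lines):
    """(actor, new account, source UI) for each admin account added under a flagged name."""
    hits = []
    for rec in map(parse_kv, lines):
        if (rec.get("action") == "Add" and rec.get("cfgpath") == "system.admin"
                and rec.get("cfgobj", "").lower() in FLAGGED_ACCOUNTS):
            hits.append((rec.get("user"), rec["cfgobj"], rec.get("ui")))
    return hits

def find_login_failure_bursts(lines, threshold=5):
    """{srcip: failures} for sources with at least `threshold` failed logins."""
    counts = Counter(
        rec["srcip"] for rec in map(parse_kv, lines)
        if rec.get("action") == "login" and rec.get("status") == "failed" and "srcip" in rec
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("flagged account creations:", find_suspicious_admin_creations(SAMPLE_LOGS))
    print("login-failure bursts:", find_login_failure_bursts(SAMPLE_LOGS))
```

The threshold and time window are deliberately simple; in production, bucket failures per source per minute and correlate with the unknown-IP and VPN-session indicators the advisory lists.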
Mitigations
Fortinet is urging immediate defensive action across all potentially affected deployments:
- Terminate all active administrative and VPN sessions immediately
- Reset all credentials across administrator and VPN accounts
- Implement MFA for every administrative and VPN account without exception
- Upgrade FortiOS to versions 7.4, 7.6, or 8.0, which introduce PBKDF2-based credential hashing, replacing weaker legacy encryption mechanisms
- Audit device configurations for unauthorized account creation or persistence indicators
- Restrict management access to trusted hosts only, apply local-in policies, or fully disable internet-facing administrative interfaces
- Monitor logs continuously for anomalous login patterns, unknown IP access, and privilege escalation attempts
Where compromise is suspected, Fortinet advises treating affected devices as fully compromised and initiating formal incident response procedures.
Organizations leveraging AD/LDAP authentication integrations should assume credential exposure and audit for unauthorized account use or privilege escalation attempts across connected environments.
Fortinet’s FortiGuard Incident Response team is available to assist with forensic investigation and containment for organizations unable to manage internal remediation independently.
The FortiBleed campaign reflects a broader, growing shift in threat actors’ tactics: attacking weak identity controls rather than waiting for unpatched vulnerabilities.
As credential reuse, stuffing attacks, and AI-accelerated brute-force techniques continue to dominate initial access vectors, the incident reinforces a critical operational principle: perimeter security devices are only as strong as the credential policies protecting them.
MFA enforcement, proactive credential hygiene, and routine configuration auditing are no longer optional hardening measures; they are foundational security requirements for any internet-facing infrastructure.