FortiBleed Breach Exposes 86K FortiGate Devices in Global Credential Campaign

CISA warns Fortinet customers about FortiBleed, a global credential-stuffing and brute-force campaign targeting internet-facing FortiGate firewalls and VPN gateways, with 86,644 devices compromised as of June 19, 2026. The attack, attributed to Russian-speaking actors, proceeds in two steps: scanning for exposed Fortinet endpoints, then using leaked or organization credentials to gain access, before passively harvesting more credentials. Sectors most affected include telecom, government, and education, with the U.K. NCSC calling it a worldwide campaign; many admins’ passwords remain SHA-256-hashed from older FortiGate versions, though PBKDF2 hashing is used in newer FortiOS releases. Fortinet maintains the incident data likely comes from prior breaches and brute-forcing, not a current advisory. CISA recommends terminating active sessions, resetting passwords on internet-facing systems, enforcing PBKDF2, applying strong password policies, enabling phishing-resistant MFA, reviewing logs, and reducing attack surfaces to mitigate risk.