Introduction
Large-scale intrusion campaigns rarely rely on cutting-edge technical sophistication. FortiBleed — revealed in mid-June 2026 by researchers at SOCRadar and Hudson Rock — makes that point with brutal clarity: more than 30,000 Fortinet firewalls and VPN gateways compromised across 194 countries, with zero unknown vulnerabilities exploited. The attackers' entry point was far simpler, and far more troubling: password lists harvested from previous breaches, combined with perimeter devices whose credentials no organisation had ever bothered to rotate.
Stale Credentials as the Primary Attack Vector
The threat group behind the campaign — presumed to be Russian-speaking — operated methodically. Armed with password databases collected from past Fortinet device compromises, they deployed automated tooling to scan the internet for exposed FortiGate instances and test credentials against each one. The operation involved approximately 1.16 billion authentication attempts against more than 320,000 identified targets.
The technique — credential stuffing — is nothing new. What sets FortiBleed apart is how deliberately it exploited a well-known organisational blind spot: after a data breach, IT teams typically rotate passwords on user endpoints and customer-facing services, but consistently overlook credentials on network perimeter devices. Firewalls, routers, and VPN concentrators fall off the checklist. The attackers knew this and made them their primary target.
A Self-Reinforcing Attack Cycle
The campaign's mechanics didn't stop at initial compromise. Once inside a device, the group converted it into a passive listening post: the equipment continued filtering legitimate corporate traffic while quietly capturing every credential in transit — internal application logins, VPN authentications, administrative sessions. That harvested data fed straight back into the password lists used to compromise the next wave of targets.
The result is a self-reinforcing cycle: each breached firewall expands the group's collection capacity, gradually building a network of discreet sensors embedded inside victims' infrastructure. Hudson Rock estimated more than 73,000 unique Fortinet URLs were affected — a figure significantly higher than the 30,000 confirmed devices cited by SOCRadar.
Victims Include Some of the World's Largest Organisations
The organisations identified in the exfiltrated data span a wide range: consulting firms, technology giants, industrial groups, banks, telecoms operators, and healthcare providers. Names including Accenture, Oracle, Samsung, Siemens, PwC, Comcast, Foxconn, and Lenovo appeared in the databases assembled by the attackers. The most heavily targeted countries were India, the United States, Taiwan, and Mexico — but with activity across 194 countries, FortiBleed is unambiguously a global problem.
What Security Teams Must Do Now
FortiBleed puts a direct question to every security leader: does your password rotation policy actually cover perimeter devices? Too often, the honest answer is no. Several priority actions are clear:
- Audit credentials on all internet-facing firewalls and VPN gateways, starting by verifying whether they were rotated following previously disclosed Fortinet-related breaches.
- Enable multi-factor authentication on all network device administration interfaces — a control still absent from many production environments.
- Monitor published indicators of compromise from research teams, particularly mass authentication attempts and connections originating from unusual IP ranges.
- Segment management access so that administration interfaces are never directly reachable from the public internet.
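The third action above, turned into code: an added example (not from the article or from any of the research teams it cites) that parses constructed FortiGate-style login events and flags sources that spray many usernames, that succeed only after failing, or that match a published indicator list. The key="value" field names and sample addresses are assumptions, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real telemetry) in a FortiGate-style key="value" format; field names are an assumption.
SAMPLE_LOGS = """\
date=2026-06-12 time=09:00:01 action="login" status="failed" user="admin" ui="https(203.0.113.5)"
date=2026-06-12 time=09:00:02 action="login" status="failed" user="fortinet" ui="https(203.0.113.5)"
date=2026-06-12 time=09:00:03 action="login" status="failed" user="netops" ui="https(203.0.113.5)"
date=2026-06-12 time=09:00:05 action="login" status="success" user="netops" ui="https(203.0.113.5)"
date=2026-06-12 time=09:10:00 action="login" status="failed" user="admin" ui="https(198.51.100.7)"
date=2026-06-12 time=09:10:30 action="login" status="success" user="admin" ui="https(198.51.100.7)"
date=2026-06-12 time=09:20:00 action="login" status="success" user="admin" ui="ssh(10.0.0.12)"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SRC_RE = re.compile(r'\(([\d.]+)\)')   # source address inside ui="https(a.b.c.d)"

def parse_line(line):
    """Return key -> value (quotes stripped) plus the source IP taken from ui=."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SRC_RE.search(fields.get("ui", ""))
    fields["src"] = m.group(1) if m else None
    return fields

def find_stuffing_sources(log_text, min_users=3, watch_ips=()):
    """Per source IP, flag many distinct failing usernames (credential stuffing),
    a success that follows failures, and any source listed in a published IoC set."""
    state = defaultdict(lambda: {"failed": 0, "users": set(), "hit": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("action") != "login" or not ev["src"]:
            continue
        s = state[ev["src"]]
        if ev.get("status") == "failed":
            s["failed"] += 1
            s["users"].add(ev.get("user"))
        elif ev.get("status") == "success" and s["failed"] > 0:
            s["hit"] = True
    findings = {}
    for src, s in state.items():
        reasons = []
        if len(s["users"]) >= min_users:
            reasons.append("many distinct usernames")
        if s["hit"]:
            reasons.append("success after failures")
        if src in watch_ips:
            reasons.append("matches published IoC")
        if reasons:
            findings[src] = reasons
    return findings
```

Feed it your own exported login events and the IoC addresses published by the research teams; the clean SSH login from an internal address produces no finding, while the spraying source and the watched source do.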
Technical sophistication was not the deciding factor in this campaign. It was credential hygiene — neglected on devices that organisations treat as permanent fixtures precisely because they rarely fail — that enabled one of the year's largest network perimeter compromises.