FortiBleed: Why 75,000 Hacked Firewalls Should Make You Question Your Network Security

If you have not heard of FortiBleed yet, you need to. In mid-June 2026, security researchers uncovered one of the largest firewall credential breaches ever recorded. A criminal group had quietly built a verified database of working administrator and VPN passwords for over 75,000 Fortinet FortiGate firewalls across 194 countries. That figure represents roughly 50% of all internet-facing Fortinet devices in the world.

Major household names are in the compromised dataset: Samsung, Siemens, Foxconn, Oracle, Accenture, DHL, Infosys, and many more. This is not a niche technical incident. It is a systemic failure that affects organisations of every size, in every sector, on every continent.

What Is FortiBleed?

FortiBleed is the name given to an automated, large-scale credential harvesting campaign targeting Fortinet FortiGate firewalls and SSL VPN gateways. Security researcher Volodymyr “Bob” Diachenko discovered the attackers’ operational server had been accidentally left exposed online, revealing not just the stolen credentials but the entire operation: the tools, the automation, and the victim list.

The attackers used a combination of methods to build their database:

  • Credential reuse from previous Fortinet breaches. Earlier incidents, including a 2021 leak of nearly 500,000 FortiGate VPN accounts and a 2022 zero-day exploitation campaign, left large volumes of credentials circulating on criminal forums. Many organisations never rotated those passwords after those earlier incidents.
  • Infostealer malware logs. An infostealer running on an administrator's workstation captures the password on the endpoint itself, before TLS ever protects it in transit. Password complexity is irrelevant at that point.
  • Offline hash cracking. Where credential stuffing failed, the group took the SSL VPN authentication hashes it had captured and cracked them offline on a 45-GPU distributed cracking cluster.
  • Self-feeding automation. Once a device was compromised, it was used to intercept VPN traffic passing through it, harvesting further credentials to feed back into the scanner.

The result is a structured, searchable database organised by country, sector, and organisation revenue, packaged for sale to other criminal groups looking to buy ready-made access to corporate networks.

Why Did So Many Devices Get Caught Out?

One of the most troubling details is that many of the compromised devices were running relatively recent versions of FortiOS. This was not simply a case of organisations failing to patch old vulnerabilities.

Here is the critical technical point: Fortinet introduced a more secure password hashing algorithm (PBKDF2) in FortiOS 7.2.11, 7.4.8, and 7.6.1. However, when a device was upgraded from an older version, existing administrator passwords remained stored using the weaker legacy SHA-256 method until each administrator actively logged in after the upgrade to trigger a re-hash. Many organisations upgraded their firmware and assumed the job was done. It was not. The old, crackable password hashes sat silently in configuration files, invisible to administrators, waiting to be extracted.

This is what security researchers have called the “Patching Paradox.” A firmware update is not the same as remediation if the underlying data, in this case the stored credential hashes, remains in a vulnerable state.
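
To make the Patching Paradox concrete, here is an added example (our own illustration, not Fortinet code) that models a credential store immediately after the upgrade: the firmware now supports PBKDF2, but the administrator's entry is still the pre-upgrade hash until someone logs in. It then runs the same offline dictionary attack against the legacy hash and the PBKDF2 hash of the same password. The legacy scheme is modelled as one salted SHA-256 round, the iteration count, salt and wordlist are constructed for illustration, and none of these values are FortiOS parameters.

```python
"""Why a firmware upgrade alone does not retire a legacy password hash.

Added example, not Fortinet code. The legacy scheme is modelled as one salted
SHA-256 round and the hardened scheme as PBKDF2-HMAC-SHA256; the iteration
count, the salt and the wordlist are constructed for illustration and are not
FortiOS parameters.
"""
from __future__ import annotations

import hashlib
import time

PBKDF2_ITERATIONS = 50_000                 # assumption: illustrative work factor
SALT = b"constructed-per-account-salt"     # constructed; a real store uses a random salt
TARGET = "Gl0uc3ster!"                     # constructed admin password
# Constructed wordlist; the target is last so both schemes pay for every guess.
WORDLIST = ["password", "123456", "admin", "fortinet", "Welcome1", "Summer2024!",
            "letmein", "qwerty", "P@ssw0rd", "Firewall#1", "changeme", TARGET]


def legacy_hash(password: str) -> bytes:
    """One round of salted SHA-256: cheap to verify, so cheap to guess."""
    return hashlib.sha256(SALT + password.encode()).digest()


def pbkdf2_hash(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs PBKDF2_ITERATIONS HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ITERATIONS)


HASHERS = {"legacy": legacy_hash, "pbkdf2": pbkdf2_hash}


def crack(scheme: str, stored: bytes, wordlist=WORDLIST):
    """Offline dictionary attack against one stored hash.

    Returns (recovered password or None, guesses made, seconds spent).
    """
    hasher = HASHERS[scheme]
    start = time.perf_counter()
    for guesses, candidate in enumerate(wordlist, start=1):
        if hasher(candidate) == stored:
            return candidate, guesses, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def store_after_upgrade() -> dict:
    """Credential store right after the firmware upgrade: the code now supports
    PBKDF2, but the admin entry is still the hash written before the upgrade."""
    return {"admin": ("legacy", legacy_hash(TARGET))}


def login(store: dict, user: str, password: str) -> bool:
    """Upgraded firmware verifies with whichever scheme is stored and, only on a
    successful login, re-hashes a legacy entry with PBKDF2."""
    scheme, stored = store[user]
    if HASHERS[scheme](password) != stored:
        return False
    if scheme == "legacy":
        store[user] = ("pbkdf2", pbkdf2_hash(password))
    return True


def audit_legacy_entries(store: dict) -> list:
    """Accounts whose stored hash is still the legacy scheme."""
    return [user for user, (scheme, _) in store.items() if scheme == "legacy"]


def compare_cost(password: str = TARGET) -> dict:
    """Crack the same password under both schemes and report the slowdown."""
    legacy_pw, guesses, t_legacy = crack("legacy", legacy_hash(password))
    pbkdf2_pw, _, t_pbkdf2 = crack("pbkdf2", pbkdf2_hash(password))
    return {"legacy_cracked": legacy_pw == password,
            "pbkdf2_cracked": pbkdf2_pw == password,
            "guesses": guesses,
            "slowdown": t_pbkdf2 / max(t_legacy, 1e-9)}


if __name__ == "__main__":
    store = store_after_upgrade()
    print("legacy entries after upgrade:", audit_legacy_entries(store))
    login(store, "admin", TARGET)
    print("legacy entries after first login:", audit_legacy_entries(store))
    result = compare_cost()
    print(f"{result['guesses']} guesses; PBKDF2 was {result['slowdown']:.0f}x slower")
```

Both hashes fall to the same twelve-word list, because the password is weak either way; the difference is that the legacy entry costs microseconds per guess while the PBKDF2 entry costs tens of thousands of HMAC calls per guess, and that cost is only paid by the attacker once the entry has actually been re-hashed.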

This Is Not Just a Fortinet Problem

If your organisation does not use Fortinet equipment, you might be tempted to read this as someone else’s problem. It is not.

FortiBleed is a symptom of a much wider issue: the assumption that perimeter security devices are trustworthy once deployed and patched. The reality is that firewalls, VPN gateways, and network appliances are high-value targets precisely because they sit at the edge of your network, they are often internet-facing, and they hold credentials that provide privileged access. Every manufacturer has had incidents of this type. Palo Alto Networks, Cisco, SonicWall, and others have all seen similar campaigns in recent years.

The broader lesson from FortiBleed applies to every organisation:

  • Credentials do not expire on their own. A password leaked in a breach two years ago is still valid today if it has never been changed.
  • Patching is necessary but not sufficient. Applying updates does not automatically remediate data that was already compromised before the patch was applied.
  • Internet-facing management interfaces are a significant risk. If your firewall or VPN admin panel is reachable from the public internet, it is a target.
  • Password complexity does not protect against credential theft. A 20-character random password is just as exposed as a simple one if it is captured by infostealer malware. If its hash is extracted from a configuration file, its length only buys time in proportion to how expensive the hashing scheme makes each guess.

What Should You Do Right Now?

Whether or not you use Fortinet products, FortiBleed is a useful prompt to review your own network security posture. Here is what good practice looks like:

If You Use Fortinet Equipment

  • Check whether your domain or IP addresses appear in the FortiBleed dataset using Hudson Rock’s lookup tool.
  • Treat any listed device as compromised until proven otherwise. That means a full review: check for unauthorised admin accounts, altered firewall rules, and signs of lateral movement into your internal network.
  • Rotate all administrative and VPN credentials immediately.
  • Ensure administrators log in after upgrading FortiOS to force the re-hash to PBKDF2.
  • Enable the login-lockout-upon-weaker-encryption setting in FortiOS 7.2.x and 7.4.x to remove legacy SHA-256 hashes from the stored configuration, and confirm the setting's exact behaviour for your version against Fortinet's documentation before relying on it.
  • Remove management interface access from the public internet. Administration should be via internal networks or a dedicated out-of-band management path only.
  • Enable phishing-resistant multi-factor authentication on all administrative and remote access accounts.
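
Three of the items above can be checked from a configuration export before touching the device: management protocols allowed on a WAN-role interface, admin accounts with no trusted-host restriction, and admin password entries still stored in legacy form. The script below is an added example, not Fortinet tooling, and the configuration it audits is constructed. It assumes the FortiOS CLI layout (config / edit / set / next / end), and it treats a password value beginning with ENC SH2 as a legacy SHA-256 hash and a hypothetical ENC PBKDF2 prefix as the hardened form; both markers are assumptions, so check them against a real export from your own firmware version.

```python
"""Static audit of a FortiOS-style configuration export.

Added example, not Fortinet tooling. SAMPLE_CONFIG is constructed; the
ENC SH2 / ENC PBKDF2 password markers are assumptions to verify on a real export.
"""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh http fgfm
    next
    edit "oob-mgmt"
        set role lan
        set allowaccess https ssh
        set dedicated-to management
    next
end
config system admin
    edit "admin"
        set password ENC SH2constructedLegacyHashValue==
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC PBKDF2constructedUpgradedHash==
    next
end
"""

# Protocols that give a management session, as opposed to ping or fabric traffic.
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}
LEGACY_HASH_PREFIX = "SH2"   # assumption: legacy SHA-256 marker


def parse(config_text: str) -> dict:
    """Return {table: {entry name: {key: [values]}}} for top-level tables.

    Nested `config` blocks inside an entry are skipped, so a sub-table's own
    edit/set/next lines cannot be mistaken for the parent entry's settings.
    """
    tables, stack, entry = {}, [], None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(" ".join(args))
        elif keyword == "edit" and len(stack) == 1:
            entry = tables.setdefault(stack[0], {}).setdefault(args[0], {})
        elif keyword == "set" and entry is not None and len(stack) == 1:
            entry[args[0]] = args[1:]
        elif keyword == "next" and len(stack) == 1:
            entry = None
        elif keyword == "end":
            stack.pop()
    return tables


def audit(config_text: str) -> list:
    """Return (severity, message) findings for the exposures in the checklist."""
    tables = parse(config_text)
    findings = []
    for name, attrs in tables.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(("high", f"interface {name}: management via "
                             f"{', '.join(sorted(exposed))} allowed on a WAN-role interface"))
    for name, attrs in tables.get("system admin", {}).items():
        if not any(key.startswith("trusthost") for key in attrs):
            findings.append(("medium", f"admin {name}: no trusthost restriction"))
        password = attrs.get("password", [])
        if len(password) >= 2 and password[0] == "ENC" and password[1].startswith(LEGACY_HASH_PREFIX):
            findings.append(("high", f"admin {name}: password still stored as a legacy "
                             "SHA-256 hash; log in to re-hash or reset it"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it over a full backup rather than a GUI view: the hash marker is exactly the detail the GUI does not show, and the same parser can be pointed at `config vpn ssl settings` or `config system global` for whatever further checks your review needs.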

For All Organisations

  • Audit what is internet-facing. Management interfaces for firewalls, switches, servers, and other infrastructure should never be reachable from the public internet unless there is a specific, documented, and monitored business requirement.
  • Enforce MFA everywhere. Multi-factor authentication is the single most effective control against credential-based attacks: an attacker who holds your password but cannot satisfy the second factor does not get in. Prefer phishing-resistant methods, since push prompts and one-time codes can themselves be phished or approved by a tired user.
  • Rotate credentials regularly and after every known breach. If your organisation has ever appeared in a publicly disclosed breach, assume any credentials that existed at that time may be in criminal databases today.
  • Review your patch process. Make sure your patching process includes verification steps, not just the application of updates. Understand what each patch does and does not remediate.
  • Monitor for suspicious activity. Review authentication logs for unusual login times, unfamiliar source IP addresses, and access from unexpected locations.
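
The last item is the one most often left as a good intention, so here is an added example (ours, not vendor tooling) of the review applied to admin-login events. The log lines are constructed to resemble FortiGate key=value event logs, and the field names it relies on (date, time, user, srcip, action, status), the trusted networks and the business hours are all assumptions to adjust for your environment. It flags three of the signals named above: a burst of failures followed by a success from the same address, a successful login from outside the trusted networks, and a login outside normal hours.

```python
"""Triage of firewall admin-login events.

Added example, not vendor tooling. SAMPLE_LOG is constructed; field names,
trusted networks and business hours are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: internal management range
BUSINESS_HOURS = range(7, 19)                             # assumption: 07:00 to 18:59 local
FAIL_THRESHOLD = 3                                        # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)

# Constructed events: one normal login, a burst of failures then a success from
# an unknown address at 03:12, and a daytime login from another unknown address.
SAMPLE_LOG = """\
date=2026-06-20 time=09:15:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.20)" srcip=10.0.0.20 action="login" status="success" reason="none"
date=2026-06-20 time=03:10:11 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-20 time=03:10:29 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-20 time=03:10:47 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-20 time=03:11:05 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"
date=2026-06-20 time=03:12:44 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success" reason="none"
date=2026-06-20 time=14:02:10 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="ssh(198.51.100.9)" srcip=198.51.100.9 action="login" status="success" reason="none"
"""

# key=value pairs, with values either double-quoted or bare
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one key=value log line into a dict and attach a datetime."""
    fields = {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def is_trusted(ip: str) -> bool:
    address = ipaddress.ip_address(ip)
    return any(address in network for network in TRUSTED_NETWORKS)


def triage(log_text: str) -> list:
    """Return alert dicts for successful logins that match any of the three signals."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    events = sorted((e for e in events if e.get("action") == "login"), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # srcip -> timestamps of failed attempts
    alerts = []
    for event in events:
        ip, ts, user = event["srcip"], event["ts"], event.get("user", "?")
        if event.get("status") != "success":
            recent_failures[ip].append(ts)
            continue
        base = {"user": user, "srcip": ip, "time": ts.isoformat()}
        failures = [t for t in recent_failures[ip] if ts - t <= FAIL_WINDOW]
        if len(failures) >= FAIL_THRESHOLD:
            alerts.append({"kind": "failures_then_success", "failures": len(failures), **base})
        if not is_trusted(ip):
            alerts.append({"kind": "untrusted_source", **base})
        if ts.hour not in BUSINESS_HOURS:
            alerts.append({"kind": "off_hours", **base})
        recent_failures[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The 09:15 login from the internal range produces nothing, the 03:12 success after four failures raises all three alerts, and the daytime login from 198.51.100.9 raises only the untrusted-source alert, which is exactly the one a purely time-based review would miss.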

The Bigger Picture

FortiBleed is a reminder that cyber threats have evolved well beyond the simple “bad actor exploits a vulnerability” model. Modern criminal operations are industrialised. The group behind FortiBleed was not conducting targeted attacks against specific organisations. They were running a factory: scanning the entire internet automatically, testing credentials at scale, cracking hashes with GPU clusters, and packaging the results for sale, sorted by industry and company revenue to make it easy for buyers to pick their targets.

Your organisation’s security posture needs to account for this reality. The question is not whether attackers will try to get in. The question is whether your controls will stop them when they do.

How System Force IT Can Help

At System Force IT, network security and perimeter hardening are core parts of what we do. Whether you are concerned about your current firewall configuration, want an independent review of what is exposed from the internet, or need help implementing MFA across your infrastructure, we can help.

If you would like to talk through your current security posture, get in touch with our team. We work with businesses across Gloucestershire and beyond to make sure their defences hold up in the real world, not just on paper.


FortiBleed was identified by researchers in mid-June 2026 and is an active, ongoing campaign. This article reflects information available as of 21 June 2026. Organisations using Fortinet products should continue to monitor Fortinet’s official advisories and CISA guidance for updates.
